Biometrics has the potential to make authentication dramatically faster, easier and more secure than traditional passwords, but companies need to be careful about the biometric data they collect. Credit: Shutterstock Biometrics definition Biometrics are physical or behavioral human characteristics to that can be used to digitally identify a person to grant access to systems, devices, or data. Examples of these biometric identifiers are fingerprints, facial patterns, voice or typing cadence. Each of these identifiers is considered unique to the individual, and they may be used in combination to ensure greater accuracy of identification. Because biometrics can provide a reasonable level of confidence in authenticating a person with less friction for the user, it has the potential to dramatically improve enterprise security. Computers and devices can unlock automatically when they detect the fingerprints of an approved user. Server room doors can swing open when they recognize the faces of trusted system administrators. Help desk systems might automatically pull up all relevant information when they recognize an employee’s voice on the support line. However, companies need to be careful about how they roll out their biometric authentication systems to avoid infringing on employee or customer privacy or improperly exposing sensitive information. After all, while it’s easy to issue a new password when the old one has been compromised, you can’t issue someone a new eyeball. How reliable is biometric authentication? Authentication credentials such as fingerprint scans or voice recordings can leak from devices, from company servers or from the software used to analyze them. There is also a high potential for false positives and false negatives. A facial recognition system might not recognize a user wearing makeup or glasses, or one who is sick or tired. Voices also vary. People sound different when they first wake up, or when they try to use their phone in a crowded public setting, or when they’re angry or impatient. Recognition systems can be fooled with masks, photos and voice recordings, with copies of fingerprints, or tricked by trusted family members or housemates when the legitimate user is asleep. The scourge of AI deepfakes is also casting doubt on the reliability of biometrics for authentication. Research firm Gartner predicts that “by 2026, attacks using AI-generated deepfakes on face biometrics will mean that 30% of enterprises will no longer consider such identity verification and authentication solutions to be reliable in isolation.” Experts recommend that companies use multiple types of authentication simultaneously and escalate quickly if they see warning signs. For example, if the fingerprint is a match but the face isn’t, or the account is being accessed from an unusual location at an unusual time, it might be time to switch to a backup authentication method or a second communication channel. This is particularly critical for financial transactions or password changes. Types of biometric identifiers A biometric identifier is one that is related to intrinsic human characteristics. They fall roughly into two categories: physical identifiers and behavioral identifiers. Physical identifiers Physical identifiers are, for the most part, immutable and device independent. These include: Fingerprints: Fingerprint scanners have become ubiquitous in recent years due to their widespread deployment on smartphones. Any device that can be touched, such as a phone screen, computer mouse or touchpad, or a door panel, has the potential to become an easy and convenient fingerprint scanner. Photo and video: If a device is equipped with a camera, it can easily be used for authentication. Facial recognition and retinal scans are two common approaches. Physiological recognition: These include facial recognition, hand geometry recognition, iris or retinal scanning, palm vein recognition, and ear recognition. Voice: Voice-based digital assistants and telephone-based service portals are already using voice recognition to identify users and authenticate customers. Signature: Digital signature scanners are already in widespread use at retail checkouts and in banks and are a good choice for situations where users and customers are already expecting to have to sign their names. DNA: Today, DNA scans are used primarily in law enforcement to identify suspects — and in the movies. In practice, DNA sequencing has been too slow for widespread use. This is starting to change. In 2018, a $1,000 scanner hit the market that can do a DNA match in minutes — and prices are likely to keep dropping. Behavioral identifiers Behavioral identifiers are a newer approach and are typically being used in conjunction with another method because of lower reliability. However, as technology improves, these behavioral identifiers may increase in prominence. Unlike physical identifiers, which are limited to a certain fixed set of human characteristics, the only limits to behavioral identifiers is the human imagination. Today, this approach is often used to distinguish between a human and a robot. That can help a company filter out spam or detect attempts to brute-force a login and password. As technology improves, the systems are likely to get better at accurately identifying individuals, but less effective at distinguishing between humans and robots. Here are some common approaches: Typing patterns: Everybody has a different typing style. The speed at which they type, the length of time it takes to go from one letter to another, the degree of impact on the keyboard. Physical movements: The way that someone walks is unique to an individual and can be used to authenticate employees in a building, or as a secondary layer of authentication for particularly sensitive locations. Navigation patterns: Mouse movements and finger movements on trackpads or touch-sensitive screens are unique to individuals and relatively easy to detect with software, no additional hardware required. Engagement patterns: We all interact with technology in different ways. How we open and use apps, how low we allow our battery to get, the locations and times of day we’re most likely to use our devices, the way we navigate websites, how we tilt our phones when we hold them, or even how often we check our social media accounts are all potentially unique behavioral characteristics. These behavior patterns can be used to distinguish people from bots, until the bots get better at imitating humans. And they can also be used in combination with other authentication methods, or, if the technology improves enough, as standalone security measures. What are the privacy risks of biometric authentication? Some users might not want companies collecting data about, say, the time of day and the locations where they typically use their phones. If this information gets out, it could potentially be used by stalkers or, in the case of celebrities, by tabloid journalists. Some users might not want their family members or spouses to know where they are all the time. The information could also be abused by repressive government regimes or criminal prosecutors overstepping boundaries. Foreign powers might use the information in an attempt to influence public opinion. Unethical marketers and advertisers might do likewise. In 2018, a fitness app was discovered to be collecting information about user locations and exposing it in a way that revealed the location of secret U.S. military bases and patrol routes. Any of these situations could potentially lead to significant public embarrassment for the company that collected the data, regulatory fines, or class-action lawsuits. If DNA scans become widespread, they give rise to a whole new area of privacy concerns such including exposure of medical conditions and family relationships. How secure is biometric authentication data? The security of the biometric authentication data is vitally important, even more than the security of passwords, since passwords can be easily changed if they are exposed. A fingerprint or retinal scan, however, is immutable. The release of this or other biometric information could put users at permanent risk and create significant legal exposure for the company that loses the data. At the end of the day, every company is responsible for its own security decisions. You can’t outsource compliance, but you can reduce the cost of compliance, and the possible repercussions of a leak, by picking the right vendor. If a small or mid-sized company uses, say, Google’s or Apple’s authentication technology and there’s a security breach with Google or Apple, it’s likely Google or Apple will get the blame. In addition, companies that don’t keep credentials on file have some legal protections. For example, many retailers can avoid substantial compliance costs by keeping their systems “out of scope.” Payment information is encrypted right at the payment terminal and goes straight through to a payment processor. Raw payment card data never touches the company servers, reducing both compliance implications and potential security risks. If a company needs to collect authentication information and keep it on its own servers, best-practice security measures should be applied. That includes encryption both for data at rest and data in transit. Encryption is not an absolute guarantee of security, of course, if the applications or users that are authorized to access the data are themselves compromised. However, there are a couple of ways that companies can avoid keeping even encrypted authentication data on their servers. Where is biometrics used? Enterprise use cases IDC predicts that European companies will spend $6.1 billion on biometrics solutions by 2026. Driven largely by efforts around automation and digitization in both employee experience and customer experience, biometrics will replace more traditional authentication and identification methods. These are the top enterprise use cases where businesses plan to invest in biometrics, according to the IDC research: Employee facility access control Employee time and attendance management Employee authentication for data access Customer enrollment identification Customer ID authentication Biometrics use cases and investment focus varies by industry. In finance, for example, biometrics investments will go to providing a more streamlined customer experience while also improving fraud prevention and detection. In transportation, smart ticketing will help to speed processing time at various checkpoints, like baggage drop and airport security. And in manufacturing, investments in biometrics will be focused on employee experience, including time tracking and access control. Biometrics for authentication: two approaches Local or device-based biometric authentication The most common example of a local authentication mechanism is the hardware security module in a smartphone. User information — such as a fingerprint scan, facial image or a voice print — is stored inside the module. When authentication is required, biometric information is collected by the fingerprint reader, camera or microphone and sent to the module where it’s compared to the original. The module tells the phone whether or not the new information is a match to what it already had stored. With this system, the raw biometric information is never accessible to any software or system outside the module, including the phone’s own operating system. On the iPhone, this is called the secure enclave and is available on every phone with an Apple A7 chip or newer. The first phone with this technology was the iPhone 5S, released in 2013. Similar technology is also available on Android phones. Samsung, for example, started rolling out the ARM TrustZone trusted execution environment with the Samsung S3 smartphone. Today, smartphone hardware security modules are used to provide security for Apple Pay, Google Pay and Samsung Pay as well as to authenticate third-party applications. PayPal, for example, can use a phone’s biometric sensor for authentication without PayPal ever seeing the actual biometric data itself. Square Cash, Venmo, Dropbox and many banking apps and password management apps leverage this authentication mechanism as well. Enterprises can also use smartphone-based biometric readers whenever their users or customers have access to smartphones, without ever having to collect and store any identifying biometric information on their own servers. Similar technology is available for other types of devices, such as smart cards, smart door locks, or fingerprint scanners for PCs. Smartphone-based authentication offers significant usability benefits. First, users tend to be immediately aware if they have misplaced or lost their smartphone and will take immediate steps to find or replace it. If, however, they misplace a badge that they only use to access a building during the off-hours, they might not notice for a while that it is missing. Smartphone manufacturers are also in the middle of an arms race to make their technology better and easier to use. No other industry — or individual company — can match the scale of mobile investment or the usability and security testing that phones receive. Finally, phone authentication offers users maximum flexibility. They can opt for phones with face ID, fingerprint scanners or voice recognition, or some other new technology that hasn’t been invented yet but will dominate the market tomorrow. However, using a third-party mechanism like consumer smartphones puts the authentication process outside enterprise control. Another downside to device-based authentication, in general, is that the identity information is limited to that one device. If people use a fingerprint to unlock their smartphone, they can’t then also use that same fingerprint to unlock their office door without separately authorizing the door lock, or to unlock their computer without separately authorizing their PC’s fingerprint scanner. Companies that need to authenticate users or customers on multiple devices in multiple locations need to either have some kind of centralized mechanism to store the authentication credentials or leverage a device that the user carries with them at all times. For example, companies can put the authentication mechanism inside a smart badge that employees wear around the office. They can also use a smartphone to authenticate the employee, then communicate the identity confirmation to other devices and systems via Bluetooth, NFC, WiFi or the internet. Tokenization or encryption Another approach to allowing new devices to recognize existing authorized users is tokenization, one-way encryption, or hashing functions. Say, for example, retinal, voice or fingerprint identification is used to recognize and authenticate employees wherever they might go within a company, but the company doesn’t want to have the image or audio files stored on servers where hackers or malicious employees might misuse them. Instead, the company would use a device that, say, scans a person’s face or fingerprint, converts that image into a unique code, then sends that code to the central server for authentication. Any device that uses the same conversion method would then be able to recognize the employee, and the raw identification data is never available on any system. The downside to this approach is that the company is then locked into a single proprietary authentication mechanism. More on biometrics 6 reasons biometrics are bad authenticators (and 1 acceptable use) Privacy, data protection regulations clamp down on biometrics use Badge privacy-preserving authentication tool launches with Okta integration Why you shouldn’t use your face as your password Self-sovereign biometrics and the future of digital identity SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe