Using Biometrics in Security: Pros & Cons
Biometrics may sound like a new type of technology, but it has actually been around for decades, and for good reason—biometrics are hard to hack.
Why are biometrics used for security? Biometrics are used in security because they are always with you, and they are difficult to steal or replicate. This creates a much stronger security system for any organization’s network.
What Are Biometrics?
Biometric authentication, often referred to as “biometrics,” uses physical characteristics from a user as a credential for secure authentication and identity verification. Unlike other forms of authentication (like passwords or tokens), biometrics rely on essentially immutable, unique facets of a physical user to strengthen security by requiring both a strong form of verification and the physical presence of the user at the point of collection.
Generally speaking, there are three types of biometric security:
- Biological: These are data taken from individuals at the molecular level, including DNA, blood samples, or other materials. These are incredibly difficult to collect without special facilities.
- Morphological: These are physical structures on the body, including traits like eyes, faces, fingerprints, and so on. These are often the most common authentication used in business and consumer systems.
- Behavioral: These biometrics use tics, patterns, and behaviors to determine identity. Behavioral authentication can include typing analysis, speech analysis, gait analysis, and so on. While these are becoming a more common form of authentication, behaviors are, strictly speaking, one of the easier forms of authentication to fake.
In order to be useful, a biometric marker must be unique (either absolutely or nearly so) to every user while also being feasible to collect. Therefore, standard forms of biometric authentication include the following:
- Fingerprints: Many mobile devices, from tablets to smartphones, already come with fingerprint scanners that can read this form of biometric. Fingerprint scanners are relatively easy to implement and have become a common form of authentication for access to physical devices and as part of multi-factor authentication solutions.
- Facial Scans: Modern iPhones and many laptops have migrated to facial scans. An embedded camera will take a facial picture or video as input and compare it against unique scanning information.
- Iris Scans: Much like fingerprints and faces, the human iris is seen as a secure and unique form of biometric authentication. More modern applications are looking at iris scanning (if they haven’t already implemented it) because it works with the same technology that a facial scan does—a camera or other sensor.
- Voice Recognition: Voice authentication was often considered unsuitable for verification because it was relatively easy to fake. However, a few years and innovations later, voice is seen as a viable and useful form of biometric authentication.
Outside of these common types, there are others that, while useful, are used less, or in unique circumstances:
- Gait Recognition: Machines can analyze gait style to determine user identity. Deploying this kind of biometric authentication is rather difficult in any situation unless using video cameras in a public space.
- Blood and DNA: DNA and blood samples are, almost exclusively, seen as private health information, and outside of particular health considerations, criminal investigations, or the highest levels of security, DNA isn’t seen as a viable, or even necessary, form of biometric identification.
What Are the Components of a Biometric Security System?
The components of a biometrics system are similar to other authentication systems, with the added hardware and software for processing biometric data.
The following are typical components of a biometric system:
- Input Sensors: To collect and compare biometric data, hardware must be in place to gather that data. In the earliest days of bio-authentication, one of the biggest limiters against adoption was the availability of collection devices. However, the explosion of mobile devices and affordable hardware has changed that reality drastically.
Input sensors will vary based on the type of biometric authentication. Fingerprint scanners, for example, are almost always embedded into hardware as a distinct finger pad that can read that information. Facial and iris scanners leverage the availability of cameras in devices to take physical images of these body parts.
- Processing Units: While data processing is a prominent part of any authentication system, biometrics require special software to complement the hardware and the stored biometric data. The processing component will take the raw physical data provided through the sensor, extract the notable characteristics of that data and, depending on the type deployed, turn it into computer-readable data that can be compared against data stored in a database.
- Storage: Biometric data is stored as a “biometric template.” Rather than store a raw picture of, say, a fingerprint (a clear privacy and compliance problem), the system will translate traits into machine data and use it as a template to compare against the physical input provided.
While these systems can be hacked, it is prohibitively difficult to use hacked biometrics in any meaningful way.
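The three components above, worked through as an added example that is not code from the article or from 1Kosmos: constructed sensor readings stand in for a fingerprint scanner, feature extraction reduces them to a template of minutia-style points, and only the serialized template is kept for later comparison. The point coordinates, tolerances and the 0.7 threshold are all illustrative assumptions.

```python
# Added example (not code from the article or from 1Kosmos): a toy
# fingerprint-style pipeline with the three components described above.
# All sensor readings below are constructed for illustration.
import json
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    """One extracted feature point: position on the sensor and ridge angle."""
    x: float
    y: float
    angle: float  # degrees, 0-360


# --- Input sensor: raw readings as (x, y, angle) triples (constructed) -----
ENROLL_RAW = [(10, 20, 30), (40, 22, 95), (25, 60, 180), (70, 15, 270),
              (55, 48, 45), (33, 80, 10), (80, 70, 120), (15, 90, 200)]
# Same finger read again later: every point shifted slightly by sensor noise.
GENUINE_RAW = [(12, 19, 33), (39, 24, 91), (27, 61, 177), (71, 13, 274),
               (53, 50, 48), (31, 82, 14), (82, 69, 118), (13, 92, 205)]
# A different finger.
IMPOSTOR_RAW = [(5, 5, 0), (90, 90, 90), (50, 50, 200), (20, 75, 300),
                (60, 30, 60), (85, 10, 150), (40, 95, 250), (75, 55, 330)]


# --- Processing unit: reduce raw readings to a template -------------------
def extract_template(raw_points):
    """Keep only the feature points; the raw reading itself is discarded."""
    points = (Minutia(float(x), float(y), float(a) % 360.0) for x, y, a in raw_points)
    return tuple(sorted(points, key=lambda m: (m.x, m.y, m.angle)))


def angle_diff(a, b):
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def match_score(template, probe, dist_tol=6.0, angle_tol=15.0):
    """Fraction of points with a partner inside the tolerances (0.0 to 1.0)."""
    used = set()
    matched = 0
    for m in template:
        for i, p in enumerate(probe):
            if i in used:
                continue
            if (math.hypot(m.x - p.x, m.y - p.y) <= dist_tol
                    and angle_diff(m.angle, p.angle) <= angle_tol):
                used.add(i)
                matched += 1
                break
    return matched / max(len(template), len(probe))


# --- Storage: only the serialized template is kept, never the raw reading --
def serialize(template):
    return json.dumps([[m.x, m.y, m.angle] for m in template])


def deserialize(blob):
    return tuple(Minutia(x, y, a) for x, y, a in json.loads(blob))


STORED_TEMPLATE = serialize(extract_template(ENROLL_RAW))


def verify(raw_probe, threshold=0.7):
    """Compare a fresh sensor reading against the stored template."""
    score = match_score(deserialize(STORED_TEMPLATE), extract_template(raw_probe))
    return score >= threshold, score


if __name__ == "__main__":
    print("genuine :", verify(GENUINE_RAW))   # (True, 1.0)
    print("impostor:", verify(IMPOSTOR_RAW))  # (False, 0.0)
```

The matcher tolerates small positional and angular noise, which is why the second reading of the enrolled finger still scores 1.0, while the unrelated finger scores 0.0; a real matcher also has to handle rotation, partial prints and missing points, which this toy deliberately leaves out.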
Are Modern Biometrics Reliable?
The short answer is yes.
Not all forms are created equal, and no security system is 100% effective. However, biometrics offer higher levels of security that are otherwise not available through several features and mechanisms:
- Immutable Identification: Most usable biometrics (e.g., fingerprints and iris scans) are unique to the user. As such, it’s difficult to fake access to a system and much easier to ensure that the user accessing an account or resource is who they say they are.
- Complex MFA: Biometrics, combined with SMS or email-based tokens or passwords, can serve as part of a robust MFA system that helps secure accounts and make them harder to hack through traditional means (e.g., password cracking, database hacks, phishing, etc.).
- Convenience: Biometrics are easy to implement. User experience is often a barrier to good security practices (see poor or shared passwords), and biometrics can mitigate that problem.
- Passwordless Authentication: Biometrics can also serve as the foundation for a biometric password or, ultimately, a passwordless system where users do not have to create, remember, or manage a password to use a system—all without sacrificing security.
However, these truisms aren’t expected to hold forever, and even the strongest biometrics won’t eliminate the potential for credential spoofing. Even now, there have been instances of hackers spoofing fingerprints, voice analysis, and facial scans with hacked data. The future of this authentication will expand these services into advanced biometrics like identity proofing and liveness tests.
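The "no security system is 100% effective" point and the MFA point above, made concrete as an added example that is not code from the article or from 1Kosmos. The matcher similarity scores are constructed; the functions sweep the accept threshold to show how false accepts (an impostor let in) trade against false rejects (a real user locked out), and a policy function requires an independent second factor alongside the biometric match.

```python
# Added example (not code from the article or from 1Kosmos): how a matcher's
# decision threshold trades false accepts against false rejects, and why a
# second factor is layered on top. All scores below are constructed.

# Similarity scores (0.0-1.0) from constructed trials: genuine users
# presenting their own biometric, and impostors presenting someone else's.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.83]
IMPOSTOR_SCORES = [0.12, 0.33, 0.21, 0.45, 0.08, 0.58, 0.27, 0.40, 0.15, 0.72]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for an accept-if-score>=threshold rule.

    FAR: share of impostor attempts accepted.  FRR: share of genuine rejected.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Error rates at each candidate threshold, for tuning."""
    return {t: error_rates(t, genuine, impostor) for t in thresholds}


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold (step 0.01) where FAR and FRR are closest, and that rate."""
    best = None
    for i in range(101):
        t = i / 100
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, max(far, frr))
    return best[1], best[2]


def authenticate(score, second_factor_ok, threshold):
    """Policy: the biometric match AND an independent factor must both pass.

    Lowering the threshold for convenience raises FAR; the second factor
    (a token, password or similar) is what keeps a lone false accept from
    becoming an account takeover.
    """
    return score >= threshold and second_factor_ok


if __name__ == "__main__":
    for t, (far, frr) in sweep([0.5, 0.6, 0.7, 0.8]).items():
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
    print("equal-error threshold:", equal_error_threshold())  # (0.7, 0.1)
```

With these constructed scores, 0.5 accepts two of the ten impostor attempts while rejecting no genuine user, 0.8 rejects two genuine users while accepting no impostor, and the rates meet at 0.7; which side of that trade-off to favour depends on what the biometric protects and what other factors sit beside it.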
1Kosmos: Advanced Biometrics and Passwordless Security
Most compliance and security standards will require, at minimum, some form of MFA that includes biometric security. However, as attacks and vulnerabilities evolve, this too will require additional security factors to guarantee the user is who they say they are at the time of authentication. This involves a system that can prove and manage identity while streamlining biometrics in a compliant and user-friendly system.
This is 1Kosmos. The 1Kosmos BlockID system brings advanced biometrics, distributed identity management, and simple user onboarding to enterprise organizations worldwide. The BlockID solution supports advanced authentication and compliance with the following features:
- Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
- Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
- Integration with Secure MFA: BlockID readily integrates through a standards-based API with operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
- Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.
If you’re ready to learn more about biometrics and passwordless authentication, watch the webinar The Journey to Passwordless with 1Kosmos and Ed Amoroso of TAG Cyber. Also, make sure to sign up for the 1Kosmos newsletter to learn more about our products, services, and events.