Biometrics is the technical term for body measurements and calculations related to human characteristics. Biometric authentication is a form of identification and access control that uses those measurements.
Because biometric identifiers are unique to individuals, they are often seen as more reliable for verifying identity than token-based systems such as a passport or knowledge-based systems such as a password. There are, however, privacy concerns and other disadvantages to using biometrics.
What is biometric data used for?
Biometric data is used to identify or authenticate a person from physical or behavioral characteristics. Its usefulness relies on the uniqueness, permanence and collectability of the particular trait being measured, e.g. a fingerprint.
Once the trait is measured, the live sample can be compared and matched against the templates held in the biometric database.
Common uses for biometric identification systems are:
- Law enforcement: Fingerprint, palm print and facial recognition.
- Border control: Electronic passports store a facial image and may also store fingerprint or iris data, which is compared against the traveller at the gate.
- Healthcare: National identity cards for ID and health insurance programs use fingerprints for identification.
- Credit card companies: Credit card companies may use voice recognition to determine if the person on the phone is who they say they are.
India's Aadhaar program, run by the Unique Identification Authority of India (UIDAI), is one example of a nation using biometric identification widely. It is a multimodal program that enrolls iris scans, fingerprints and a facial photograph. Once enrolled, the biometric data is linked to a 12-digit Aadhaar number issued to each of India's more than 1.2 billion residents.
How do biometrics work?
If you have ever used Face ID to unlock an Apple iPhone, you have used biometric authentication. The phone records your biometric information, in this case a map of your face, stores it on the device as a biometric template, and compares it against a live capture each time you unlock the phone. Apple keeps that template encrypted inside the Secure Enclave rather than sending it to its servers, which is the storage property discussed below.
Before a biometric system can be used, an individual needs to be enrolled. The enrollment process captures a measurement of the trait and stores it as a biometric template. That template is then compared to live biometric data on subsequent uses. When you get a new iPhone and add your face to Face ID, you are completing the enrollment process.
After enrollment, biometric systems tend to operate in one of two modes:
- Biometric authentication (verification): A one-to-one comparison of captured biometric data against the template of the identity the person claims, to verify they are who they say they are. This is akin to logging into an account with a username and password: the username is the claim and the biometric is the proof.
- Biometric identification: A one-to-many comparison designed to identify an unknown individual. If the system can match the biometric sample to a stored template within an acceptable threshold, the person is identified. An example is matching a latent fingerprint against a law-enforcement database, or attributing keystrokes to a known attacker by typing pattern during a forensic investigation.
Because the stored template is what an attacker would need to impersonate the user, secure storage and retrieval of templates (encrypted at rest, access-controlled, and ideally kept on the device that captures the trait) is essential for a biometric system to be considered robust.
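The enrollment, 1:1 verification and 1:N identification steps described above, as an added example (this is illustrative code, not Apple's Face ID or any vendor's implementation). It models a trait as a 256-bit code compared by fractional Hamming distance, the way iris codes are compared; the user names, the amount of sensor noise and the 0.30 decision threshold are assumptions chosen for the demo.

```python
"""Toy biometric matcher: enrollment, 1:1 verification and 1:N identification.

Added illustration, not vendor code. A trait is modelled as a 256-bit string
(iris codes are compared this way, by fractional Hamming distance); a live
capture is a noisy copy of the true trait. Names, noise level and the 0.30
threshold are assumptions for the demo.
"""
import random
from typing import Optional

TEMPLATE_BITS = 256


def capture(trait: int, noise_bits: int, rng: random.Random) -> int:
    """Simulate a sensor reading: flip `noise_bits` random bits of the true trait."""
    sample = trait
    for pos in rng.sample(range(TEMPLATE_BITS), noise_bits):
        sample ^= 1 << pos
    return sample


def hamming_distance(a: int, b: int) -> float:
    """Fraction of differing bits: 0.0 for identical codes, about 0.5 for unrelated ones."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


class BiometricSystem:
    def __init__(self, threshold: float = 0.30):
        self.threshold = threshold            # accept when distance <= threshold
        self.templates: dict[str, int] = {}   # enrolled templates keyed by identity

    def enroll(self, user: str, sample: int) -> None:
        """Enrollment: store the captured trait as this user's template."""
        self.templates[user] = sample

    def verify(self, claimed_user: str, sample: int) -> bool:
        """Authentication (1:1): compare only against the claimed identity's template."""
        template = self.templates.get(claimed_user)
        return template is not None and hamming_distance(template, sample) <= self.threshold

    def identify(self, sample: int) -> Optional[str]:
        """Identification (1:N): closest enrolled identity, if it is within the threshold."""
        best_user, best_dist = None, 1.0
        for user, template in self.templates.items():
            dist = hamming_distance(template, sample)
            if dist < best_dist:
                best_user, best_dist = user, dist
        return best_user if best_dist <= self.threshold else None


def demo() -> dict:
    """Run both modes on constructed data and return the decisions."""
    rng = random.Random(2024)  # fixed seed so the demo is reproducible
    system = BiometricSystem()
    true_traits = {name: rng.getrandbits(TEMPLATE_BITS) for name in ("alice", "bob", "carol")}
    for name, trait in true_traits.items():
        system.enroll(name, capture(trait, noise_bits=8, rng=rng))   # enrollment scan

    alice_live = capture(true_traits["alice"], noise_bits=20, rng=rng)  # later, noisier scan
    stranger = rng.getrandbits(TEMPLATE_BITS)                           # never enrolled
    return {
        "alice_as_alice": system.verify("alice", alice_live),   # genuine 1:1 -> True
        "alice_as_bob": system.verify("bob", alice_live),       # wrong claim -> False
        "who_is_alice": system.identify(alice_live),            # 1:N -> "alice"
        "who_is_stranger": system.identify(stranger),           # 1:N, no match -> None
    }


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the live sample never equals the template exactly (it differs in up to 28 bits here), so matching must be fuzzy and templates cannot simply be hashed the way passwords are; and identification only succeeds because the 1:N search applies the same threshold, otherwise the "closest" template would always be returned, even for a stranger.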
How common is biometric technology?
Biometric authentication and identification is increasingly common in security systems, consumer electronics and point-of-sale applications.
Two things are driving this: security and convenience. With biometrics there are no passwords to remember and no security token to lose. However, unlike a password, a compromised biometric cannot be changed.
What can be used for biometrics?
There are many different aspects of physiology, chemistry or behavior that can be used as a biometric. The selection of a biometric should weigh up the following seven factors:
- Universality: Does everyone using the system possess the trait?
- Uniqueness: Is the trait sufficiently different for individuals in the relevant population so they can be distinguished from each other?
- Permanence: Does the trait stay stable over time?
- Measurability: How easy is it to acquire or measure the trait?
- Performance: How accurate, fast and robust is the technology used?
- Acceptability: How well will individuals in the relevant population accept the technology and their biometric data being captured and assessed?
- Circumvention: How easy is it to fake the trait with an artifact or substitute?
That said, proper biometric use is very application dependent. What may be an acceptable risk for a consumer's phone could be unacceptable for the United States Department of Homeland Security or police in New York.
Types of biometrics
Biometric identifiers are split into physiological characteristics and behavioral characteristics:
- Physiological characteristics: relate to the shape of the body.
- Behavioral characteristics: relate to the behavior of a person.
Examples of physiological characteristics:
- Fingerprints: Fingerprint scanners have become ubiquitous in recent years due to widespread deployment on smartphones.
- Iris scans: The texture pattern of the iris, the coloured ring around the pupil, can be used as a biometric.
- DNA: DNA is primarily used by law enforcement to identify suspects.
- Vein patterns: The pattern of veins in a finger or palm can be used much like a fingerprint or iris scan.
- Hand geometry: Some biometric security systems rely on hand geometry to identify an individual.
- Palm print: Like fingerprints, palm prints can be used as part of a security system.
- Face: Face recognition technology is often used for border control.
- Signature: Signature-capture pads at retail checkouts and in banks record the dynamics of a handwritten signature. This is unrelated to cryptographic digital signatures, and the trait is often classed as behavioral.
- Voice: Measures characteristics of a speaker's voice as they speak to a device; it too is often classed as behavioral.
Examples of behavioral characteristics:
- Typing pattern: Everybody has a different typing style, including typing speed, how long each key is held down and the time between one keystroke and the next.
- Physical movements: A person's gait can be used to identify an unauthorized person in a building, adding a second layer of authentication for particularly sensitive locations.
- Navigation patterns: Mouse movements and trackpad usage differ between individuals and can be profiled by software.
- Engagement patterns: How you open apps, how low you allow your battery to get, how often you pick up your phone are all potentially unique identifiers.
Are biometrics reliable?
Biometric matching is a statistical decision made against a tunable threshold, so it cannot be 100% reliable when used alone. This has led many organizations to use biometrics as one factor in a multi-factor, defense in depth strategy, where the user needs to know something (a password), have something (a hardware token or phone that generates a one-time code) and be something (a fingerprint). If the user cannot present all three factors, they won't be able to log in.
And while biometric data is harder to share or guess than a password, fingerprint images, face templates or voice recordings can still be stolen from devices, servers or the software that processes them.
There is also the potential for false accepts and false rejects, and the decision threshold trades one off against the other:
- False accept (false positive): The system accepts a sample that does not belong to the enrolled person, either another person's trait that happens to fall within the threshold or a deliberate spoof such as a fingerprint lifted from a glass. The rate of the former is the false accept rate (FAR); resistance to the latter is presentation attack detection, which vendor FAR figures usually do not cover.
- False reject (false negative): The system rejects a sample even though it comes from the enrolled person, e.g. because of a dirty sensor or a cut finger. This rate is the false reject rate (FRR).
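How the threshold trades false accepts against false rejects, as an added example (constructed numbers, not measurements from any product). The two score lists are distances from genuine and impostor comparison attempts, made up to overlap the way real distributions do; the 1:N formula assumes impostor comparisons are independent.

```python
"""False accept / false reject trade-off for a distance-based biometric matcher.

Added example, not from the original article. Scores are fractional distances
(lower = more similar); a sample is accepted when distance <= threshold. The
score lists are constructed, not measured.
"""
from typing import List, Tuple

# Constructed data: distances from genuine attempts (same person) and impostor
# attempts (different person). The two ranges overlap, as they do in practice.
GENUINE_DISTANCES = [0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.22, 0.25, 0.30, 0.38]
IMPOSTOR_DISTANCES = [0.28, 0.33, 0.36, 0.40, 0.42, 0.45, 0.47, 0.50, 0.52, 0.55]


def far_frr(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) at a given threshold.

    FAR (false accept rate, false positives): impostor samples within the threshold.
    FRR (false reject rate, false negatives): genuine samples outside it.
    """
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine: List[float], impostor: List[float], steps: int = 100) -> Tuple[float, float]:
    """Sweep thresholds and return (threshold, EER) where FAR and FRR are closest.

    The equal error rate is the usual single-number summary of a matcher; a
    deployment then picks a threshold on one side of it depending on whether
    false accepts or false rejects are more costly.
    """
    best_t, best_gap, best_eer = 0.0, float("inf"), 1.0
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap, best_eer = t, gap, (far + frr) / 2
    return best_t, best_eer


def identification_far(single_far: float, database_size: int) -> float:
    """Probability that a stranger matches at least one of N templates in a 1:N search.

    Assumes each impostor comparison is an independent trial with rate `single_far`.
    """
    return 1.0 - (1.0 - single_far) ** database_size


if __name__ == "__main__":
    for t in (0.20, 0.30, 0.35):
        print(f"threshold {t:.2f}: FAR={far_frr(GENUINE_DISTANCES, IMPOSTOR_DISTANCES, t)[0]:.2f} "
              f"FRR={far_frr(GENUINE_DISTANCES, IMPOSTOR_DISTANCES, t)[1]:.2f}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_DISTANCES, IMPOSTOR_DISTANCES))
    print("1:N FAR with per-comparison FAR 0.001 and 1000 templates:",
          round(identification_far(0.001, 1000), 3))
```

Tightening the threshold to 0.20 drives FAR to zero on this data but rejects 40% of genuine attempts; loosening it to 0.35 accepts 20% of impostors. The last line is the reason identification systems need a far lower per-comparison FAR than verification systems: a one-in-a-thousand FAR that is acceptable for a 1:1 phone unlock becomes a 63% chance of some false hit when a stranger is searched against 1,000 templates.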
What is a multimodal biometric system?
Multimodal biometric systems use multiple sensors or multiple biometric traits to overcome the limitations of unimodal (single-trait) systems.
For instance, iris recognition can be degraded by changes to the iris with age, and fingerprint recognition can be degraded by worn fingerprint ridges.
Unlike unimodal systems, multimodal systems are not limited by the integrity of one identifier, and it is unlikely that several identifiers will suffer from limitations at the same time.
Multimodal systems can use the same marker (e.g. multiple scans of an iris) or information from different biometrics (e.g. fingerprint, iris scan and voice recognition).
Are biometrics safe?
There are serious security concerns when it comes to biometric data:
- Collecting biometric data is a significant cybersecurity risk. Biometric data is personally identifiable information (PII) that could be stolen in a data breach or accidentally exposed in a data leak, and it is an attractive target for attackers to sell on the dark web for identity theft or to use in a cyber attack or corporate espionage. The good news is that personal data is already a focus of information security teams. However, as biometrics become more common, the data will become available in more places (e.g. third-party vendors) that may not employ the same level of security.
- As biometrics become more commonplace, people may rely on them in place of other sensible security measures.
- Biometric data can't be changed, which makes a compromise more damaging than for other authentication methods. Once a fingerprint is compromised, you can't issue a new one.
- Some biometric data can be duplicated for example, a criminal may lift a fingerprint from a glass.
- There is no cohesive law that dictates how biometric data should be stored and what is considered private, meaning your rights can differ from country to country and even state to state.
- Third-party vendors and their vendors may have access to biometric data and not have good security practices in place. This is known as third-party risk and fourth-party risk. The immutability of biometric data means that vendor risk management, a third-party risk management framework, an information security policy, a vendor management policy and cybersecurity risk assessments are more important when you or your vendors handle biometric data. Consider automating vendor risk management and looking for vendors with SOC 2.
How to secure biometric data
There are common ways to secure biometric data including:
- Keeping biometric templates in as few places as possible, each with tight access controls and strong authentication for anyone who administers them.
- Keep your devices and servers patched to avoid exploitation of known vulnerabilities such as those catalogued in the CVE list.
- Using network security to reduce the threat of attackers gaining access to internal networks.
- Don't provide your biometric data if you don't believe it is being stored securely.
- Using configuration management to avoid configuration drift.
- Employing OPSEC professionals who can ensure that where biometric data is stored, and who can reach it, is not needlessly disclosed.
- Continuously monitor your third and fourth-party vendors' security posture.
- Continuously scan for and discover data exposures related to any parts of your business.
What are the advantages of biometrics?
The advantages of biometrics include:
- Harder to share, guess or forget than knowledge- or token-based credentials (though some traits can be copied, see the disadvantages below).
- Universal and can be found on all individuals.
- Unique allowing individuals to be differentiated.
- Measurable, so the trait can be captured and compared consistently.
- Easy to use and convenient.
- Most traits change little over a person's life.
- Biometric templates take up little storage.
What are the disadvantages of biometrics?
The disadvantages of biometrics include:
- Biometrics systems are expensive to set up and maintain.
- If biometric data is not captured cleanly, the system can fail to identify or authenticate a user.
- Databases holding biometric data can be hacked, leading to data breaches of personally identifiable information (PII) and sensitive data. By one 2019 industry estimate the average total cost of a data breach reached $3.92 million. It's near impossible to know where data has gone once it has been exposed, which is why it is so important to prevent data breaches. In fact, one of the biggest reported data exposures involved Aadhaar, with personal data of over a billion enrolled people reportedly accessible.
- Matching errors can cause false accepts as well as false rejects.
- If a user is injured or disfigured, biometric authentication may not work, e.g. a fingerprint sensor is useless if the finger is lost or badly scarred.
- Many countries, including the United States, are planning to share biometric data with other nations.
How UpGuard can prevent first and third-party data breaches
There's no question that cybersecurity is more important than ever before. That's why companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data and prevent data breaches.
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We can even alert you if their score drops.