What Is Biometric Authentication? Uses, Benefits & How It Works
6 Min. Read | February 9, 2023
Biometric authentication, once the stuff of spy films and the military, now features in our everyday tech lives — from unlocking smartphones to going through passport control. It’s also become an important tool in the fight against cybercrime and identity fraud, such as phishing and account takeover. Biometric authentication creates a more user-friendly and secure login pathway than traditional, password-based authentication systems.
There are different types of biometric authentication systems, which vary both in their biometric modalities and the processes they use for authentication. This means there can be significant discrepancies in the ease of use and level of security among approaches. This blog will look at biometric authentication, how it works, and its uses and benefits in a digital security setting.
What is Biometric Authentication?
Authentication is the means of verifying that a user is, in fact, who they claim to be. There are three main methods used to prove identity, known as "factors" of authentication:
- Something you know or "knowledge" factors, such as passwords, PINs and security questions.
- Something you have or "possession" factors, including security keys, devices and one-time passwords (OTPs).
- Something you are or "inherence" factors, which utilize a user's unique physical features, such as fingerprints or facial recognition.
An authentication system can require one or multiple factors for a user to prove their identity. Biometric authentication uses "something you are" factors and performs verification by challenging the user to provide distinctive physical characteristics.
Biometric authentication systems are used in various physical locations, such as doors, IT server rooms, airport security or any area which requires advanced security. In digital environments, biometric authentication has become a standard security feature on most smart devices, computers and applications running on those devices.
How Biometric Authentication Works
The core of biometric authentication relies on the user's unique physical characteristics. A biometric authentication system records these distinctive details and grants the user access only when the stored parameters for that individual user are matched.
For example, with a facial recognition biometric authentication system, various facial features of the user are processed and converted to numerical data. Then, when attempting to log in, the system recaptures the user's face, extracting numerical data and comparing it with the stored data held for that user.
Besides facial recognition, types of biometric authentication include:
- Fingerprint scanning
- Palm scanning
- Retina and iris scanning
- Voice recognition
- Breath sensing
- DNA matching
- Vein scanning
- Gait recognition
How this information is processed is a significant differentiator within biometric recognition. In some systems, the user's features get compared against stored records held in a centralized, server-side repository. Another option is for the user's data to be matched locally, such as on their smart device, which then unlocks a password or PIN, or signs a digital certificate, to approve system authentication.
Is Biometric Authentication Secure?
While biometric authentication uses physical characteristics that are unique to a person, this doesn't guarantee they can't be hacked. For example, modern AI algorithms have proven themselves adept at generating fingerprints that can be used to commit fraud, while improvements in deepfake technology can fool facial recognition technology. These remain fringe cases, however, far beyond the capabilities of hackers working through lists of millions of potential victims.
The most significant factor in the security of a biometric authentication system is how the biometric details are stored. If the data is stored in a central database, there are two major issues. First, the database can be breached, giving the hackers access to the biometric data of potentially millions of users. This happened in 2015 when a hack of the government's Office of Personnel Management (OPM) led to the theft of 5.6 million people's fingerprints. Second, there is a risk of data being intercepted through man-in-the-middle (MitM) attacks and subsequently being used for account takeover.
In essence, even though biometric authentication should be many orders of magnitude safer than password-based authentication, requiring the transmission and saving of data creates the same "shared secret" approach that undermines password security.
Benefits of Biometric Authentication
Biometric authentication has advantages over systems based on other authentication factors, including increased reproduction difficulty and less user friction.
Increased Difficulty of Reproduction
Common password attacks include brute force and dictionary attacks, where attackers try multiple (potentially thousands of) passwords to gain access to an account. Because biometric authentication uses entirely unique physical features, those features are extremely difficult for attackers to replicate.
Reducing User Friction
One of the biggest issues with passwords and even MFA systems, in general, is how frustrated users get with remembering passwords or having to regularly ask for resets when they can't. Unfortunately, this also leads to unsafe practices such as reusing passwords or keeping password lists. With biometric authentication, there's nothing to remember or check; your eyes and fingerprints will always be the same and require only a couple of seconds to input.
Challenges of Biometric Authentication
Though biometric authentication is more difficult for attackers to overcome, there are downsides that enterprises and security firms deploying it must address.
The Permanence of Data Breaches
The point of biometric authentication is that users will always have those features, and they will change little, if at all, throughout their lives. But, unfortunately, that also means that if there is a data breach of a central repository, those users' fingerprints will forever be compromised.
While the algorithms behind biometric authentication aren't inherently biased, the data used to train and perfect them often is. This creates a situation where the system is built on imaging and recognizing a "base" dataset (mostly white and male). It is enough of an issue that the government's National Institute of Science and Technology (NIST) has been investigating the problem. One study found that facial recognition technology "falsely identified African American and Asian faces 10 to 100 times more than Caucasian faces".
Biometric Authentication and FIDO
The FIDO (Fast Identity Online) Alliance is a collective of some of the world's biggest technology and other corporations. They aim to create an open authentication standard (FIDO2) that will improve global cybersecurity by eliminating passwords and improving user experience.
Biometric authentication devices that are FIDO Certified are recognized to conform to these standards for creating strong, phishing-resistant authentication. Certified components are also interoperable with other FIDO Certified components and protocols.
HYPR and Biometric Authentication
As the only software authentication solution certified by FIDO across all components, HYPR delivers on the advantages of biometric authentication without its downsides. HYPR removes all shared secrets from the authentication process using a combination of biometrics and public key cryptography. The user’s biometrics and the private cryptographic key are securely stored locally on their device. This system eliminates the risk of a central database being breached or the data being intercepted during transmission.
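The pattern described here and under "How Biometric Authentication Works" (a local match unlocks a device-held private key, and the server stores only the public key) can be sketched as a challenge-response exchange. This is an added example, not HYPR's or the FIDO Alliance's code; Ed25519, the 32-byte challenge, and the names Server, Enroll, Challenge, DeviceSign and Verify are assumptions, and the biometric match is reduced to a boolean flag.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps public keys and open challenges, never biometric data.
type Server struct{ pubKeys, pending map[string][]byte }
func NewServer() *Server { return &Server{map[string][]byte{}, map[string][]byte{}} }

// Enroll stands in for on-device key generation; the server keeps only pub.
func (s *Server) Enroll(user string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	s.pubKeys[user] = pub
	return priv, err
}

// Challenge issues a fresh random value for one login attempt.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; error ignored for brevity in this sketch
	s.pending[user] = c
	return c
}

// DeviceSign signs only after the local biometric match (assumed flag).
func DeviceSign(priv ed25519.PrivateKey, c []byte, matched bool) ([]byte, error) {
	if !matched {
		return nil, errors.New("local biometric match failed")
	}
	return ed25519.Sign(priv, c), nil
}

// Verify consumes the challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, open := s.pending[user]
	delete(s.pending, user)
	pub := s.pubKeys[user]
	return open && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, c, sig)
}

func main() {
	s := NewServer()
	priv, _ := s.Enroll("alice")
	sig, _ := DeviceSign(priv, s.Challenge("alice"), true)
	fmt.Println("login accepted:", s.Verify("alice", sig))
}
```

A breach of this server yields only public keys, and a signature intercepted in transit is bound to a challenge that has already been consumed.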