Biometrics as a security factor is now indispensable in IT security. Biometric methods for identifying people are considered advanced and particularly secure because they are harder for cybercriminals to spy on than other methods, such as passwords or PINs. Unlike secrets such as passwords, they have the added advantage that the user does not have to remember them. With fingerprint or face recognition, users can log into their accounts simply and easily. This makes biometrics one of the most secure methods of protecting data. Read on to find out exactly what the technology has to offer.
In principle, biometric access systems can be divided into physiology-based and behaviour-based systems. Probably the best-known physiology-based authentication method based on biometrics is the fingerprint – prominently used by Apple. A major advantage of fingerprint scanners is that they are easy to use and that fingerprints are considered to be unique. The way it works is relatively simple: when scanning fingerprints, sensors in a reader use different technologies – such as capacitive, optical, thermal or ultrasonic technology – to capture the lines, swirls, loops and branches of the fingerprint, also known as the minutiae, in seconds. A set of 14 of these minutiae is sufficient to assign a fingerprint beyond any doubt to a specific person.
Access is denied if the values recorded during the check do not match the stored data. Even if someone tries to fool the sensor system with a wax print or a severed finger, this will not succeed with high-quality fingerprint systems. In addition, sensors are integrated into the reader that measure the finger pulse and can thus distinguish between real and fake fingerprints.
Iris or retina scans, part of optical biometrics, work similarly.
Next step: behavioural biometrics
Bypassing biometric systems is considered to be extremely difficult. Nevertheless, cybercriminals have found ways to trick these systems. In one of the best-known methods, social engineering, it is not the system itself that is manipulated but rather the weakest link in the IT security chain: the human being. For example, a fraudster pretends to be a representative of a reputable organisation and persuades the victim on the phone to log into their bank account. Neither multifactor authentication nor biometrics can impede the criminal in this case because consumers authenticate themselves.
In cases such as this, behavioural biometrics can help detect fraud attempts and, in a second step, prevent them. For example, this method can be used to confirm a consumer’s identity throughout the online session. With the help of data-driven insights, corporate IT security professionals can distinguish real from fake user behaviour.
Behavioural biometric systems can recognise and evaluate typing behaviour, mouse movements and swiping movements on a smartphone, as well as the handling of the terminal device. Behavioural biometrics is often used in downstream or continuous authentication methods such as risk-based authentication and adaptive authentication. A big advantage here is that the procedure offers added protection against cyber criminals as another layer of security.
Development opportunities in biometrics
You may be familiar with the American crime drama television series ‘Lie to Me’, in which the main character, Dr Cal Lightman, and his colleagues use micro-expressions to expose suspects' lies during criminal investigations. Using body language, the team analyses involuntary movements of the facial muscles and can thus detect suppressed emotions. The series is based on the research of psychologist Paul Ekman, who became famous for his findings in non-verbal communication.
Experts are discussing whether emotion recognition can be used in future authentication systems to confirm a person’s identity based on voice and body language. This approach could certainly be interesting in the fight against deep-fake fraud. It is also very controversial, though – as facial expressions alone are not necessarily sufficient to draw precise conclusions about a person’s emotional state and, therefore, about their identity.
There are also developments in the area of context-aware or adaptive authentication. The background to this is that biometrics can be used to consider the authentication context to a greater extent. In combination with location information, user behaviour or other contextual factors, the security of the access request can be significantly increased without compromising the user experience. In a further step, an AI-supported risk analysis can be used to create a profile of the user to enable more effective and, above all, quicker detection of suspicious activities or unauthorised access attempts, for instance.
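As an added illustration (not code from this article or from any product), the sketch below shows how the typing-behaviour signal described earlier can feed the risk-based, context-aware decision outlined here. The function names, the scoring weights and thresholds, and all timing values are assumptions constructed for the example.

```python
from statistics import mean, stdev

# Constructed enrolment data: (digraph, flight time in ms) per login session.
ENROL = [
    [("th", 110), ("he", 95), ("er", 120)],
    [("th", 118), ("he", 101), ("er", 112)],
    [("th", 105), ("he", 98), ("er", 125)],
]

def build_profile(sessions):
    """Per-digraph (mean, stdev) of flight times seen during enrolment."""
    samples = {}
    for session in sessions:
        for digraph, ms in session:
            samples.setdefault(digraph, []).append(ms)
    # stdev needs at least two samples per digraph
    return {d: (mean(v), stdev(v)) for d, v in samples.items() if len(v) >= 2}

def typing_deviation(profile, session):
    """Mean absolute z-score over known digraphs; None if nothing overlaps."""
    zs = [abs(ms - profile[d][0]) / max(profile[d][1], 1.0)  # floor sigma at 1 ms
          for d, ms in session if d in profile]
    return mean(zs) if zs else None

def decide(profile, session, known_device, usual_country):
    """Combine behaviour and context into allow / step_up / deny."""
    dev = typing_deviation(profile, session)
    if dev is None:
        risk = 2          # no behavioural evidence is uncertainty, not a match
    elif dev > 3.0:
        risk = 3          # typing rhythm far outside the enrolled profile
    elif dev > 1.5:
        risk = 1
    else:
        risk = 0
    risk += 0 if known_device else 2
    risk += 0 if usual_country else 2
    if risk >= 5:
        return "deny"
    return "step_up" if risk >= 2 else "allow"

PROFILE = build_profile(ENROL)
GENUINE = [("th", 112), ("he", 97), ("er", 121)]    # constructed sample
ANOMALOUS = [("th", 190), ("he", 160), ("er", 60)]  # constructed sample

if __name__ == "__main__":
    print(decide(PROFILE, GENUINE, True, True))
    print(decide(PROFILE, ANOMALOUS, False, True))
```

Because the behavioural score is only one input, an unfamiliar typing rhythm on a known device triggers a step-up check rather than an outright block, which keeps the user experience intact for legitimate users who simply type differently on a given day.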
CIAM of the future
Biometric authentication methods and their further developments can play an important role in the future of CIAM. They not only improve security but also the user experience – making a valuable contribution to combating identity theft and fraud while providing users with seamless and more convenient access.