We all have features, characteristics, and attributes beyond our DNA that uniquely distinguish us from one another. These might range from specific physical indicators like a fingerprint or our facial structure to certain behavioral traits like the way we move or the cadence of our voice. The science of measuring and analyzing these features is called biometrics.
Thanks to advances in modern technology, many of us are already quite familiar with biometrics. For example, when you set up a new mobile device, you now often have the option to scan your fingerprint or your face so your device can easily detect that you are authorized to access it. The information collected and stored on your device is biometric data.
There are multiple types of biometric data, which can be used as identifiers: the patterns on your face, eyes, or fingers, the sound waves of your voice, the movements of your fingers on the keyboard, mouse, or tracking pad. And this data can be used to authenticate your identity with an astonishing level of accuracy. But precisely this ability has raised concerns about the collection and analysis of very personal biometric data. Should we be worried?
How does biometric authentication work?
There are several different biometric procedures used for authentication purposes. Here are a few of the most common and familiar ones:
On the basis of a 3D facial map (primarily stored on your mobile device) created using an infrared camera, an image comparison is performed to verify your identity and determine whether you are authorized to use the device, application, or service you are attempting to access. Access is granted or denied depending on the success of the authentication process.
On the basis of a 2D front-facing or profile scan, a facial signature is created. This facial scan can be compared against a database of faces to detect matches.
On the basis of a biometric template created by mapping out the unique data points of fingerprint ridges, your fingerprint is compared against a database of fingerprints or your unique fingerprint stored on your mobile device. The latter application works like facial authentication and can be used to provide or deny access to devices, services, etc.
Similar to facial authentication, voice recognition is used for direct authentication (i.e., 1:1 authentication of the voice speaking into a device). This is accomplished by comparing the speaker’s voice against a voice template associated with a unique individual (i.e., not against a database of voice templates). Your device records the sound wave of your voice to create a voice template consisting of your voice’s tones and frequencies. Access to devices, services, etc., can then be granted or denied depending on the success of the authentication process.
User behavior analytics
Based on, for example, the speed and pattern with which you move your fingers across the keyboard or trackpad (keystroke dynamics), it is possible to detect anomalies relative to previously stored typing or motion behaviors. Should anomalies be detected, additional verification measures can be initiated.
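The keystroke-dynamics check described above, as an added example that is not part of the original article: it enrolls a timing profile from repeated samples of one phrase, scores a new attempt by its mean absolute z-score, and requests additional verification when the score is anomalous. The function names, the 2.0 threshold, the 5 ms spread floor, and all timings are assumptions made for illustration.

```python
from statistics import mean, pstdev

def features(events):
    """events: [(key, press_ms, release_ms), ...] for one typed phrase."""
    dwell = [rel - prs for _, prs, rel in events]            # key held down
    flight = [events[i + 1][1] - events[i][2]                # gap between keys
              for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_spread_ms=5.0):
    """Build a per-feature (mean, spread) profile from repeated samples."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must be the same phrase")
    # Floor the spread so a very consistent typist cannot cause division by
    # zero or make tiny timing jitter look like an anomaly.
    return [(mean(col), max(pstdev(col), min_spread_ms)) for col in zip(*vectors)]

def anomaly_score(profile, events):
    """Mean absolute z-score of an attempt against the stored profile."""
    vec = features(events)
    if len(vec) != len(profile):
        return float("inf")                                  # wrong phrase length
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, profile))

def decide(profile, events, threshold=2.0):
    """'allow', or 'step_up' to trigger additional verification."""
    return "step_up" if anomaly_score(profile, events) > threshold else "allow"

def typed(dwells, flights, keys="pass"):
    """Constructed sample input: build events from dwell/flight times (ms)."""
    t, out = 0, []
    for i, key in enumerate(keys):
        out.append((key, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return out

# Constructed timings, not real measurements.
PROFILE = enroll([typed([90, 100, 95, 105], [120, 130, 110]),
                  typed([100, 110, 105, 95], [130, 120, 120]),
                  typed([95, 105, 100, 100], [125, 125, 115])])
GENUINE = typed([93, 107, 98, 102], [128, 122, 117])
OTHER = typed([60, 70, 65, 60], [200, 210, 190])

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("other", OTHER)):
        print(name, round(anomaly_score(PROFILE, attempt), 2), decide(PROFILE, attempt))
```

An anomalous score leads to a step-up rather than a hard denial, matching the "additional verification" behavior in the text.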
There are a number of other biometric procedures used for a variety of purposes: identification, verification, authentication. However, it’s important to note that not all data is suitable for biometrics. The data selected for use in biometric procedures is based on five important properties:
- Uniqueness: The data being collected is different for as many people as possible.
- Universality: The data being collected is possessed by everyone.
- Measurability: The data being collected can be easily acquired and measured.
- Consistency: The data being collected does not significantly change over time or in specific situations/under certain circumstances.
- Circumvention: The data being collected cannot be easily falsified or manipulated.
Choosing the best possible data ensures the utmost accuracy and applicability when integrating biometric procedures.
Biometric fact vs. fiction
There are some concerns standing in the way of widespread acceptance of biometric procedures. These include a number of myths about the unreliability, vulnerability, and danger of biometric data and processes. We’d like to unravel some of the most common fictions for you:
| Fiction | Fact |
| --- | --- |
| It is easy to fake biometric features. | Though not impossible, faking biometric features is incredibly difficult and rare. This is primarily thanks to techniques like liveness detection, which relies on algorithms that analyze motion and texture to verify that a live person is attempting to access the device, service, etc. |
| If a database is hacked, all biometric data is compromised. | The best practice is to never store biometric data server-side. When using solutions like Touch ID or Face ID, the biometric data is always stored only on a particular security chip (e.g., the “Secure Enclave” on Apple devices) and never leaves the device. In some specific cases, such as identity proofing, biometric data is stored on servers, but always with the highest possible level of security in a hashed and encrypted format. |
| Biometric data is unreliable. | Biometric data is not only reliable when it comes to authentication, but it is also far more convenient than the password, which needs to be long, complicated, and unique to every service to offer true security. By making passwordless authentication a reality, biometrics adds a whole new level of comfort and facility to security processes. |
| Biometrics don’t age with us. | Many biometric authentication systems (including Apple’s Face ID) include adaptive learning, which ensures that changes to your physiognomy are taken into account to continue improving detection and authentication accuracy over time. |
How is biometrics being used?
Biometrics is being used in a number of industries, from banking to healthcare, but also in law enforcement. The latter has indeed created a stigma around the science of biometrics because it is based on a less reliable use of facial recognition: the comparison of photographed 2D faces against an extensive data trove of photos. The resulting false matches have led to extensive criticism regarding the accuracy, fairness, and widespread use of the technology.
In industries like healthcare and banking, however, the far more reliable and secure implementations of 1:1 comparison and authentication are used to identify one individual person against the biometric data of that individual person in order to verify the individual’s identity and unlock specific services or provide access to sensitive data. When used for this purpose, biometrics is incredibly reliable, convenient, and secure.
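Why searching a large database produces more false matches than a 1:1 comparison, as an added example that is not part of the original article: people who are not enrolled are presented both to a single claimed template and to a whole gallery, and the false matches are counted. The random 64-bit templates, the threshold of 22, and all names are assumptions chosen for a toy model, and the sketch covers only the effect of gallery size.

```python
import random

BITS = 64  # toy template size (assumption); real templates are far larger

def distance(a, b):
    """Hamming distance between two bit-string templates."""
    return bin(a ^ b).count("1")

def verify(probe, enrolled, threshold):
    """1:1 authentication: compare against the one claimed template."""
    return distance(probe, enrolled) <= threshold

def identify(probe, gallery, threshold):
    """1:N search: every gallery entry within the threshold is a candidate."""
    return [i for i, t in enumerate(gallery) if distance(probe, t) <= threshold]

def false_match_counts(gallery_size, trials=200, threshold=22, seed=7):
    """Present `trials` people who are NOT enrolled; count false matches."""
    rng = random.Random(seed)
    gallery = [rng.getrandbits(BITS) for _ in range(gallery_size)]
    one_to_one = one_to_many = 0
    for _ in range(trials):
        stranger = rng.getrandbits(BITS)
        claimed = gallery[rng.randrange(gallery_size)]
        one_to_one += verify(stranger, claimed, threshold)
        one_to_many += bool(identify(stranger, gallery, threshold))
    return one_to_one, one_to_many

def expected_any_match(per_comparison_fmr, gallery_size):
    """Chance of at least one false match, assuming independent comparisons."""
    return 1 - (1 - per_comparison_fmr) ** gallery_size

if __name__ == "__main__":
    for n in (1, 100, 1000):
        print(n, false_match_counts(n), round(expected_any_match(0.001, n), 3))
```

With the same threshold, every template added to the gallery is another chance for a stranger to match someone, so the rate of false matches grows with the size of the database.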
Furthermore, when used with two-factor (2FA) or multi-factor authentication (MFA), biometrics provides a near-impenetrable layer of security. This is especially important as we move towards a future where more services are provided online and on mobile devices. Ensuring the utmost security for our data will require multiple safety mechanisms. Integrating our most unique identifiers into the verification process is one of the best ways to keep our personal information safe.
So, should we be concerned about biometrics? As with all new forms of technology, we should be cautious. However, we should also acknowledge that biometrics is providing us with a level of security and comfort that we currently lack. And it’s much safer than today’s alternatives.