With multi-factor authentication (MFA), there are three types of authentication factors: something you know (knowledge), something you have (possession), and something you are (inherence).
Biometric authentication falls into the third category—inherence. Biometrics are a category of authentication methods that utilize unique biological characteristics (physical attributes or behavioral characteristics) to verify a user’s identity.
Biometric authentication can be broken down into static and dynamic methods. In the static category, there are fingerprint, facial, iris, and retina scans, as well as hand geometry. In the dynamic group, there are methods that focus on behavioral patterns, such as voice and/or speech patterns, typing rhythm, body resonance, and the old-fashioned signature.
The most accepted and widely used biometric method is fingerprint authentication, so it will be the primary focus of this post.
How Fingerprint Authentication Works
When your fingerprint is scanned, it is automatically compared to a stored fingerprint template in order to validate your identity.
Here’s how it works: You press or swipe an enrolled finger on a sensor. The MFA solution extracts the distinguishing features of the scan and compares them with the templates captured at enrollment (typically three or more per user), which are stored encrypted on a server. The comparison is a similarity score against a threshold, not an exact byte-for-byte match, because no two scans of the same finger are identical.
To protect your privacy, the raw fingerprint image is not retained; only the template, a mathematical representation of the print’s distinguishing features, is stored. Then, depending on your company’s policy, you enter an associated PIN or password. Once both factors are verified, you are given access to the operating system or application.
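The flow described above, as an added illustration rather than any vendor’s matching code: enrolled templates are modelled as sets of minutiae points (x, y, angle), a scan matches when enough of a template’s minutiae fall within a spatial and angular tolerance (the threshold, tolerances, sample prints and the `Enrollment`/`verify` names are all assumptions made for the example), and access is granted only when the fingerprint score clears the threshold and the PIN also verifies. It also shows why a partial scan from a small sensor scores low, which is the tension behind the lowered thresholds that make spoofing easier.

```python
"""Toy fingerprint-plus-PIN verifier (added example, not the post's own code).

Templates are minutiae lists of (x, y, angle_degrees). Real matchers align the
print first and use far richer features; the lesson here is that biometric
matching is a thresholded similarity score, and that the knowledge factor is
checked independently with a salted hash and a lockout.
"""
import hashlib
import hmac
import math
import secrets

MATCH_THRESHOLD = 0.6   # fraction of template minutiae that must match (assumed value)
POS_TOL = 3.0           # positional tolerance in sensor pixels (assumed)
ANGLE_TOL = 15.0        # ridge-angle tolerance in degrees (assumed)
MAX_FAILURES = 5        # lockout after this many failed attempts (assumed)
PBKDF2_ITERATIONS = 100_000


def _angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(scan, template):
    """Greedy one-to-one matching: fraction of template minutiae with a scan
    minutia inside POS_TOL pixels and ANGLE_TOL degrees."""
    if not template:
        return 0.0
    used, hits = set(), 0
    for tx, ty, ta in template:
        for i, (sx, sy, sa) in enumerate(scan):
            if i in used:
                continue
            if math.hypot(sx - tx, sy - ty) <= POS_TOL and _angle_diff(sa, ta) <= ANGLE_TOL:
                used.add(i)
                hits += 1
                break
    return hits / len(template)


def fingerprint_matches(scan, templates, threshold=MATCH_THRESHOLD):
    """Compare the scan against every enrolled template; return (matched, best_score)."""
    best = max((match_score(scan, t) for t in templates), default=0.0)
    return best >= threshold, best


def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class Enrollment:
    """What the server keeps: templates (never images), a salted PIN hash, a failure counter."""

    def __init__(self, templates, pin):
        self.templates = templates
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.failures = 0


def verify(enrollment, scan, pin):
    """Inherence AND knowledge. Both factors are always evaluated and a single
    'denied' is returned, so the caller cannot learn which factor failed."""
    if enrollment.failures >= MAX_FAILURES:
        return "locked"
    matched, _ = fingerprint_matches(scan, enrollment.templates)
    pin_ok = hmac.compare_digest(hash_pin(pin, enrollment.salt), enrollment.pin_hash)
    if matched and pin_ok:
        enrollment.failures = 0
        return "granted"
    enrollment.failures += 1
    return "denied"


# Constructed sample data: one finger, three enrollment captures with small offsets.
BASE = [(10, 12, 30), (25, 40, 95), (42, 18, 200), (55, 60, 310), (70, 33, 120),
        (15, 70, 45), (33, 85, 260), (60, 90, 10), (80, 75, 180), (90, 20, 60)]


def jitter(minutiae, dx, dy, da):
    return [(x + dx, y + dy, (a + da) % 360) for x, y, a in minutiae]


ENROLLED = [jitter(BASE, 0, 0, 0), jitter(BASE, 1, -1, 5), jitter(BASE, -1, 1, -5)]
GENUINE_SCAN = jitter(BASE, 1, 1, 4)        # same finger, slightly shifted
PARTIAL_SCAN = BASE[:5]                     # half the print, as a small sensor sees it
IMPOSTER_SCAN = [(12, 50, 100), (30, 20, 0), (48, 70, 250), (65, 10, 80),
                 (85, 45, 330), (5, 90, 200), (40, 50, 140), (75, 55, 20)]

if __name__ == "__main__":
    user = Enrollment(ENROLLED, "4821")
    for label, scan, pin in [("genuine+PIN", GENUINE_SCAN, "4821"),
                             ("genuine+wrong PIN", GENUINE_SCAN, "0000"),
                             ("partial+PIN", PARTIAL_SCAN, "4821"),
                             ("imposter+PIN", IMPOSTER_SCAN, "4821")]:
        print(f"{label:18} score={fingerprint_matches(scan, ENROLLED)[1]:.2f} -> {verify(user, scan, pin)}")
```

Raising `MATCH_THRESHOLD` cuts false accepts but makes the partial scan fail more often; lowering it to accept partial prints is exactly the trade-off that synthetic “master” prints exploit, so the PIN factor and the lockout are what keep a lenient matcher from being the only gate.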
Advantages of Biometric Authentication
First of all, biometrics are inherent: physical biometrics are based on characteristics we all have from birth, and even identical twins have distinct fingerprints. In over 140 years of fingerprint comparison, no two fingerprints from different people have ever been found to match.
Because biometrics are always with you, unlike passwords or USB tokens, they can’t be forgotten or misplaced. Devices with built-in readers, such as laptops or smartphones, allow the user to gain access with a quick scan of their fingertip, without having to remember anything or to carry a token or device.
This convenience factor has made biometric authentication methods, such as fingerprint scans, popular with users and is driving consumers to push for the widespread adoption of biometric authentication.
Built Into Many Devices
As the most mature biometric authentication method, fingerprint authentication is already widely in use and is built into many smartphones and mobile devices.
Difficult to Steal
Biometrics are difficult to steal remotely. Unlike a password, which can be phished or dumped from a breached database without ever meeting the victim, capturing a usable fingerprint normally requires close proximity or some kind of physical interaction, such as lifting a print from something the person has recently touched.
Disadvantages of Biometric Authentication
Can’t Be Replaced
If a password gets compromised, you can change it. If a token is lost, you can replace it. But if your fingerprint is compromised, it is compromised for life: you can’t reset or replace your fingerprint, and any template derived from it can be re-used against every system that enrolls that finger.
This is not just a theoretical possibility. When attackers broke into the U.S. Office of Personnel Management in 2015, they stole the fingerprint records of 5.6 million people who had undergone a background check.
Can Be Faked/Tricked
In addition, it is possible to fake biometrics or to trick biometric readers. Research published by IEEE on synthetic “master” fingerprints found that a set of five such prints could match close to two-thirds of users in a simulation of the small partial-print sensors used on phones, which compare only a fragment of the finger. White-hat hackers have demonstrated that they can lift a fingerprint, transfer it to a plastic laminate, and cast a fake finger from the mold.
Other biometrics can be scammed as well. Researchers successfully tricked the iris scanner on the Samsung Galaxy S8 smartphone using an image and a contact lens to create a dummy eye. And facial recognition software has been thwarted in a number of ways, including using sunglasses, a mask, makeup, LED lights, and/or reflective clothing.
Can’t Be Remotely Revoked
With biometrics, changing the enrolled data set requires physical presence at the device or reader. If a password-protected account is hacked, you can reset the password remotely. But if an attacker lifts a copy of your fingerprint off your phone and uses it to get into your phone or another device, there is no way to remotely revoke that fingerprint; at best an administrator can disable the account or wipe the device until you can re-enroll in person, and the print itself remains usable against any other system that accepts it.
Less Mature Form of Authentication
Many types of biometric authentication are still not in wide use. Developers are still working to perfect the technology in many cases, and some methods still suffer from misidentification, both false rejections of legitimate users and false acceptances of the wrong person.
Depending on the application, deploying biometric authentication can be costly and time-consuming. Readers must be purchased, software installed and integrated, and every user must be enrolled in person.
Should You Adopt Biometric Authentication?
Biometric authentication has widely increased in use and methods in recent years as demand for convenient authentication increases. With fingerprint scanners built into many devices and other biometric methods coming into wider use, it’s doubtful that this trend will slow down anytime soon.
The bottom line is that biometrics shouldn’t be used as a stand-alone form of authentication. However, when combined with other authentication factors as a second or third factor, biometrics can be leveraged as part of secure two-factor or multi-factor authentication.
For example, a fingerprint combined with a PIN gives you two independent factors, inherence and knowledge, so a lifted print alone or a guessed PIN alone is not enough. This approach overcomes many of the security drawbacks above, including the inability to revoke a compromised print, while still providing a convenient user experience.