
What Is Biometric Authentication And How Secure Is It?

Can we really use our fingerprints to secure our most critical applications? And, more importantly, should we?


If you own a smartphone that was released within the last decade, there’s a good chance you’re using biometric authentication (such as using your fingerprint or a face scan) to unlock your device. 

And we can see why. Why spend your time manually typing in passwords and codes when you can unlock your devices in milliseconds by simply…being you?

But while the biometric market value is set to reach 55.42 billion USD by the end of 2027, many organizations are hesitating to adopt the technology to protect critical workplace accounts and applications. And a key question on many security practitioners’ minds is how trustworthy and secure the technology is when it comes to protecting more high-value data. 

After all, when a hacker steals your password, you can change it. But what happens if they steal your fingerprint?

So, how secure really are biometric authentication technologies in a business setting? And should organizations like yours be relying on them to protect your most sensitive accounts and data?

Throughout this article, we’ll take a look at what biometric authentication is, how it works, what the risks of using it are, and what makes it a safe method of authenticating users. 

What Is Biometric Authentication And How Does It Work?

Biometric authentication is a method of identity verification that’s based on measurements of live biological characteristics. 

Gone are the days when fingerprint scanners and facial recognition engines were technologies we’d exclusively see on screen or read about in sci-fi novels—biometric technologies are now a part of everyday life, built into smartphones, laptops, and even cars.

Using biometric authentication, a system can determine whether a user really is who they say they are by scanning the unique ridges of their fingerprints, examining the micropatterns in their typing behaviors, or by analyzing almost any trait a user displays that’s distinctive, repeatable, and measurable.

But while there are a wide range of characteristics that can be measured to authenticate user identities, we can generally split these up into two categories: physiological biometrics and behavioral biometrics.

Physiological And Behavioral Biometrics 

Physiological biometrics are based on a user’s physical characteristics—such as their fingerprints, facial structures, hand geometry, and vein patterns.

Behavioral biometrics, on the other hand, are based on a user’s behavioral characteristics—such as their keystroke rhythm, mouse traction, and the way that they speak or walk. 

While physiological biometrics are more commonly used in popular consumer technology, behavioral biometrics are gradually gaining traction in more high-security industries, such as finance, business, and government.

This is because behavioral biometrics are more difficult to imitate, making them slightly more secure than physiological biometrics. You can find out more in our article on how behavioral biometrics work and what makes them secure.  

How Does Biometric Authentication Work?

Let’s explain this one using a scenario that hopefully we’re all familiar with—passwords. 

When a user signs up to a service using a password, that password is registered in the system’s database. From that point onwards, when logging in, the user must enter a password that’s a 100% character-by-character match to the password stored in the database to be granted access to their account—otherwise, they’re denied.

Biometric authentication works in a similar way. When a user enrolls in a system using biometric authentication, the system captures their biometric “template”, to which each of their future login attempts will be compared. Except, what comes next is where biometric authentication differs from passwords.

When it comes to biometric characteristics, 100% matches are impossible. Instead, each time a user attempts to log in using their biometric data, the system compares the new measurement with the biometric template registered on file and generates a type of “risk score” for the user in that particular moment.

This score determines the likelihood that they’re the same person as the individual that initially registered. If the user’s score is within a set threshold, they’re granted access. If it isn’t, well, you know how it goes. 

So, you could say that biometric characteristics are like passwords that users wear on their bodies. But they’re passwords that are incredibly difficult to change and impossible to forget. 

How Secure Is Biometric Authentication?

There are several key benefits of implementing biometric authentication, in terms of security. Let’s explore them.

Biometric Authentication Is Based On A Probabilistic System

We mentioned earlier that traditional methods of authentication, like passwords, require a 100% character-by-character match to allow a user access to a given account or application. This is what we call a deterministic method of authenticating users. 

Probabilistic methods, on the other hand, are based on the probability that the user attempting to gain access to a certain device or application is the same person as the user registered on file.

And, while deterministic methods might seem safer (after all, isn’t authentication based on a 100% match safer than authentication based on the probability that you’re letting in the right user?), they can present a major security issue because of how easy they are to imitate.

When it comes to passwords, a system will grant access to anybody that can input the right password, meaning any criminal that can steal or crack a password is granted instant access to an account, no questions asked. There’s a reason that weak passwords are responsible for 77% of all cloud breaches, after all. 

Probabilistic methods of authentication, on the other hand, are actually more secure because they’re focused on authenticating the right users, as opposed to focusing on 100% matches in the data. And it’s also far harder to imitate a living piece of data that’s constantly fluctuating and changing than it is to imitate data that’s fixed and static.

Thresholds Determine Security And Accuracy

The security and accuracy of a biometric authentication solution is greatly influenced by its thresholds.

As we covered earlier, the threshold sets how closely a new scan must match the enrolled template, that is, the minimum score a login attempt needs before it is accepted. And the thresholds can be configured by your admins to suit your organization’s needs.

For example, the stricter that you set your thresholds, the more secure and accurate your system will be. But this also increases the likelihood of your users being falsely denied access to their own accounts, giving you a higher false rejection rate (FRR). This will also be particularly frustrating for your users, and might lead to them cutting corners with security and seeking easier but less secure practices to gain access to their accounts. 

On the flip side, the more lenient your thresholds are, the less secure and accurate your system will be. You also slightly increase the chance of the wrong user being falsely authenticated to a given account, giving you a higher false acceptance rate (FAR). But this does provide a better, more frictionless user experience, and reduces the chance of users being falsely denied access.

It’s important that you strike the right balance depending on your particular use case and whether you need a more secure system or a more user-friendly system. 
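The threshold trade-off described above, worked through in Python as an added example that is not part of the original article. The 0..100 score scale and every genuine and impostor score below are constructed sample data, not output from any real matcher.

```python
"""Threshold trade-off for a score-based biometric matcher (added example).

The score scale (0..100) and all scores below are constructed sample data,
not output from any real matcher.
"""
from typing import Iterable, Sequence

# Constructed similarity scores: how closely a live scan matched the enrolled
# template. Genuine attempts come from the enrolled user, impostor attempts
# from somebody else. Even genuine scans never reach a 100% match.
GENUINE_SCORES = [91, 88, 84, 79, 76, 72, 69, 65, 61, 58]
IMPOSTOR_SCORES = [12, 18, 23, 27, 31, 36, 42, 48, 55, 63]


def accept(score: float, threshold: float) -> bool:
    """Probabilistic decision: grant access when the score reaches the threshold."""
    return score >= threshold


def false_acceptance_rate(impostor: Sequence[float], threshold: float) -> float:
    """FAR: fraction of impostor attempts that were wrongly accepted."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def false_rejection_rate(genuine: Sequence[float], threshold: float) -> float:
    """FRR: fraction of genuine attempts that were wrongly rejected."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def sweep(genuine: Sequence[float], impostor: Sequence[float],
          thresholds: Iterable[float]) -> list[tuple[float, float, float]]:
    """(threshold, FAR, FRR) for each candidate threshold."""
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


def equal_error_threshold(genuine: Sequence[float], impostor: Sequence[float],
                          thresholds: Sequence[float]) -> float:
    """Threshold where FAR and FRR are closest: a common starting point before
    an admin biases the system toward security (higher) or convenience (lower)."""
    return min(thresholds, key=lambda t: abs(false_acceptance_rate(impostor, t)
                                             - false_rejection_rate(genuine, t)))


if __name__ == "__main__":
    candidates = range(40, 95, 5)
    # Stricter thresholds drive FAR to zero while FRR climbs, and vice versa.
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, candidates):
        print(f"threshold {t:>2}: FAR {far:.1f}  FRR {frr:.1f}")
    print("equal error threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, candidates))
```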

The System Evolves With Each Login

Biometric authentication systems grow smarter, stronger, and more accurate with each login. So, if a hacker does somehow manage to imitate one of your users’ biometric traits and gain access to an account, the system will evolve so that they would not be able to do so a second time.

If a hacker gains access to a password-secured account, on the other hand, they can continue to do so until the user realizes and changes their password. In this sense, using biometric authentication limits the damage that an attacker can do by reducing the risk of a repeated breach.

Biometric Data Is Securely Stored

A key part of how biometric authentication works is that each new scan is compared to the data that’s already registered for a particular user. 

And that biometric data is stored as an encrypted numeric value as opposed to raw data. So, even if a criminal did manage to hack into a biometric database, they’d only see encrypted data—which is near impossible to reverse engineer. 

Biometric data can be stored in a number of secure ways:

On-Device

One of the safest ways of storing biometric data is storing it locally on end-user devices like smartphones and laptops. For example, Apple users’ biometric data is encrypted and stored in their device’s Secure Enclave—which is isolated from the device’s server, network, operating system, and applications—so the data never leaves the device during authentication.

This is particularly secure, because it means data is stored locally as opposed to on a server in a large database.  

Portable Hardware Tokens

Another particularly safe method of storing data is to store it on a portable hardware token—such as a security card, fob, or USB drive. These work similarly to on-device storage, as all biometric information is stored locally, and never leaves the device. 

An advantage of using portable hardware tokens is that they inherently enforce two-factor authentication (2FA), as a user must present something they have (the hardware token) alongside something they are (a biometric scan) to authenticate their identity. A drawback might be that users are required to present the hardware token each time they need to authenticate their identity.

Biometric Database Servers

For corporate use cases, it can be preferable to store biometric data within databases on external cloud-based servers, as opposed to locally. This is because it’s the most cost-effective option, enables admins to grant and revoke permissions, and allows users to authenticate on any device from anywhere, as opposed to being bound to their device or token. 

On the other hand, this method is the most vulnerable to cyberattack, as data is transferred across the network to be verified, leaving it at risk during transmission. This is why the data should be encrypted: even if it is intercepted, it cannot be read without the decryption key.

Distributed Storage

Distributed data storage essentially provides the best of both worlds, and works by encrypting biometric data, breaking it up, and storing it both externally on servers and locally on devices. 

A key benefit of storing data this way is that a hacker would need to gain access to both the local storage and external server to compromise the data. 

The Risks of Using Biometric Authentication

There’s good and bad in everything—and biometric authentication is no exception. As with all things in life, using biometric data has its risks.

Some risks of using biometric authentication include:

False Matches

While uncommon, false matches are possible, as we mentioned earlier. They happen when a system wrongly recognizes an unknown individual as an enrolled user and grants access.

Apple even lists this possibility in its product support pages. However, the probability of a false match while using Face ID is one in a million, whereas the likelihood of someone cracking a four-digit passcode is far higher, at one in ten thousand.

False Rejections

False rejections, on the other hand, might occur when a rightful user is not recognized and falsely denied access to their devices or accounts.

But this is usually more of an annoyance than a serious issue, and can easily be rectified. To combat false denials, we recommend that you enable alternative modes of access via multi-factor authentication, so that genuine users are granted access even if their biometric data is not recognized.

Algorithmic Bias

Algorithmic bias occurs when a system is shown to be more or less accurate, or to behave differently, when authenticating users of a certain demographic—whether that’s based on sex, race, or age. And several studies have proven this to be the case with biometric technologies—facial recognition technology, in particular.

For example, a 2020 scientific study found that the lowest biometric performance was seen when using facial recognition technology to authenticate females and younger users, and saw lower classification accuracy for dark-skinned females when compared with other groups. 

These biases are often not an inherent part of a given algorithm, but rather based on the data that trains and informs the algorithm—meaning the country of development comes into play, too. This is evident in that the same study found algorithms developed in Asia could more easily recognize Asian users, while algorithms developed in Europe best identified Caucasian users. 

Biometric Spoofing

While extremely difficult and expensive to pull off, it is possible to replicate and clone fingerprints, faces, and other bodily features. The scary part is that every day we might leave traces of our biometric data—such as fingerprints—lying around in public without knowing it. And biometric spoofing has been proven to be successful on multiple occasions.

For example, in 2020, Cisco’s Talos Intelligence Group successfully cloned and created an artificial fingerprint using 3D printing. And when using the fingerprint to “hack” into various devices, the researchers actually achieved a success rate of 80%. 

Other examples include an Apple Face ID bypass using a human-like mask, hackers tricking the Galaxy iris scanner using an artificial eye, and researchers at the University of North Carolina using 3D models and VR technology to trick facial recognition systems.

But we wouldn’t necessarily say that biometric spoofing is something you should worry about. To be pulled off successfully, it takes a long time and requires a high level of knowledge and resources. The Talos Intelligence Group even described the process as incredibly time-consuming and complicated.

So, unless you’re a particularly high-value target, cybercriminals are far more likely to go after something that’s far easier to crack—like your passwords. So, why would cybercriminals turn to biometric spoofing while passwords are still widely being used?

The Verdict: Are Biometrics Safe To Use?

Overall, yes. The average business shouldn’t feel uneasy or unsafe when verifying user identity using biometric authentication. 

Despite its risks—all technologies come with risks—biometric authentication is still widely considered by experts to be one of the most accurate and secure methods of authenticating user identity. On top of that, the complexity of stealing and replicating biometric data makes it extremely unlikely that a hacker will attempt it.

But while biometric authentication is highly secure, there are some general recommendations that it’s worth taking into consideration when thinking about implementing it.

Recommendations

While for the average business, biometric authentication is a safe and accurate method of authenticating user identity, we strongly recommend taking a multi-layered approach to authentication as opposed to relying on one method.  

The best way to secure your devices and accounts is by using a strong multi-factor authentication (MFA) solution. MFA works by requiring two or more methods of authentication before allowing a user access to the system. For example, you could pair biometric technologies up with hardware security keys to create a double-layered login process. 

This way, even if a user’s biometric data were somehow compromised, a criminal still wouldn’t be able to access their account without passing the second or third modes of authentication. Think of it as a backup—a failsafe.

But if you do decide you’d like to rely solely on biometrics to protect your organization’s accounts and data as opposed to using an MFA system, then we recommend implementing a multimodal system to do so. 

A multimodal system uses more than one physiological or behavioral characteristic to authenticate users. For example, the system might ask for a facial scan combined with typing speed instead of just looking at one characteristic. 

This essentially provides an extra layer of security and means a hacker would need to impersonate two of their victim’s characteristics to gain access to an account.
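The multimodal decision described above, as an added Python example that is not part of the original article: a login passes only when both a facial-recognition score and a typing-rhythm score clear their own thresholds. The 0..100 scores, the two thresholds and all attempts are constructed sample data.

```python
"""Multimodal decision fusion (added example): a login passes only when both a
facial-recognition score and a typing-rhythm score clear their thresholds.

Scores (0..100), thresholds and attempts are constructed sample data.
"""
from typing import Callable, Sequence

Attempt = tuple[float, float]  # (face score, typing-rhythm score)

# Constructed attempts by the enrolled user...
GENUINE_ATTEMPTS: list[Attempt] = [
    (92, 85), (88, 77), (81, 63), (77, 91), (68, 74),
    (90, 58), (85, 80), (79, 69), (74, 66), (83, 72),
]
# ...and by other people. Some impostor attempts score well on one modality
# (for instance a spoofed face) but not on the other.
IMPOSTOR_ATTEMPTS: list[Attempt] = [
    (82, 31), (75, 44), (40, 71), (55, 66), (30, 25),
    (20, 38), (73, 52), (35, 80), (61, 59), (45, 33),
]

FACE_THRESHOLD = 70    # constructed
TYPING_THRESHOLD = 60  # constructed


def face_accepts(a: Attempt) -> bool:
    return a[0] >= FACE_THRESHOLD


def typing_accepts(a: Attempt) -> bool:
    return a[1] >= TYPING_THRESHOLD


def fused_accepts(a: Attempt) -> bool:
    """AND-rule fusion: an impostor must pass both modalities at once."""
    return face_accepts(a) and typing_accepts(a)


def false_acceptance_rate(rule: Callable[[Attempt], bool], impostor: Sequence[Attempt]) -> float:
    return sum(rule(a) for a in impostor) / len(impostor)


def false_rejection_rate(rule: Callable[[Attempt], bool], genuine: Sequence[Attempt]) -> float:
    return sum(not rule(a) for a in genuine) / len(genuine)


def compare(genuine: Sequence[Attempt], impostor: Sequence[Attempt]) -> dict[str, tuple[float, float]]:
    """(FAR, FRR) for each single modality and for the fused decision."""
    rules = {"face": face_accepts, "typing": typing_accepts, "fused": fused_accepts}
    return {name: (false_acceptance_rate(r, impostor), false_rejection_rate(r, genuine))
            for name, r in rules.items()}


if __name__ == "__main__":
    # Fusion removes every false acceptance here, at the cost of a higher FRR.
    for name, (far, frr) in compare(GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS).items():
        print(f"{name:>6}: FAR {far:.1f}  FRR {frr:.1f}")
```

The same trade-off as with a single threshold applies: requiring both traits lowers the false acceptance rate but rejects a genuine user whenever either modality has a bad day.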

Finding the right biometric authentication solution for your organization can be overwhelming, not to mention time-consuming—so let us help you out. We’ve put together a guide to the top solutions on the market, including an analysis of their features, how they work, and who they’re best suited for: The Top Biometric Authentication solutions

Summary

To sum it all up, biometric authentication is one of the most secure ways for you to secure your critical accounts. But—especially when it comes to cybersecurity—it always helps to err on the side of caution. 

So, trust your biometrics, but where possible use them as part of a multimodal or MFA system.