
What Is Biometric Authentication?

Biometric authentication is the technology that will finally set us free from passwords. You may already be among the millions of people using fingerprint or facial verification to unlock your smartphone, tablet or laptop. That’s biometric authentication in action. 

A biometric scanner built into a device measures a person’s distinctive physical characteristics and compares them against a template captured at enrollment to verify the user’s identity. When attempting to log in, a customer or employee is authenticated if the newly captured scan matches the stored template closely enough. I’ll explain how it works in more detail, but first let’s consider why we need biometric authentication. 

What is the advantage of biometrics?

There are two distinct advantages of biometric authentication: 1) smooth and easy user experiences, and 2) strong security, provided the implementation is sound. Biometric authentication is now being used by companies to give employees and customers easy-to-use and more secure access to their accounts, web or mobile apps, resources or call centers. By removing extra barriers and friction, biometric authentication is transforming how we work, shop, bank, connect and explore our digital world.    

Customers who’ve made the switch to biometric authentication love its speed and ease of use. According to FIDO Alliance, 68% of consumers prefer biometric authentication over traditional two-factor authentication (2FA) methods. We can expect its popularity—and demand—to grow rapidly as more devices are made with built-in biometric scanners. Juniper Research estimates that 1.3 billion devices will have biometric capabilities by 2024.  

3 types of authentication 

Before we go any further, it’s important to understand how authentication has evolved over the years. There are 3 basic types of authentication used to verify identities.

  1. Something You Know – passwords, PINs, answers to knowledge-based questions, code words and even secret handshakes (slick for James Bond, but a bumbling disaster for Inspector Clouseau). This form of authentication is anything you can commit to memory. The weak link? Anything memorized can be forgotten, and anything typed can be guessed, reused or phished.
  2. Something You Have – sometimes referred to as device-based authentication, this can be any physical object, such as a security key, smartphone, smart card, USB drive or token. A token device, for example, can create a time-based PIN or compute a response to a security challenge.
  3. Something You Are – any part of the human body that can be used for authentication, such as fingerprints, facial recognition, retina or iris scans, voice verification, palm scanning or even gait characteristics, unique to the way an individual walks. All of these are forms of biometric authentication. 
Factors of authentication: Something You Know, Something You Have, Something You Are

How does biometric authentication work? 

From an end user’s perspective, it’s quite simple. Any device equipped with a fingerprint scanner or facial recognition software can be used to scan, match and validate your identity. During device setup or account registration, the system captures multiple images of your fingerprint or face at various angles and distills them into a template; it is this template, not the raw images, that is stored and matched against later.

After registration, logins are as quick as a touch or a gaze. If biometrics match, the device or account is unlocked instantly. The employee or customer experience is seamless and easy. But under the hood, biometric authentication involves complex computations. Here’s how it works:

  1. Facial authentication
    Facial verification software maps a set of nodal points (commonly cited as 80 to 90) across facial features, including the nose, cheekbones, jawline and even the depth of the eye sockets. The mathematical analysis of those points is turned into a numerical representation called a faceprint or template, and matching is done against the template. A well-designed system resists flat photos and video replays because it captures depth rather than a 2D image: Apple’s TrueDepth camera, for example, projects an infrared dot pattern to build a 3D map of the face. A system that relies on an ordinary 2D camera without liveness detection does not get this protection.
  2. Fingerprint authentication
    Fingerprint matching compares minutiae, the points where a ridge ends or splits. Depending on the biometric reader, a scan may yield around 30 usable minutiae. A commonly cited rule of thumb drawn from the FBI’s century of fingerprint records is that no two individuals share more than eight minutiae, which makes fingerprint matching highly accurate. It is strong, but not hacker-proof: a small consumer sensor captures only part of the print, and every matcher has a non-zero false accept rate (Apple, for example, publishes roughly 1 in 50,000 for Touch ID).
  3. Voice ID
    Voice authentication (or voice biometry) identifies a person based on the tone, pitch, frequencies and other distinctive characteristics of the voice. This form of biometrics is most commonly used in call centers. Because a recording or synthesized speech can reproduce those characteristics, production voice systems need replay and anti-spoofing detection; alternatively, a fingerprint or facial scan on the caller’s mobile device can be used to achieve the same objective over the phone. 
  4. Retina or iris scans
    These are two different techniques. Iris recognition uses near-infrared illumination and a camera that can see infrared to capture the texture of the iris; retina scanning maps the blood vessel pattern at the back of the eye. Both produce a highly accurate biometric template. Both are harder to deploy than fingerprint or face, since they require an infrared light source, an IR-capable camera and minimal light pollution.
  5. Other types of biometrics
    Emerging biometric technologies include palm vein recognition and gait recognition, among others. Palm vein scanners map the vein pattern in the palm using infrared light. Gait recognition analyzes details in the way someone walks. These types of biometrics might be considered for verifying employee access to high-security facilities; neither is a viable or necessary option for customer authentication.

Is biometric authentication secure?

Biometric authentication, done well, is considerably more secure than traditional forms of authentication such as passwords, knowledge-based questions and one-time passcodes (OTPs), all of which can be guessed or phished. The comparison with tokens is less one-sided than it first appears: a token can be lost or stolen, but it can also be revoked and replaced, whereas a compromised biometric cannot be changed. The strongest deployments therefore combine the two, using the biometric to unlock a private key that never leaves the device (something you are unlocking something you have). 

The level of security offered by biometrics will vary, depending on the implementation. At Transmit Security, we recommend biometric authentication that’s FIDO2 certified. FIDO (Fast Identity Online) is an industry standard that uses public key cryptography and other protocols to strengthen passwordless authentication across websites and apps. 

FIDO-certified solutions are designed to protect user privacy at every turn. Keys are generated separately for each relying party, so a credential issued to one site cannot be used to track the user across services, and the biometric data itself never leaves the end user’s device. Because FIDO is a decentralized model, the biometric is matched locally against the template enrolled on that device; the relying party only ever receives a signed challenge, never the biometric. This means there’s no central database of biometric templates that hackers can target. 

FIDO2, the newest set of FIDO specifications, pairs the W3C WebAuthn API, which lets a website or app request and use credentials through the browser or platform, with the Client-to-Authenticator Protocol (CTAP), which carries those requests to an external authenticator such as a security key. Together they drive adoption across websites, browsers, apps and devices. 

And since the authenticator generates a unique key pair for each account at each relying party, with the private key held on the device and every signature bound to the site’s origin and to a one-time server challenge, FIDO2 largely eliminates phishing, stolen credentials and replay as routes to account takeover. 

Biometric recognition vs. biometric verification

In an ongoing privacy debate, some people worry biometrics could be used by governments or other powerful actors to monitor private citizens. This is why it’s important to understand how biometric recognition differs from biometric verification (aka device biometrics). Recognition is a one-to-many search: a camera captures a face and compares it against a database of many people to work out who you are, as when you walk past a security camera that can immediately identify “you”. Verification is a one-to-one match: the device compares a fresh scan against the single template you enrolled on it and answers yes or no, validating an expected credential. In the verification case the template stays on the device, there is no central database, and the relying party never receives the biometric, only a signed challenge, so the match itself carries no information that can be linked to an identity elsewhere. 
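The one-to-many and one-to-one cases also differ in how often they accept the wrong person, which is worth quantifying. The following short derivation is added here and is not part of the original article; the false accept rate used is an assumed illustrative value, not a figure for any particular product. If one 1:1 comparison accepts an impostor with probability $p$ (the false accept rate) and comparisons against different templates are treated as independent, an impostor searched against $N$ enrolled templates is wrongly matched to at least one of them with probability

$$P_{\text{any}}(N) = 1 - (1 - p)^N \approx N p \quad \text{for } N p \ll 1 .$$

With an assumed $p = 10^{-5}$, a 1:1 verification admits an impostor about once in 100{,}000 attempts, a search against $N = 1{,}000$ templates does so about once in 100 ($1 - (1 - 10^{-5})^{1000} \approx 1 - e^{-0.01} \approx 0.01$), and a search against $N = 10^{6}$ templates almost always returns some false match ($1 - e^{-10} \approx 0.99995$). Keeping the match one-to-one on the user’s own device, as FIDO does, avoids this growth entirely.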

Use cases of biometric authentication

The pandemic has accelerated all digital activity—from online banking and electronic payments to ecommerce, telemedicine and telecommuting. Organizations are transforming their identity verification processes to incorporate fingerprint and facial verification as a key security feature. With the explosive growth of built-in biometric scanners and the demand for better user experiences, it is easier than ever to implement biometrics across both web and native applications. 

Abandon passwords completely

Passwords are on their way to irrelevance. The weak credential solarwinds123, found exposed in a public repository, came to light during the investigation of the SolarWinds supply-chain breach, one of the most far-reaching in history; whether or not it was the entry point, it shows that training employees (and interns) to choose stronger passwords is not enough. We’ve tried one-time passcodes (OTPs), security questions and other forms of multi-factor authentication (MFA). But MFA built on shared secrets is still vulnerable to man-in-the-middle attacks (a phishing page that relays the code in real time), device impersonation, replay attacks and other threats.

Customers want ease

Another reason to get rid of passwords: the identity experience is painful, and it’s hurting your business. With so many accounts, passwords are hard to remember. According to MasterCard, online retailers lose a third of all sales at checkout as a result of failed logins. Forgotten credentials also increase customer service costs since up to 40% of support calls are password resets, according to Gartner. 

Biometric authentication on the rise in 2021

According to Visa, 86% of consumers are interested in using biometrics. Soon every smartphone, tablet, laptop and desktop will be equipped with robust biometrics that make authentication easier and more broadly accepted. We now have the biometric IT ecosystem to empower users with secure and easy access to all of their accounts.

Customers prefer an identity experience that’s consistent and effortless. See why end users and companies love our FIDO2-certified biometric authentication: BindID