Biometrics: Why Are They Needed and Top Practical Applications

Biometrics plays a crucial role in identity and access management. This article explores this authentication method in great detail, why we need it, its challenges and possible applications in everyday life.

September 13, 2022

Companies have relied on passwords to secure their data and assets for a long time. But passwords alone have grown less effective: stolen password hashes can be cracked offline ever faster, and phished or reused credentials bypass the password entirely. Consequently, a stronger authentication technique is required, and biometrics is one such method. This article delves into biometrics, discussing its challenges, its applications, and why we need it as an additional authentication factor. Read on.

Biometrics is an authentication factor that uses a person's physical attributes or behavior to identify a user. Several characteristics can be measured, but not all provide the same level of protection for an organization's resources, and not all scanning technologies suit every business environment.

In this article, we examine each approach to measuring biometric characteristics, the challenges with each, and the role of biometrics in overall identity management.

Why do we need biometrics?

For decades, organizations relied on passwords to protect information resources. However, faster offline cracking of stolen password hashes, combined with password reuse and phishing, has made passwords weak protection on their own, as NIST describes in its password guidelines.

The need for something more led to other approaches and to grouping all authentication factors into three types.

Type I – Something you know (passwords, PINs, passphrases, etc.)

Type II – Something you have (token, certificate, one-time password generator, …)

Type III – Something you are (biometrics: fingerprint, vein pattern, iris pattern, …)

Each type has advantages and disadvantages, and any one of them used alone often leaves more than acceptable risk when protecting highly sensitive systems and data, making two or more factors necessary.

Biometrics is just one factor, a factor that has challenges of its own. Consequently, it is not an authentication silver bullet, often requiring an additional factor, depending on solution characteristics and the risk you are trying to mitigate.


The Biometrics Challenges

Before looking at specific biometrics solutions, it is essential to understand their common characteristics and challenges, including error rates, effectiveness, advantages, and disadvantages.

Error rates

First, each biometrics solution has three associated error rates, as shown in Figure 1. The false rejection rate (FRR), also called the Type I error rate, is the rate at which the system fails to verify the identity of an authorized user. The false acceptance rate (FAR), the Type II error rate, is the rate at which the system accepts an unauthorized user (or an artifact) as an enrolled user. The crossover error rate (CER), also known as the equal error rate, is the operating point at which FAR and FRR are equal; it is the usual single-number summary for comparing solutions.


Figure 1: Biometrics Error Rates

As we raise the matching threshold, that is, require a closer match between the live scan and the stored template, the FRR rises and the FAR falls. In other words, as we try harder to keep unauthorized users from being authenticated, we frustrate our own users and reduce their productivity by increasing the number of times an authorized user fails to authenticate.

The CER varies across the characteristics measured and the available vendor solutions. When selecting a solution, it is crucial to understand the risk associated with each error rate and choose the operating point that fits the specific application within your organization.
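To make the FAR/FRR trade-off concrete, here is an added example (not from the article or any vendor) that sweeps a matching threshold over constructed genuine and impostor match scores, reports FRR and FAR at each threshold, locates the crossover point, and finds the threshold that satisfies a FAR ceiling. The score values, the 0-100 scale and the 10% FAR policy are assumptions; a real evaluation draws these scores from a test population.

```python
"""Added example (not from the article): computing FRR, FAR and the
crossover error rate (CER) for a biometric matcher from constructed
similarity scores.  Real deployments collect these scores from a test
population; the numbers below are made up to illustrate the trade-off."""

# Constructed match scores in [0, 100] produced by a hypothetical matcher.
# Genuine attempts: the enrolled user scanning their own finger.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]
# Impostor attempts: other people (or artifacts) presented as that user.
IMPOSTOR_SCORES = [12, 18, 25, 31, 38, 44, 52, 59, 67, 73]


def frr(threshold, genuine=GENUINE_SCORES):
    """Type I error: fraction of genuine attempts rejected (score < threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Type II error: fraction of impostor attempts accepted (score >= threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def sweep(thresholds=range(0, 101, 5)):
    """FRR and FAR at each candidate threshold, as (threshold, frr, far) tuples."""
    return [(t, frr(t), far(t)) for t in thresholds]


def crossover(thresholds=range(0, 101)):
    """Threshold where |FAR - FRR| is smallest, and the error rate there (the CER)."""
    best = min(thresholds, key=lambda t: (abs(far(t) - frr(t)), t))
    return best, (far(best) + frr(best)) / 2


def threshold_for_max_far(max_far, thresholds=range(0, 101)):
    """Lowest threshold that keeps FAR at or below a policy ceiling, together
    with the FRR users will experience at that threshold."""
    for t in thresholds:
        if far(t) <= max_far:
            return t, frr(t)
    return None


if __name__ == "__main__":
    for t, r, a in sweep():
        print(f"threshold {t:3d}: FRR {r:.2f}  FAR {a:.2f}")
    t, cer = crossover()
    print(f"crossover at threshold {t}: CER {cer:.2f}")
    print("lowest threshold with FAR <= 10%:", threshold_for_max_far(0.10))
```

With these constructed scores the crossover sits at threshold 67 with a CER of 20%; tightening to keep FAR at or below 10% already rejects one genuine attempt in five, which is the productivity cost the text describes.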

Environment

The placement of sensors is an important consideration. For example, fingerprint sensors that require placing a finger on a surface are not a good solution for many manufacturing environments. Ambient oil and other substances find their way onto fingers and sensor surfaces, causing error rates to spike.

Further, environmental conditions can affect the characteristics scanned. Abdarahmane Wone et al. documented research in which they found evidence that features captured under environmental conditions different from those present when the person enrolled in the biometrics system appeared different to the scanners. Enrollment is covered later in this article.

Environmental considerations are important and should be discussed with any vendor presenting a solution for review.

User and management acceptance

It is not just picking the wrong solution that can cause your biometrics efforts to circle the drain. Failure is likely if you lose management support or users simply refuse to use it.

One of the biggest reasons users resist biometrics is the belief that the organization collects and stores images of their fingerprints, faces or other physical characteristics. We must tell users how the process works, that what is stored is a derived template rather than the image itself, and how that information is protected.

Another challenge involves cultural norms that vary from country to country and between cultures, affecting what individuals view as acceptable. Organizations must understand what resistance there might be to body part scanning and plan authentication efforts accordingly.

Managers begin to join other users in biometrics resistance when the implemented solutions hinder production through repeated authentication attempts or failures to recognize scans. Properly tuning your error rates, correctly assessing what works and what does not within specific work environments, and providing quick workarounds when biometrics fail all help prevent managers and employees from storming your office in a biometrics revolt.

The Biometrics Processes

There are two basic biometrics processes: enrollment and authentication.

Enrollment

Before an employee uses a biometrics solution for authentication, the organization must enroll him. Figure 2 shows a general enrollment process.

After the administrator creates an Active Directory account for the new hire, she begins the biometrics enrollment process.


Figure 2: Enrollment

  1. The new employee uses the relevant scanner or other input device and follows the required process to provide the required physical characteristic.
  2. The captured data passes through an algorithm that converts it into a reference template, a value used for comparison against future authentication scans.
  3. The template is stored in the employee’s Active Directory account. The stored value is usually specific to the biometrics algorithm used, and the actual fingerprint, iris image or other raw pattern is not stored. This does not mean that theft of the template is harmless: a stolen template can be replayed or used to impersonate the victim against any system using the same algorithm, so templates need the same protection as other credentials.

Authentication

Figure 3 shows that using the reference template for authentication is straightforward.


Figure 3: Biometrics Authentication

  1. The user scans the characteristic, and the sensor sends the data to the template creation algorithm.
  2. The newly created template is sent to the verification algorithm.
  3. The verification algorithm retrieves the template stored during enrollment and compares it to the new template.
  4. If the two templates match closely enough (the comparison is statistical, never an exact equality), the user is authenticated.
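The enrollment flow of Figure 2 and the authentication flow of Figure 3 reduced to code, as an added example that is not from the article or any vendor. The "scans" are constructed feature vectors standing in for a sensor's measurements, the template algorithm (a normalized, rounded vector), the cosine match score and the 0.90 acceptance threshold are all assumptions chosen for illustration. The last function shows why a template cannot simply be salted and hashed like a password: two genuine scans of the same finger differ slightly, so their hashes never agree, and the verifier must hold a template it can compare statistically. That is what makes template theft the risk described in step 3.

```python
"""Added example (not from the article): enrollment and authentication with
reference templates.  Feature vectors, template algorithm, match score and
threshold are illustrative assumptions, not any vendor's implementation."""

import hashlib
import math

MATCH_THRESHOLD = 0.90   # assumption: cosine similarity required to accept

# Constructed sensor output (six made-up feature values per scan).
ENROLL_SCAN = [40, 35, 52, 28, 61, 47]      # alice, at enrollment
LIVE_SCAN = [42, 33, 50, 30, 60, 48]        # alice, later scan of the same finger
IMPOSTOR_SCAN = [15, 60, 20, 55, 25, 70]    # someone else presenting as alice


def make_template(scan):
    """Enrollment step 2: convert raw sensor features into a reference template.
    Here: unit-length vector of rounded features; the raw scan is discarded."""
    norm = math.sqrt(sum(v * v for v in scan))
    return tuple(round(v / norm, 3) for v in scan)


def match_score(template_a, template_b):
    """Cosine similarity between two templates; 1.0 means identical."""
    return sum(a * b for a, b in zip(template_a, template_b))


def enroll(directory, user, scan):
    """Enrollment step 3: store only the template in the user's directory record."""
    directory[user] = {"template": make_template(scan)}


def authenticate(directory, user, scan, threshold=MATCH_THRESHOLD):
    """Authentication steps 1-4: template the live scan and compare it
    statistically against the stored template."""
    record = directory.get(user)
    if record is None:
        return False
    return match_score(record["template"], make_template(scan)) >= threshold


def hash_matches(scan_a, scan_b):
    """Why templates cannot be protected like password hashes: a one-way hash
    of two slightly different genuine scans never matches."""
    def digest(scan):
        return hashlib.sha256(repr(make_template(scan)).encode()).hexdigest()
    return digest(scan_a) == digest(scan_b)


if __name__ == "__main__":
    directory = {}
    enroll(directory, "alice", ENROLL_SCAN)
    print("genuine accepted:", authenticate(directory, "alice", LIVE_SCAN))
    print("impostor accepted:", authenticate(directory, "alice", IMPOSTOR_SCAN))
    print("hash of two genuine scans equal:", hash_matches(ENROLL_SCAN, LIVE_SCAN))
```

With the constructed vectors the genuine later scan scores about 0.999 and is accepted, the impostor scores about 0.81 and is rejected, and the hashes of the two genuine scans differ even though the matcher treats them as the same finger.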

How biometrics systems are attacked

The UK National Cyber Security Centre (NCSC) describes different approaches to attacking biometrics.

  • Presentation attacks use an artifact, something made to mimic the relevant biometric of a user, to authenticate as an enrolled user.
  • Sensor output interception, as it sounds, captures the sensor's output (the raw sample or the template derived from it) on its way to the verifier and replays it during a later attack.
  • Reference and database vulnerabilities give unauthorized access to stored reference templates, which also enables replay: malware can supply an enrolled user's template to the verifier when required.
  • The integrity of enrollment is compromised when a threat actor can enroll under an authorized user's identity with a scan of the threat actor instead. The NCSC’s example describes an enrollment record that contains the biometrics data of two individuals, the authorized user’s right hand and the threat actor’s left hand.
  • System attacks target the systems that support biometric authentication (directory, workstation, network), opening multiple threat vectors.
  • Denial of service attacks can benefit a threat actor in one of two ways. First, if no fallback authentication method exists, the threat actor can simply take down the biometrics system and deny access. Second, if a fallback does exist (and one always should) and it has known vulnerabilities, the threat actor can cause a DoS for the biometrics solution and then use the weaker fallback to gain access.
  • Insider threats can work alone or in collaboration with outside threat actors to leverage any of the threat vectors listed, or new ones as threat actor creativity allows.
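The sensor output interception and replay items above, as an added example that is not from the article or the NCSC: a verifier that trusts whatever arrives on the sensor wire accepts a captured message a second time, while a verifier that issues a single-use random challenge and requires the trusted sensor to MAC the challenge together with the template rejects both the replay and a forgery built from a stolen template. The sensor key, the message layout (16-byte nonce, template, 32-byte tag) and the template bytes are assumptions for illustration; a real deployment would keep the key in the sensor's secure element and use the vendor's wire format.

```python
"""Added example (not from the article): replaying captured sensor output
against a naive verifier, and a challenge-bound verifier that defeats it.
Key, message layout and template bytes are illustrative assumptions."""

import hashlib
import hmac
import secrets

# Constructed: the template an enrolled user's finger produces, and the key
# provisioned into the (trusted) sensor hardware at installation time.
ENROLLED_TEMPLATE = b"template-bytes-for-alice"
SENSOR_KEY = b"\x01" * 32
NONCE_LEN, TAG_LEN = 16, 32


class NaiveVerifier:
    """Accepts whatever arrives from the sensor; anything captured once can be replayed."""

    def __init__(self, template):
        self.template = template

    def verify(self, message):
        return hmac.compare_digest(message, self.template)


class ChallengeVerifier:
    """Issues a fresh random challenge per attempt and requires the sensor to MAC
    the challenge together with the template.  Each challenge is accepted once."""

    def __init__(self, template, sensor_key):
        self.template = template
        self.key = sensor_key
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(NONCE_LEN)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, message):
        nonce, template, tag = (message[:NONCE_LEN],
                                message[NONCE_LEN:-TAG_LEN],
                                message[-TAG_LEN:])
        if nonce not in self.outstanding:
            return False                     # unknown or already used challenge: replay
        self.outstanding.discard(nonce)      # single use, even if the MAC turns out bad
        expected = hmac.new(self.key, nonce + template, hashlib.sha256).digest()
        return (hmac.compare_digest(tag, expected)
                and hmac.compare_digest(template, self.template))


def sensor_response(nonce, template, sensor_key=SENSOR_KEY):
    """What the trusted sensor puts on the wire after a live scan."""
    tag = hmac.new(sensor_key, nonce + template, hashlib.sha256).digest()
    return nonce + template + tag


def replay_against_naive():
    """Attacker captures one legitimate message and resends it: accepted again."""
    verifier = NaiveVerifier(ENROLLED_TEMPLATE)
    captured = ENROLLED_TEMPLATE             # naive sensor sends the bare template
    first = verifier.verify(captured)        # legitimate attempt
    return first, verifier.verify(captured)  # replay of the same bytes


def replay_against_challenge():
    """Capture-and-replay, then a forgery from a stolen template, against the
    challenge-bound verifier: (legitimate, replay, forged) outcomes."""
    verifier = ChallengeVerifier(ENROLLED_TEMPLATE, SENSOR_KEY)
    captured = sensor_response(verifier.challenge(), ENROLLED_TEMPLATE)
    first = verifier.verify(captured)        # legitimate attempt: accepted
    replay = verifier.verify(captured)       # same bytes again: nonce already consumed
    # Attacker holds the stolen template but not the sensor key, so cannot
    # answer a fresh challenge with a valid tag.
    forged = verifier.challenge() + ENROLLED_TEMPLATE + b"\x00" * TAG_LEN
    return first, replay, verifier.verify(forged)


if __name__ == "__main__":
    print("naive  (legit, replay):", replay_against_naive())
    print("bound (legit, replay, forged):", replay_against_challenge())
```

The challenge must be consumed before the MAC is checked, otherwise an attacker could keep retrying against the same nonce; and the nonce set should expire entries in a real implementation so that abandoned challenges do not accumulate.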

Not all biometrics solutions are susceptible to all of these attack vectors. In any case, the following section provides ways to strengthen each type of biometrics. The key takeaway, however, is that biometrics is not a completely safe authentication factor; the risk depends on the characteristic measured, the quality of the sensors, and the matching algorithms.

Types of Biometrics Authentication Methods

Fingerprint recognition

According to Encyclopedia Britannica, a fingerprint is the collection of papillary ridges on the ends of the fingers and thumbs that enable us to grasp objects securely. The arrangement of these ridges, as shown in Figure 4, differs between individuals, providing unique identification.


Figure 4: Fingerprint Patterns (Encyclopedia Britannica)

Although there have been some claims that fingerprints are not unique, there is no credible evidence to support these claims. However, it is not difficult to create artifacts that defeat fingerprint solutions that only check for ridge patterns without checking whether the pattern is part of a living person.

Organizations can strengthen fingerprint recognition with liveness detection, for example by

  • Optical spectrum analysis that identifies characteristics specific to living skin
  • Measuring the electrical properties of what is presented to the scanner, such as capacitance or conductivity, which differ between a live finger and most inanimate artifacts
  • Measuring the blood oxygen level or pulse in the presented finger, which also confirms a live human

Facial recognition

As shown in Figure 5, humans have a set of facial characteristics that organizations can use to authenticate their identities. 2D scanning includes

  • Distance between the eyes
  • Width of the nose
  • Depth of the eye sockets
  • Shape of the cheekbones
  • Length of the jawline

Figure 5: Biometrics Characteristics (TechSmith Assets)

Facial recognition does not require physical contact with the scanner. Users can often just simply sit in front of a device for facial recognition, requiring no special interaction.

Facial recognition, like fingerprint recognition, can be forged with facial artifacts created by threat actors, artifacts created using photographs or other media. The use of artifacts to bypass recognition is known as a presentation attack.

When evaluating a solution, one of the first things an organization should consider is its ability to defend against presentation attacks, that is, to confirm that a live human face rather than an image is in front of the camera. According to Kevin Bonsor and Ryan Johnson, one approach is 3D scanning that looks at additional characteristics, like the curves of the eye socket, nose, and chin. Another is the use of video capture algorithms that detect nodding and blinking.

Hand/finger recognition

Stephen Mayhew writes that hand geometry “is the longest implemented biometric type, debuting in the market in the late 1980s.” However, the hand is not distinctive enough to serve as a strong biometric authenticator in most solutions.

Hand scanning devices measure an individual’s hand length, width, thickness, and surface area, capturing images of both the hand’s top and side. 

Iris and Retina Recognition

Eye characteristics are unique, but iris and retina scans are not equally resistant to presentation attacks.

The iris, as shown in Figure 6, is the colored area around the pupil. Each person’s iris is as unique as their fingerprint, and users often do not need to touch a scanner to authenticate. Another advantage is the lack of change over time in the iris patterns. However, iris artifacts can be created, making live-eye detection or a second authentication factor necessary for high-risk situations.


Figure 6: Iris (By Smhossei – Own work, CC BY 3.0)

Retina scans are intrusive, requiring a harmless low-intensity light to be shone into the eye to image the blood vessel pattern on the retina. Figure 7 is an artist’s interpretation of the patterns inside the eye. This intrusion can cause users to refuse to use the scanner. An upside, however, is that it is as yet impractical for a threat actor to rely on an artifact during a retina scanning attack.


Figure 7: Retinal Blood Vessel Pattern (Retina Associates)

Eye scans are fast with low error rates. However, they can be costly for general use across an organization and are more suitable for high-risk areas than for everyday access.

Vein recognition

Vein recognition, also known as vascular biometrics, is very accurate, nearly impossible to fool with artifacts, fast, and falling in cost, making it a good alternative to fingerprint recognition. It uses the subcutaneous blood vessels of the human body, which form patterns unique to each individual; scanners typically image the fingers or the palm for authentication.


Figure 8: Vein Recognition (Parihar & Jain)

Behavior recognition

Although behavior recognition solutions are generally considered relatively weak, they can be used as part of zero-trust access control, providing periodic verification of a user without any pause in their tasks. Keystroke dynamics and voice recognition are two common approaches.

Keystroke dynamics uses a software agent on the user’s device. The agent measures overall typing speed, variations in how the user moves between keys (flight time), common typing errors, and the length of time keys are held down (dwell time). Solutions that continuously assess typing patterns provide ongoing verification during the entire time a user is authenticated.
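The keystroke dynamics idea reduced to two timing features, as an added example that is not from the article or any product: dwell time (how long a key is held) and flight time (the gap between one key's release and the next key's press) are averaged per typing sample, a per-user profile of mean and standard deviation is built from several enrollment samples, and later samples are scored by distance from that profile so the agent can keep verifying the user without interrupting them. The key event logs, the two-feature model and the decision threshold are constructed assumptions; real agents use many more features and per-key-pair statistics.

```python
"""Added example (not from the article): keystroke dynamics with dwell and
flight time features, an enrollment profile, and a continuous-verification
decision.  All key event timings are constructed for illustration."""

import statistics

# Constructed key events: (key, press_ms, release_ms) for the word "secure",
# three enrollment sessions from the same user.
ENROLL_SESSIONS = [
    [("s", 0, 95), ("e", 140, 230), ("c", 290, 380), ("u", 430, 520), ("r", 575, 665), ("e", 710, 800)],
    [("s", 0, 100), ("e", 150, 240), ("c", 300, 395), ("u", 445, 535), ("r", 585, 680), ("e", 730, 820)],
    [("s", 0, 90), ("e", 135, 225), ("c", 280, 370), ("u", 420, 505), ("r", 560, 650), ("e", 700, 790)],
]
# The same user, later in the day.
LATER_SESSION = [("s", 0, 92), ("e", 145, 235), ("c", 290, 382), ("u", 430, 520), ("r", 572, 662), ("e", 708, 798)]
# Someone else at the same keyboard: long holds, very fast transitions.
OTHER_SESSION = [("s", 0, 160), ("e", 170, 330), ("c", 340, 500), ("u", 510, 670), ("r", 680, 840), ("e", 850, 1010)]


def features(events):
    """Mean dwell time and mean flight time (ms) for one typing sample."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return statistics.mean(dwell), statistics.mean(flight)


def build_profile(sessions):
    """Enrollment: mean and standard deviation of each feature across sessions."""
    dwells, flights = zip(*(features(s) for s in sessions))
    return {
        "dwell": (statistics.mean(dwells), statistics.stdev(dwells)),
        "flight": (statistics.mean(flights), statistics.stdev(flights)),
    }


def anomaly_score(profile, events):
    """Sum of absolute z-scores against the profile; 0 means typing exactly like it."""
    dwell, flight = features(events)
    score = 0.0
    for name, value in (("dwell", dwell), ("flight", flight)):
        mean, sd = profile[name]
        score += abs(value - mean) / max(sd, 1.0)   # floor sd so a tight profile cannot divide by ~0
    return score


def still_the_user(profile, events, max_score=6.0):
    """Continuous-verification decision for one sample; the threshold is an assumption."""
    return anomaly_score(profile, events) <= max_score


if __name__ == "__main__":
    profile = build_profile(ENROLL_SESSIONS)
    for label, session in (("later", LATER_SESSION), ("other", OTHER_SESSION)):
        print(label, round(anomaly_score(profile, session), 2), still_the_user(profile, session))
```

The later sample from the enrolled user scores well under 1, while the other typist scores above 70 and would trigger a re-authentication challenge; in practice the threshold is tuned on a test population exactly as the FAR/FRR trade-off earlier in the article describes.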

Voice recognition uses a user’s voice print for authentication. Threat actors can often capture voice samples, splice together any phrases they need, and launch a successful presentation attack.


Biometrics comparisons

The descriptions above are general statements about the different biometrics approaches. They, and the comparison information in Table 1, depend on emerging technologies and on differences between solution vendors. It is essential to ask the right questions. Know what you are getting.


Table 1: Biometrics Comparisons

Final thoughts

Biometrics can be a practical, easy-to-use authentication factor. However, not all environments are suited for every approach. Before selecting a solution, understand the environment in which it will operate, and the daily condition of the physical characteristics scanned, avoiding issues like fingers covered with oil or other substances. You might need more than one solution, each fitted to its operating environment and the risk associated with accessed resources.

One of the biggest challenges you will face is user non-acceptance based on privacy concerns. Management at all levels must understand and support the effort. Users must be trained and understand why something new is entering their work habits and the steps taken to protect their privacy.

One way to get managers and other employees on board is to involve them in the decision-making processes, starting with the review of the risk assessment, through requirements definitions and feasibility studies, to the selection of the final solution (or solutions).



Tom Olzak

Cybersecurity Researcher, Author & Educator

Independent security researcher and an IT professional since 1983, with experience in programming, network engineering, and security. I have an MBA as well as CISSP certification. I am also an online instructor for the University of Phoenix. I've held positions as an IS director, director of infrastructure engineering, director of information security, and programming manager at a variety of manufacturing, healthcare, and distribution companies. Before joining the private sector, I served 10 years in the United States Army Military Police with four years as a military police investigator. I've written four books, Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide. I am also the author of various papers and articles on security management.