Biometric authentication is a security process that compares a live measurement of a person’s physical or behavioural characteristics against a stored reference (a biometric template) to grant access to buildings, applications, systems and more.
For many of us, biometric authentication has become a part of everyday life. From unlocking your phone to checking in and out of the office, biometric authentication solutions are being rolled out across a wide range of everyday applications.
With cybercrime, fraud and identity theft on the rise, it’s more important than ever for businesses to help customers and employees prove their identity, and biometric authentication, properly implemented, has become one of the strongest and most convenient factors available.
Of course, authentication is not a new concept. For many years, we have been required to authenticate that we are who we say we are, most typically through the use of a password. With a focus on security, businesses are now turning to more secure methods of verifying someone’s identity before granting them access to a system, network or building.
Traditional Authentication Methods
While biometric authentication is becoming more mainstream, the cost of a full roll-out can be prohibitive, especially for businesses with large workforces, so traditional authentication methods are still used by most businesses worldwide.
Biometrics offer an additional factor, and many businesses are adding authentication steps for greater security, especially for access to the company network. Two-factor authentication (2FA) or multi-factor authentication (MFA) are now commonplace in businesses around the world, adding a second factor to systems that have typically relied on a password alone.
Here are some examples of the most common authentication methods used for network security:
By far the most widely used method of authentication is the username and password combination. Users are given a unique identifier when they join a company (the username) and are required to set a password for that account. The system should never store the password itself, only a salted, slow hash of it (bcrypt, scrypt, Argon2 or PBKDF2), so that a stolen credential database still has to be attacked by guessing one password at a time.
The big problem from a security perspective is that individuals choose their own passwords, and weak or reused passwords are a common point of compromise on the network. Companies have responded by enforcing password criteria; the evidence, and current NIST guidance in SP 800-63B, favours a minimum length and screening against lists of breached or common passwords over special-character composition rules, which mostly produce predictable substitutions.
Password management is also time consuming for network administrators, between forgotten-password resets and the growth of remote working, which means access to the network is now routinely requested from many locations and IP addresses rather than from inside the office.
A popular form of 2FA or MFA, token-based authentication adds a second factor in the form of something the user possesses: a hardware token such as a dongle, smart card, key fob or RFID chip, or, more typically today, an authenticator app on a mobile device, desktop or laptop that generates time-based one-time codes (TOTP, RFC 6238).
The additional layer means an attacker needs both the account credentials (username and password) and the token itself, which is much harder to obtain remotely. The caveat is that one-time codes, whether from an app or an SMS, can still be phished in real time by a relay site that forwards them to the genuine service; only authenticators bound to the site’s origin, such as FIDO2/WebAuthn security keys, resist that attack.
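To make the password and token-based checks above concrete, here is an added example of how a server might verify both factors. It is not code from the original post or from any vendor: the breached-password list, passphrase and timestamps are constructed for illustration, PBKDF2-HMAC-SHA256 is one reasonable choice of slow hash among several, and the one-time code is TOTP per RFC 6238 (HOTP per RFC 4226 underneath), so the functions reproduce the RFC test vectors.

```python
import base64
import hashlib
import hmac
import os
import secrets
import struct

# ---- Factor 1: something you know (password) ------------------------------
PBKDF2_ITERATIONS = 600_000  # slow hash; the cost is paid by the server, not the user
# Constructed stand-in for a breached-password list. A real deployment screens
# against a large corpus (e.g. the Have I Been Pwned set), not four entries.
BREACHED_PASSWORDS = {"password", "password1234", "123456789012", "qwertyuiop12"}


def password_acceptable(pw: str, min_len: int = 12) -> bool:
    """Policy check at set-password time: minimum length plus breach screening,
    rather than special-character composition rules."""
    return len(pw) >= min_len and pw.lower() not in BREACHED_PASSWORDS


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); the password itself is never written down."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# ---- Factor 2: something you have (authenticator app, TOTP per RFC 6238) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock skew;
    anything older is a stale (possibly replayed) code."""
    code = code.strip()
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))


def enrol_totp() -> tuple:
    """Generate the shared secret; the base32 form is what goes into the QR code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


# ---- Putting both factors together ----------------------------------------
def create_user(pw: str, totp_secret: bytes) -> dict:
    if not password_acceptable(pw):
        raise ValueError("password rejected by policy")
    salt, digest = hash_password(pw)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def login(record: dict, pw: str, code: str, now: int) -> bool:
    """Both factors are always evaluated, so a failure does not tell the
    caller which one was wrong."""
    pw_ok = verify_password(pw, record["salt"], record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    secret, b32 = enrol_totp()
    user = create_user("alpine-meadow-kettle-7", secret)  # constructed passphrase
    now = 1_700_000_000  # constructed timestamp
    print("valid login :", login(user, "alpine-meadow-kettle-7", totp(secret, now), now))
    print("stale code  :", login(user, "alpine-meadow-kettle-7", totp(secret, now - 120), now))
```

The one-step skew window is the usual compromise between clock drift on the phone and the replay window handed to an attacker; a production verifier would also record the last accepted counter so the same code cannot be used twice, and would rate-limit attempts.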
Often described as an early form of 2FA, knowledge-based authentication asks the user for their account credentials plus the answer to one or more personal questions. We will all be familiar with questions like ‘What is your mother’s maiden name?’ and ‘What was the name of your first pet?’. Strictly, this is not a second factor at all, since both the password and the answer are things the user knows, and the answers are frequently discoverable from social media, public records or earlier data breaches, which lets an attacker impersonate the individual. Current NIST guidance (SP 800-63B) does not recognise security questions as an authenticator.
Out-of-band authentication is the term for a process where the second factor is delivered or confirmed over a separate channel from the one carrying the login session. SMS-based out-of-band authentication is among the most popular methods in this category: a one-time code is sent by SMS (text message) to the user’s registered phone number.
While this technique is more secure than a password alone, NIST SP 800-63B classifies SMS and voice-call (PSTN) out-of-band authentication as a restricted authenticator because of its weaknesses: codes can be intercepted through SIM-swap fraud or SS7 network attacks, read off a lock screen, and phished in real time by a man-in-the-middle relay site. Organisations using it are expected to assess that risk and offer a stronger alternative.
What is biometric authentication?
Unlike passwords, keys and RFID badges, biometric markers cannot be forgotten or mislaid, and a live finger or face is harder to borrow than a badge. They are not secrets, though: a face is visible to anyone and a fingerprint is left on every surface touched, and presentation attacks using photographs, masks or moulded prints do exist, which is why a serious deployment pairs the sensor with liveness detection (presentation attack detection, ISO/IEC 30107). No security measure is completely safe from attackers, but a well-implemented biometric offers a layer within a network that is very difficult to exploit remotely and one that is often convenient for the end user.
Biometrics have been used as a security solution for decades, and by the mid-2000s biometric authentication was widely seen as the future of digital security. Once thought of as something from the world of sci-fi movies, fingerprint scanning, iris scanning and facial recognition became valid identification solutions with real-world applications.
Today, the list of biometric authentication methods has grown and while some are still in their infancy, these biometric authentication methods are being explored as real-world solutions:
- Facial Recognition
- Fingerprint Recognition
- Iris Recognition
- Voice Recognition
- Retinal Scanning
- Palm Recognition
- In-Ear Acoustics
- Behavioural Biometrics
- Finger Vein Recognition
As we discussed in a recent post, What is the future of biometric identification technology, the COVID-19 pandemic has accelerated the development of many of these biometric authentication technologies and we can expect to see a much wider roll out over the next few years.
Are biometrics secure?
One of the biggest barriers to adoption has been concern about how biometric data is stored. Some of that concern rests on misconceptions about what a biometric template actually “is”, but some of it is well founded, so it is worth being precise about what is stored and what an attacker can do with it.
Take facial recognition as an example:
- When a facial recognition template is created from a face, whether live, in person or from a photograph, the biometric record is not the image. A well-designed system discards the original picture or video after enrolment and stores only the derived template. This is worth checking in any product: some systems do retain enrolment images, and a stored image is a much larger liability than a template.
- What is created (the “biometric”) is a mathematical representation of the face, typically a vector of numbers (an “embedding”) produced by the vendor’s feature-extraction algorithm. This is the facial “template”, and its format is usually specific to the facial recognition solution provider.
- A proprietary format is not, on its own, a security control. An attacker who obtains a template and has access to the vendor’s SDK, or to the same deployed matcher, can present it for comparison without any “decoding” step, and security must never depend on the algorithm staying secret (Kerckhoffs’s principle).
- Nor is reconstruction impossible in general. Published research has shown that recognisable face images can be regenerated from face embeddings by an attacker who holds the template and can query the feature extractor, and similar results exist for fingerprint minutiae templates. Irreversibility therefore has to be engineered in, not assumed. ISO/IEC 24745 sets out the properties a protected template should have: irreversibility (the biometric cannot be recovered from the stored record), unlinkability (records from different systems cannot be matched to each other) and renewability (a compromised record can be revoked and replaced with a new one derived from the same biometric).
So the fear that a leaked template simply hands an attacker a copy of your face, fingerprint or whatever the biometric happens to be is overstated for a properly protected template, but the right response is template protection, not trust in a secret algorithm: encrypt templates at rest, keep matching on the device inside a secure enclave or trusted execution environment where possible, pair the sensor with liveness detection, and use a cancelable, renewable scheme so that a leaked record can be revoked. The comparison with passwords also needs care: passwords should never be stored in clear text but as salted, slow hashes, and a weak password is broken by guessing, not by “decrypting” the hash. A biometric’s real disadvantage relative to a password is that it cannot be changed once compromised, which is exactly why the stored form must be renewable.
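The difference between storing a raw template and storing a protected, renewable one is easier to see in code. The following added example is not code from the original post or from any vendor’s product. It uses a constructed stand-in for a face embedding (a pseudo-random vector, with per-capture noise to imitate a second photo) and a BioHashing-style cancelable transform: the embedding is projected onto pseudo-random directions derived from a per-enrolment secret and only the signs are kept. It generalises the face case in the text to any vector-valued template. The enrolment keys, subjects and thresholds are assumptions chosen for illustration.

```python
import hashlib
import math
import random

DIM = 64     # embedding dimension (hypothetical; real systems use 128-512)
BITS = 128   # length of the protected (cancelable) template in bits


def constructed_embedding(subject: int, capture: int = 0, noise: float = 0.3) -> list:
    """Constructed stand-in for a face-recognition embedding.
    `subject` fixes the underlying identity; `capture` > 0 adds per-capture
    noise to imitate a different photo of the same person."""
    rng = random.Random(subject)
    base = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    if capture == 0:
        return base
    jitter = random.Random(subject * 1000 + capture)
    return [x + jitter.gauss(0.0, noise) for x in base]


def cosine(a: list, b: list) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def match_raw(stored: list, probe: list, threshold: float = 0.8) -> bool:
    """Matcher over unprotected templates: whoever holds `stored` can replay it."""
    return cosine(stored, probe) >= threshold


def protect(embedding: list, enrol_key: bytes) -> list:
    """Cancelable transform (BioHashing-style): project the embedding onto BITS
    pseudo-random directions derived from a per-enrolment secret and keep only
    the sign. A different key gives a statistically independent bit string, so
    the record is renewable and two enrolments are unlinkable; the sign-only
    output discards most of the geometry of the original vector."""
    seed = int.from_bytes(hashlib.sha256(enrol_key).digest(), "big")
    rng = random.Random(seed)
    bits = []
    for _ in range(BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
        proj = sum(d * e for d, e in zip(direction, embedding))
        bits.append(1 if proj >= 0 else 0)
    return bits


def hamming(a: list, b: list) -> int:
    return sum(x != y for x, y in zip(a, b))


def match_protected(stored_bits: list, probe: list, enrol_key: bytes,
                    max_distance: int = BITS // 4) -> bool:
    """Matcher over protected templates: the probe is transformed with the same
    enrolment key. Same person => few differing bits; different person => ~50%."""
    return hamming(stored_bits, protect(probe, enrol_key)) <= max_distance


def demo() -> dict:
    alice_enrol = constructed_embedding(subject=1)
    alice_later = constructed_embedding(subject=1, capture=1)
    bob = constructed_embedding(subject=2)
    key_v1 = b"enrolment-key-v1"   # hypothetical per-enrolment secret (held in a TEE/enclave)
    key_v2 = b"enrolment-key-v2"   # key issued after the v1 record is revoked

    stored_raw = alice_enrol                 # what a naive system stores
    stored_v1 = protect(alice_enrol, key_v1)  # what a protected system stores
    stored_v2 = protect(alice_enrol, key_v2)  # re-enrolment after revocation

    return {
        # genuine user still matches and the impostor does not, under both schemes
        "raw_genuine": match_raw(stored_raw, alice_later),
        "raw_impostor": match_raw(stored_raw, bob),
        "protected_genuine": match_protected(stored_v1, alice_later, key_v1),
        "protected_impostor": match_protected(stored_v1, bob, key_v1),
        # a leaked raw template is a perfect probe against the same system
        "raw_replay": match_raw(stored_raw, stored_raw),
        # after revocation the leaked v1 record is useless against the v2 enrolment
        "leaked_v1_vs_v2": hamming(stored_v1, protect(alice_later, key_v2)) <= BITS // 4,
        # the two records of the same face are unlinkable (about half the bits differ)
        "v1_v2_distance": hamming(stored_v1, stored_v2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The enrolment key is the part that must be kept secret and ideally never leave the device: a leak of the key together with the bit string weakens the irreversibility argument, which is why real schemes pair this kind of transform with hardware-backed storage rather than relying on it alone.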
Used this way, with protected templates and liveness detection, biometric authentication is one of the strongest ways to prove that a person is who they say they are, and it is at its best as one factor alongside another.
Biometric data is helping to make the world more secure and convenient. Understanding what a biometric template is and how it must be protected will help to not only protect your privacy, but support the wider roll-out of biometric authentication. You can read more about biometric authentication in our post Which biometric authentication method is most secure.