Understanding the strengths and weaknesses of biometrics
- Published: Wednesday, 28 March 2018 09:20
Biometrics are fast becoming an integral part of online security but not all biometric options are equal in security strength and usability. Elliot Thompson provides a useful overview of the options that are available.
Until recently, biometric authentication had been discussed on a largely theoretical basis. Today, significant advances have made it a truly viable and secure alternative to traditional forms of security, offering the opportunity to improve the usability of services for customers.
Biometric authentication uses an individual’s biological data to verify their identity. Unlike personal identification numbers (PINs) and passwords, biometric data is nearly impossible to guess and is unique to a single person. Biometric systems can be extremely difficult to compromise, making them a favoured choice over other single-factor security methods or a welcome addition to multi-factor authentication for high-security and enterprise use.
However, no one method is without limitation and there is still a way to go until biometric authentication methods become affordable and trusted enough for widespread adoption. Let’s take a look at some of the methods being used today and the strengths and weaknesses they bring to the table.
Authentication in your hands
The most established method of biometric authentication is fingerprints. While unique, there are concerns that they are one of the easier biometric parts to duplicate. We leave fingerprints on any surface we touch, and these can be lifted from smooth surfaces such as glass. It would never be advisable to write your password on a wine glass and hand it to a waiter, but if your fingerprint is used as a password, that is precisely what is being done. Another consideration is that, with fingerprint scanning, there are only as many password options as we have fingers.
Despite these weaknesses, fingerprints are far more difficult to guess than a password, and their low cost and high convenience make them one of the most common authentication methods.
Finger vein or hand vein scanning has naturally evolved from fingerprint scanning. The method scans vascular patterns beneath the skin’s surface, which aren’t left on the surfaces we touch, making them a safer alternative to fingerprints. Despite this, the higher expense of the scanning equipment means finger vein scanning is a less common option.
The eyes have it
Another secure scanning method is iris recognition. Although widespread in movies, iris scanning has seen modest adoption. The security of iris scanners is typically reliable, with a very low chance of false positives, as the scans tend to be very high detail, making duplicate irises hard to create. Even a close-up ‘selfie’ is unlikely to provide the detail required to create a duplicate.
Despite their reliability, though, there are concerns about hygiene issues and accessibility. If scanning equipment is shared and requires users to position their eyes on sockets used by others, it could quickly become unhygienic unless cleaned after each use. To be completely clean may require chemicals that would irritate the eye, such as alcohol. If the shared scanner is static, it may be difficult for people of different heights to use it.
In terms of accessibility, iris scanning may be problematic for people with certain medical conditions. Diabetes, for example, can alter the appearance of the eye over time, which may cause iris recognition issues.
Hello, is it me?
Voice recognition technology is another option that is becoming widely supported. Although the method has become more advanced in recent years, the methods to defeat it have advanced too. The voice is the easiest to duplicate of all the biometric options; even a recording on a good microphone could defeat cheaper systems.
Your face or mine?
Of all biometric methods, facial recognition is the latest to enter the market. While original iterations could be defeated using photos of the appropriate person, modern implementations map the structure and movement of the face to reduce the success of this kind of forgery. While the technology is new, if proven effective it could be a reasonable alternative to some of the other methods mentioned. However, with current attacks and false positives demonstrated against the Apple Face ID system, more advancement is likely to be required in face recognition.
It’s clear to see that there have been some significant advances made in biometric security. In terms of the level of security it provides, there is still some way to go before most methods are likely to receive widespread adoption. Another barrier to adoption is the level of public discomfort with keeping physical details on record as, thanks to fingerprints, biometrics are commonly associated with identifying criminals.
For circumstances requiring higher security, biometric systems should always be considered as a single factor in a multi-factor system and should be combined with a strong, truly secret asset such as a password. But for the average consumer, the ongoing progress in biometric authentication technology could soon secure some methods as standard in guarding against thieves, casual attackers and malicious individuals.
Elliot Thompson is senior security consultant at SureCloud.