Passwords? Out. Biometric authentication? In.
Biometric authentication is a cybersecurity process that uses a person’s unique biological characteristics, such as their fingerprint or face, to verify their identity.
“Biometric is linked back to something not about you, but something that you are,” Mike Engle, co-founder and chief strategy officer of 1Kosmos, told IT Brew. He said several sectors, including the government, retail, and the aviation industry, have begun to embrace biometric technology.
Trulioo CTO Hal Lonas told IT Brew that biometric authentication has been “up and coming” for some time now. Commercial use of the technology began to ramp up in the early 2000s.
“It’s really the future, and I think we see it all the time now,” Lonas said.
How it works
One of the most common examples of biometric authentication is fingerprint authentication, which can be found on mobile devices and laptops. Roger A. Grimes, data-driven defense evangelist at KnowBe4, told IT Brew that some fingerprint scanners authenticate users by placing small dots on the ridges of a person’s fingerprint. He compared the imagery to a star constellation.
“That fingerprint will become what’s called a four-point print, five-point print, maybe at most eight-point print,” Grimes said, adding that the scanner would then try to match the respective number of points when a person scans their print.
Grimes said a similar process occurs for facial authentication. While both authentication methods can provide a sense of convenience to users, he noted that some biometric face and fingerprint scanners are intentionally “detuned” to avoid false negatives and areas of friction for users.
“I’ve had a ton of people email me to say that their toddler walked by their laptop and unlocked their laptop and the toddler looks a little bit like them, but they’re a grown adult and the toddler is a toddler,” Grimes said. “And that happens a lot.”
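As an added illustration (not from the article or from any vendor's matcher), the sketch below models the point matching and "detuning" Grimes describes: a scan is accepted when enough enrolled points have a scanned point close by. The coordinates, tolerances and point counts are constructed, and the matcher is a simplification that compares point positions only.

```python
import math

# Constructed sample data: (x, y) positions of points on a print.
ENROLLED = [(10, 12), (25, 40), (33, 18), (47, 52),
            (58, 27), (64, 70), (72, 35), (80, 60)]
SCANS = {
    # Same finger, clean scan: every point within 2 units of enrollment.
    "clean": [(11, 12), (25, 41), (32, 18), (47, 50),
              (59, 28), (64, 71), (73, 35), (80, 59)],
    # Same finger, partial and smudged scan: fewer points, larger drift.
    "noisy": [(14, 15), (25, 41), (38, 22), (47, 50), (59, 28), (70, 76)],
    # Different finger that happens to have four points in similar places.
    "impostor": [(16, 17), (30, 34), (52, 46), (60, 20),
                 (90, 10), (5, 80), (40, 75), (85, 85)],
}


def matched_points(enrolled, probe, tolerance):
    """Count enrolled points paired with a distinct probe point within tolerance."""
    unused = list(probe)
    count = 0
    for ex, ey in enrolled:
        in_range = [p for p in unused
                    if math.hypot(ex - p[0], ey - p[1]) <= tolerance]
        if in_range:
            nearest = min(in_range,
                          key=lambda p: math.hypot(ex - p[0], ey - p[1]))
            unused.remove(nearest)  # each scanned point may be used once
            count += 1
    return count


def decisions(tolerance, required):
    """Accept/reject result for every sample scan under one matcher setting."""
    return {name: matched_points(ENROLLED, scan, tolerance) >= required
            for name, scan in SCANS.items()}


if __name__ == "__main__":
    # Strict: all eight points must line up closely.
    print("strict (tolerance=3, required=8): ", decisions(3, 8))
    # Detuned: a four-point match with loose tolerance.
    print("detuned (tolerance=10, required=4):", decisions(10, 4))
```

The strict setting rejects the smudged scan from the legitimate finger (a false negative), while the detuned setting accepts it and also accepts the different finger (a false positive).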
Pros
IT Brew caught up with three cybersecurity experts to discuss the advantages and disadvantages organizations should consider before leveraging biometric authentication in their workplaces. Engle said that biometric authentication has a large appeal.
“Without a biometric, what do you have? Username and password or something you hold up like a card, which could be held by somebody else,” Engle said.
“It’s easy to just look into a camera. It’s easy to just tap your finger on something,” Engle said. “There’s nothing to remember, nothing to go fetch.”
Grimes said the cost of certain biometric scanners, such as fingerprint readers, has fallen over the years.
“Now it’s really common to have them in laptops and things like that,” Grimes said. He added voice recognition is also accessible as it doesn’t need specialized equipment.
Cons
Biometric authentication has its drawbacks. For one, Grimes said some biometric scanners can result in false positives. “When I joined at KnowBe4, my fingerprint matched somebody else’s in the system,” he said.
In addition, scanners may not be equally effective for everyone.
Grimes also recalled a colleague whose fingerprints were unable to be picked up by scanners. Lonas said this has to do with biases that can be baked into some detection devices.
“There’s many, many other kinds of bias that can be built into these detection systems where they can be trained on one kind of fingerprint or one kind of face,” Lonas said. “There’s racial bias. There’s just all kinds of bias that’s built into these systems.”
Engle said another pitfall with using biometric authentication is its potential for use in surveillance activities.
“There’s ways that a biometric could be used [in a way] that wasn’t its intended purposes and that’s what a lot of laws, GDPR and CCPA and Illinois [Biometric Information Privacy Act], are trying to prevent,” Engle said.
All three security experts also raised security-related concerns in the unfortunate event that biometric information is compromised, a scenario that has proven itself to be very possible. In 2019, researchers from vpnMentor discovered a data breach impacting Biostar 2, a web-based biometric security smart lock platform, where more than 1 million fingerprint records and facial recognition information were compromised.
“You can’t replace your face with a new one,” Engle said. “So, there’s security and privacy concerns that need to be addressed.”
Ethical practices
Engle said the training associated with deploying biometric authentication largely falls on tech and security vendors. He said the most important thing for employees in organizations that leverage the cybersecurity process is that they are educated on how it is being used.
“If I tell you that I’m going to use your face or finger in a certain way, explain it to you, and tell you how I’m going to protect it, there’s no issue,” Engle said.
Engle said offering employees the option to opt out of biometric authentication is also “key” when embracing it in the workplace.
“You just have to have other controls in place for them because they’re going to typically fall back to more insecure things,” Engle said. “So, they might have to use two or three other factors to log in or go fetch a code.”