What Are Biometrics? The Pros/Cons of Biometric Security

Biometrics are measurable human traits, characteristics, or behaviors that can be used to verify a person's identity. For example, a person's face or fingerprints are unique to them and can be measured. So they're often used to identify a person in law enforcement applications.

Biometrics have been used for identity verification since 1883 when French criminologist Alphonse Bertillon first used body measurements to identify repeat offenders. Today, biometric authentication is growing in popularity for enterprises because biometrics are an effective way to control access to sensitive information, devices, or physical locations.

However, biometrics aren't impenetrable and come with increased privacy risks. So any organization seeking to utilize biometrics to verify employees or end users should pay close attention to how they implement biometric identification systems.

Below is what executives need to know about using biometrics for their organization.

How Biometrics Work

At the most basic level, you need two things to verify an individual's identity with a biometric identifier: a way to collect or measure the desired characteristic and a record of that characteristic to compare your measurement to.

However, to automate the biometric authentication process, modern biometric systems typically require three steps:

1. A physical measurement device that reads or scans the biometric characteristic you're using to authenticate a person
2. Software that translates a biometric scan into a digital format and compares it to the record of that biometric characteristic
3. A stored record of that biometric characteristic that the software can compare the new scan to in order to verify a person

Centralized vs. Decentralized Biometric Data Storage (and Why It Matters)

Biometric data is typically stored either on a central server or the authentication device itself — with the former being a controversial method for doing so.

Storing biometric data on a server like you would a password means that if the database is breached, your users' biometric data is breached. And since you can't reset biometric data like you would a password, it means your users' biometric data is compromised for the rest of their life.

Device-level storage keeps biometric data distributed, which eliminates the risk of large quantities of biometric data being exposed all at once (better protection for users and organizations).

Types of Biometrics

While just about any part of a person's body can be measured, not every biometric characteristic can or should be used to verify an individual's identity. Some traits inherently carry a greater degree of uniqueness than others, and some traits are hard to measure due to technical constraints (the technology doesn't exist yet, or the trait is hard to measure).

Below are the most common types of biometric characteristics in use today:

• Fingerprint Biometrics. The patterns found on a person's fingers are unique to them and are already used to verify smartphone users.
• Behavioral Biometrics. Behavioral biometrics use patterns in an individual's behavior, such as keystroke patterns and computer mouse movements or other behavioral characteristics like a user's physical location, to identify them.
• Ear Biometrics. A person's ear has a unique shape, and research shows ear recognition could be more accurate than fingerprint recognition.
• Voice Biometrics. A person’s voice is unique to them. Voice recognition systems are 90% accurate on average.
• Facial Recognition Biometrics. Research shows that an individual's face is unique when measured in sufficient detail and therefore is effective for accurately identifying them. Face recognition algorithms are far from perfect (studies show the technology is less effective in identifying darker-skinned individuals). However, companies are taking steps to improve their accuracy with artificial intelligence (AI).
• Hand Geometry Biometrics. Hand geometry is unique from person to person and has been used to identify a person since the 1960s. Although hand geometry is unique, using it to identify an individual does carry some important limitations, according to the Infosec Institute.
• Gait Biometrics. Gait analysis measures the way a person walks to identify them. Gait recognition is still a new technology, but researchers have already developed systems for smartphones that could be used to implement it.
• Retina Biometrics. Retina biometrics use the unique pattern on a person's retina to identify them. Research shows that retinal scans are very accurate.
• Iris Biometrics. Iris biometrics are similar to retina biometrics, except they use the unique pattern of a person's iris instead of the retina. Research by the National Institute of Standards and Technology (NIST) shows that iris scans are 90-99% accurate.
• Vein Recognition Biometrics. Vein recognition is also known as vascular biometrics and uses subdermal vein patterns to identify a person. Vein recognition is the most accurate biometric technology in use today. However, researchers have cracked vein recognition in the past using a wax hand. So although it's effective at distinguishing between individuals, it's susceptible to attack.
• DNA Biometrics. 99.9% of the average person's DNA is identical to every other person on Earth. However, the 0.1% that's different is enough to identify a person with a high degree of accuracy.

The Pros and Cons of Biometrics for Cybersecurity

Biometrics promise organizations improved security and better experiences for users. But they also create new risks that organizations need to account for if they choose to use them to verify employees or end users.

Pros

Biometrics are an effective way to verify users because biometric traits are harder to fake, replicate or transfer than traditional username/password (U/P) authentication.

Research also shows that consumers prefer biometric authentication to U/P authentication because it's easier for them to authenticate themselves — they just scan their finger, and they're in. This benefits organizations because a positive user experience can also reduce security risks and offer a competitive advantage.

Finally, biometric data often saves companies money because it uses less server space than traditional authentication measures and eliminates the need to reset a password.Auth0 customers report costs of up to $120 per password reset.

Cons

Biometric identification systems can be costly to implement if a company is installing everything from scratch. For example, although some biometric technologies like fingerprint scanners are now fairly cheap to purchase, the more accurate and reliable technologies are often quite expensive. One way to substantially bring down these costs is to use scanners within existing devices, such as mobile phones, as the authentication mechanism.

And although biometrics do reduce many security risks, cybercriminals have still found ways to crack biometric authentication systems, as well as breach the databases biometric data is stored on.

Biometrics are also a challenge to store securely because the hashing process used to protect passwords doesn't work with biometric data. So any organization that utilizes biometrics to verify their users has to ensure that any biometric data they store centrally is adequately encrypted or they'll put their users at risk.

Common Examples of Biometrics in Use Today

Biometrics are most commonly used in smartphones, tablets, and laptops. For example, both Apple and Samsung use fingerprint and facial recognition to unlock their devices.

However, enterprises, government agencies, and even law enforcement are also using a variety of biometric identifiers for access control or to verify an individual's identity.

• Financial Services. Behavioral biometrics are used in financial and banking industries to prevent fraud and identity theft.
• Law Enforcement. Law enforcement agencies use fingerprints, palm prints, and DNA to verify the identity of criminals.
• Immigration and Customs. Many countries use biometrics to document foreign residents and issue visas. For example, the United States Department of Homeland Security uses fingerprints and facial recognition to verify an individual when they enter the country, as well as issue a green card to foreign residents.
• Healthcare and Medicine. Biometrics are currently used to identify patients in hospitals and retrieve medical records.
• Customer Service. Voice biometrics are used to authenticate users when they call a customer service center.

The Future of Biometrics

The total market value of the biometrics industry is expected to grow 87% in the next five years as more organizations adopt biometric authentication to secure data, devices, and applications. As that occurs, there are several trends emerging that organizations should pay attention to:

• Continuous improvement of biometric security is a must. Bad actors are finding new ways to circumvent biometric authentication systems. So reducing security risks to biometric data is a continuous effort, not a one-and-done event.
• Using biometrics in continuous authentication applications will gain more traction. Continuous authentication happens on a rolling basis while a person uses your systems, rather than once at the beginning. Many experts expect biometrics to be widely incorporated into continuous authentication systems as they become available in the near future.
• Regulations around biometric data are tightening. Biometrics are still a relatively new technology. But given the privacy concerns associated with biometric data, regulators are beginning to tighten restrictions around how biometric data is collected, used, and stored.

For more information on each of these trends, see our article on biometric authentication. Learn more about implementing biometric authentication with Auth0 here.