The need for secure, reliable access to data has never been more pressing than it is today. What’s a more convenient and highly assured way to identify people over traditional authentication methods such as usernames or passwords?
Biometrics, of course.
Also known as inherence factors, i.e., something you inherently are, biometric identifiers are impossible to lose or forget and highly challenging to hack or steal. Because of these characteristics, biometric authentication has a bright future in identity security.
There are various types of biometrics we will cover in this article, each with their own unique advantages and disadvantages, and different ways to approach biometric security. But first, what is the False Rejection Rate versus False Acceptance Rate and why does this matter for biometrics?
False Rejection Rate (FRR) and False Acceptance Rate (FAR)
When a person is enrolled in a biometric system, their unique physical or behavioral characteristics are registered and stored in a database. When they attempt to log in to the system, their characteristics are again scanned and matched against those in the database. If there is a match, they’re allowed access to the system.
Despite the convenience of biometrics, it is possible to spoof or fool biometric sensors, either deliberately or inadvertently. This is why it’s important to understand a biometric system’s False Rejection Rate (FRR) and False Acceptance Rate (FAR).
A False Rejection Rate is the percentage of times that the system rejects an authorized user. A False Acceptance Rate is the percentage of times that the system accepts an unauthorized user.
To reduce the number of FAR incidents, security systems can be tightened, but this often leads to an increase in FRR. Where these two intersect is the Equal Error Rate or ERR. The lower your organization’s ERR for biometric authentication, the more accurate your system is.
Evaluating Common Forms of Biometrics
As with most things in life, there are pros and cons to each of the different types of biometrics, detailed below.
The most established type of biometric system is fingerprint recognition. Fingerprints have been used as a form of identification for decades, even before the advent of advanced technology, since they are unique to each individual and easy to capture both physically and digitally.
Fingerprint scanning is one of the most widespread types of biometric identification. It’s relatively affordable and easy to use, and has expanded beyond law enforcement, government, and enterprise use to become a staple of personal devices. Many smartphone devices and laptops come with fingerprint scanning capabilities, which provide users with a simple means of secure access.
However, the scaling up of fingerprint scanner technology has not been without growing pains. A study by Cisco Talos explored several methods of spoofing phone and computer fingerprint scanners, and reported an 80% success rate. Although their methods would be immensely difficult to replicate outside of the lab, the study demonstrates that it is in fact possible to forge fingerprints and fool today’s most common type of biometric authentication.
An additional disadvantage of fingerprint recognition is that fingerprints can be smudged or damaged by events such as serious burns, which makes them less reliable than some other types of biometrics. Fingerprint scanners are also subject to environmental conditions, such as moisture, which can increase the FRR.
Facial recognition is another widespread type of biometric system, as most of us are familiar with FaceID on Apple or Android phones. It uses facial characteristics, such as the shape of the eyes, nose, and ears, to identify individuals.
Airports and other security agencies often use facial recognition systems to match passengers against a list of known criminals or terrorists. The systems are relatively accurate and fast, and can be used with both photographs and live video footage. Unfortunately, there is also demonstrated bias in the algorithms that leads to both an increased FRR and FAR for women and people of color.
Additionally, masks, sunglasses, or bad lighting can fool some facial recognition technology. This is being addressed through the development of 3D facial recognition systems, which rely on sensors to capture facial features in greater detail.
Sometimes known as retinal scanning, iris recognition uses the patterns of the iris to identify individuals. These patterns are unique to everyone and aren’t affected by changes in lighting or exposure.
However, iris recognition systems can fail when contact lenses are involved, and they may not work well in low light conditions. They’re also more expensive than some other types of biometrics.
Another concern with iris recognition is user acceptance. Many people find the process unpleasant and invasive because you have to adopt a specific position while having your iris scanned, which can cause discomfort.
Voice recognition is a biometric system that uses the sound of someone’s voice and a specific phrase or vocal pattern to identify them. This system is often used for authentication purposes, such as when logging into a computer or unlocking a phone. It can be a cost-effective way to implement biometric authentication as microphones are already widespread in most personal devices.
Voice recognition is fairly accurate, but the FRR can increase when factors such as background noise or a bad cold are involved. It’s also not always easy to get a clear recording of someone’s voice, and often requires multiple attempts. If you have ever yelled at Apple’s Siri or Amazon’s Alexa, you understand the frustration this can cause for users.
Vein recognition is a biometric system that uses the patterns of veins in someone’s hand to identify them. This technique looks at the veins beneath the skin’s surface and builds a map for future comparison. This system is often used in high-security facilities, as vein patterns are difficult to fake.
Vein scanning is considered one of the most secure and consistently accurate options for biometric authentication, especially when compared to fingerprint and facial recognition. However, the trade-off for an extremely high level of security and assurance is considerably higher implementation costs.
Gait recognition is a biometric system that uses the shape of someone’s body and the way it moves when walking or running to identify them. This type of biometric factor is discreet and unobtrusive, and it can also quickly identify people from afar.
These systems are great for mass crowd surveillance, but not necessarily for authentication purposes. Gait recognition can have a much higher error rate than other forms of biometric identification, as it can be impacted by clothing and deliberate deceptive measures.
Which Form of Biometric Identification Is the Most Secure?
As much as we would like there to be an obvious answer to this question, the reality is that no form of biometric identification method is foolproof. Iris and vein patterns are arguably the most challenging biometrics to replicate, which makes them extremely secure — but the high cost barrier for implementation makes these types of technologies inaccessible to most organizations.
If you’re an IT professional exploring the possibilities of biometric authentication, security is not the only consideration when choosing a biometric system. You’ll also need to consider cost, convenience, and other trade-offs when making a decision. What works for one organization’s IT environment may not work for another.
Fingerprint, facial, and voice recognition can be more appealing options for small to medium-sized enterprises (SMEs) because of the low cost barriers involved. The technology employees would need to leverage these types of authentication is already at their fingertips in the form of smartphones and laptops.
And, the potential risks of these “less secure” methods can be mitigated by layering biometrics onto a Zero Trust architecture or multi-factor authentication (MFA), also known as two-factor authentication (2FA).
2FA is a security process that requires two different forms of identification from the user to log in. Biometric 2FA uses biometric identification as one factor and either a password or another security token as the second factor. This combination is much more secure than using a password alone. In fact, many experts believe that biometric 2FA is the most secure form of authentication available today.
Ultimately, the most secure form of biometric identification will depend on the specific application and the environment in which it’s used. Interested in potentially implementing biometric authentication in your organization? Learn more about How to Keep Biometric Information Secure.