Ten years ago, biometrics seemed like something out of a science fiction movie. Fast forward to now, and people everywhere are unlocking their phones with their faces. And the appetite for continued use of biometrics is significant — 86% of consumers want to use biometrics to verify their identity. With biometric technology, people no longer have to worry about memorizing lengthy passwords, and the chances of them ever losing their face or fingerprints are next to none.
But as biometrics becomes more and more mainstream, distinctive problems are coming to the fore. People had to wear masks during the pandemic and couldn’t leverage face recognition technologies. Lawmakers are raising ethical concerns related to biometrics. And cybercriminals are learning how to cheat the system by creating silicone fingerprint replicas or using voice mimicry to circumvent biometrics-protected spaces.
New advances have made some biometrics approaches safer and more secure, but these techniques are more costly to implement. So, how do we address these issues moving forward? This piece will explore how biometric authentication is evolving to meet new security, adoption, and ethics demands.
Responding to Existing Security Vulnerabilities
Biometric solutions improve the user experience, but that doesn’t mean much if they aren’t secure. To protect organizations, their employees, and their customers, biometric technology companies are pouring time, money, and effort into research and development, particularly in the following areas.
The facial recognition and fingerprint recognition we have today are far better than they were several years ago, but they still have the potential to advance even further. More complex technology (such as 3D scanning) can examine all the details of someone’s face or fingerprint, decreasing the risk of duplication.
The same goes for voice recognition and iris recognition: examining the minutiae of those traits can reveal gaps in the fake versions cyberattackers produce. In addition, making detection systems interactive can help; for example, some facial recognition systems require users to blink as part of the authentication process.
One major issue with biometrics is that people know what your face and fingers look like, making them easier to replicate than physical traits you can’t see. Silicone fingerprints and masks have already allowed cybercriminals to slip through the cracks. So biometric technology companies are exploring other unique characteristics like a person’s gait, intraocular vessels, typing patterns, heart rate, and even the shape of their earlobes to reduce the risk of mimicry.
Since not all cybercriminals have the ability to create fake faces or fingerprints, they’ve taken a different tack, attacking the databases that store biometric data. Once that happens, the biometric data that’s been exposed cannot be used for security purposes again.
As a result, companies are constantly brainstorming new ways to secure biometric information, whether it’s scrambling it and storing the pieces on separate servers to make it tougher to piece together, storing it in the cloud, or using other more complicated authentication methods.
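One concrete way to realize the "scramble it and store the pieces on separate servers" idea above is n-of-n XOR secret sharing of the enrolled template: each store holds one share, and a breach of fewer than all stores reveals nothing about the biometric. The Python below is an added illustration, not the original post's or any vendor's code; the template bytes are constructed sample data, not a real biometric.

```python
import secrets
from typing import List


def split_template(template: bytes, n_servers: int) -> List[bytes]:
    """Split a biometric template into n_servers shares, one per store.

    The first n-1 shares are uniformly random; the last is the XOR of the
    template with all of them. Any subset of fewer than n_servers shares is
    statistically independent of the template, so a single compromised
    database leaks nothing about the enrolled biometric.
    """
    if n_servers < 2:
        raise ValueError("splitting only helps with at least two stores")
    shares = [secrets.token_bytes(len(template)) for _ in range(n_servers - 1)]
    last = bytes(template)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def reconstruct_template(shares: List[bytes]) -> bytes:
    """Recombine shares fetched from the stores. All shares are required;
    combining only some of them yields random-looking bytes, not the template."""
    if not shares:
        raise ValueError("no shares supplied")
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("all shares must have the same length")
    out = bytes(length)
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


# Constructed sample "template" standing in for an encoded fingerprint minutiae set.
SAMPLE_TEMPLATE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

if __name__ == "__main__":
    shares = split_template(SAMPLE_TEMPLATE, 3)
    assert reconstruct_template(shares) == SAMPLE_TEMPLATE
    # Re-splitting on re-enrollment produces fresh, unrelated shares, so shares
    # from an old (possibly breached) set cannot be combined with new ones.
    assert split_template(SAMPLE_TEMPLATE, 3) != shares
    print("3-way split and reconstruction verified")
```

Because the shares are fresh random values at every enrollment, a leaked share set can be revoked by simply re-enrolling, which the post notes is otherwise impossible for a leaked raw biometric.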
Cyberattackers are very creative and good at what they do. While we can’t always predict how they will try to circumvent new measures, we can guess. Some biometric technology companies have taken a more offensive approach, testing their new techniques as if they were attackers attempting to bypass biometric authentication.
To offer the greatest protection possible, researchers create and test dupes made out of various materials, try to steal data on the backend, and come up with and test any other scenarios they can think of.
The launch of Face ID for Apple phones was a huge step forward for biometric authentication. Since everyone who purchased an iPhone was required to use facial recognition, people grew to love it, making biometric technology much easier to explain and encourage.
On top of that, the cost to integrate biometric technology into authentication processes and systems is decreasing. Companies are finding ways to streamline biometric solutions, and many machines now come pre-built with biometric capabilities. In fact, researchers estimate that biometric facial recognition hardware will be present in 90% of smartphones by 2024.
As a result, many companies have incorporated biometric authentication into their products. For example:
- In 2018, Microsoft enabled fingerprint and iris recognition on their computers.
- Over the past few years, online banks like JPMorgan Chase and Wells Fargo have implemented facial recognition to access their apps.
- Delta Airlines recently created an end-to-end biometric experience for pre-check travelers to check into their flights, pass through security, and drop off their luggage quickly and efficiently.
As more organizations opt for biometric authentication, others will, too. The numbers already show this trend: the global biometric system market is forecast to reach 68.6 billion dollars by 2025.
Addressing Ethical Concerns
While biometric attributes are supposed to be unique identifiers, there can be, and have been, flaws in the technology, mainly in terms of bias and privacy. However, companies are actively working to correct biases and abide by new privacy legislation to continue reaping the benefits of biometrics.
In a study of multiple facial recognition algorithms, Black and Asian faces were falsely identified 10 to 100 times more often than white faces, and women were falsely identified more often than men. Unfortunately, this isn’t the only example of bias infiltrating biometric systems. Humans design the algorithms behind biometric technology, and humans make mistakes.
If uncorrected, biometric bias can disadvantage certain groups of people by limiting their ability to leverage digital services. Plus, poorly designed biometric systems can produce false positives.
Not only does that drastically increase the risk of fraud, but it also has the potential to cause discrimination against users who have experienced false matches. Consequently, companies are inquiring about minimizing demographic bias in their RFPs for new biometric products.
Bias isn’t the only concern with biometric technology — it presents privacy risks to consumers everywhere. Having a database of people’s faces, fingerprints, voices, and other identifiers can have devastating consequences in a cyberattack, exposing highly confidential personal information.
Once those characteristics are leaked, they can never be used for security purposes again. Beyond cyberattacks, biometrics can be used for covert surveillance and tracking by law enforcement or other governmental parties, infringing on people’s privacy rights.
For all these reasons, many U.S. states have enacted privacy laws. For example, in 2019, the Illinois Supreme Court ruled that private companies could no longer collect biometric data from individuals without their consent, including fingerprints, iris scans, and facial scans. Texas, Washington, California, New York, and Arkansas have also instituted new biometric data security laws, and many other states will likely follow suit.
Companies must stay on top of and incorporate these new regulations into their security measures to use biometric authentication ethically.
Continuous Authentication and Zero Trust
As biometric and other passwordless login models have become the norm, security professionals have embraced a “Zero Trust” mindset. Zero Trust security operates on the “trust nothing, verify everything” principle, meaning that users must only work with trusted devices, on specific networks, and use two-factor or multi-factor authentication (2FA or MFA) to access those workspaces.
Biometrics comes into play as part of 2FA or MFA. In addition to entering a code from their phone or email, users will also have to use their face, voice, eyes, fingerprints, or another physical trait to authenticate into a system.
To enforce Zero Trust security, some companies are adopting continuous authentication, where users are authenticated on a rolling basis and locked out when validation criteria are no longer met. For instance, if you leave your laptop untouched for a few minutes, it will lock, and you’ll need to use biometrics and/or other authentication methods to log back into the VPN.
Since biometric technology is constantly improving, incorporating it into continuous authentication and Zero Trust models is only logical. If continuous authentication and Zero Trust are on your security roadmap, consider using JumpCloud.
JumpCloud makes it easy to restrict resource access, devices, and user identities with MFA or 2FA, without any on-prem infrastructure. Because identity and access are managed in the cloud, JumpCloud enables users to work securely from anywhere, without the need for lengthy, complicated passwords. Best of all, JumpCloud helps you maintain compliance with ever-changing privacy and compliance regulations like HIPAA, GDPR, PCI, and SOC.
Interested in learning more about how to simplify Zero Trust implementation in your own IT environment? Check out our resource library: Cybersecurity Made Simple.