In today’s world of security concerns, multifactor authentication plays a large role in proving one’s identity. The requirements of multifactor authentication include verifying what you have (such as a key, document or badge), what you know (like a name, password or secret) and who you are (such as a fingerprint or facial features). Being able to verify who you are is known as biometrics.
Biometric authentication is a security process that relies on unique biological characteristics to verify that individuals are who they say they are. Typically, it’s used to manage access to physical and digital resources, such high-security buildings or offices, airports and computing devices.
Biometrics include physiological measurements – like fingerprints, iris and retina patterns and facial appearance – as well as behavioral measurements, such as the voice recognition, signature dynamics, keystroke dynamics, physical gestures and more. Whereas biometric identification verifies that “you are you” based on your body measurements, biometric authentication goes one step further by entering your information into a database and using it to compare you against other individuals.
Until recently, biometric authentication was generally reserved for situations like right-of-entry to military sites. With the evolution of technology and cybercriminal creativity, however, biometrics are now being integrated into more and more applications in the public domain.
It’s not as modern as you might think
Surprisingly, biometrics are not a 21st century phenomenon – not by a long shot! As far back as prehistoric times, cave artists took ownership of their communication by “signing off” with a finger- or hand-print. In the second century B.C., the Chinese emperor Ts’In authenticated certain seals with a fingerprint. Additionally, William James Herschel, a British officer for the Indian Civil Service in the Bengal region of India in the 1850s, is credited with being the first person to use fingerprints in a practical manner. He had his subcontractors sign contracts with their fingerprints in order to find them more easily if they defaulted.
Even the use of behavioral biometrics goes back a few centuries. In the 1860s, telegraph operators using Morse code recognized each other by the way they would send dash and dot signals. Later, during World War II, allied forces used the same method to identify senders and authenticate messages they received. It took almost a half-century before New York police started using biometrics as an identification tool in 1902 (a year after the practice began in the UK). It wasn’t until 1924 that biometrics were adopted by the FBI.
Today, biometrics are being incorporated into a myriad of applications, from international border security to the unlocking of a smartphone. Because biometric authentication relies on statistical algorithms, however, the analysis of just one biological or behavioral characteristic can’t be 100% reliable. An individual might have a slightly sweaty finger, or have suffered a tiny cut that changes a fingerprint pattern on a scanner. As a result, multimodal biometric – the combination of two biometric credentials – systems are gaining traction. The most widely deployed to-date is the second generation of the electronic passport (ePassport), which incorporates two fingerprints in addition to a passport photo. Some of the most common biometric systems include:
Facial recognition systems approach biometric authentication from several angles. The classic way is to document facial features based on a photographic image. More-advanced techniques incorporate the documentation and measurement of skin texture analysis, facial lines, beauty marks, wrinkles and even 3-dimensional mapping of a person’s face. Unfortunately, facial recognition technologies can sometimes be fooled with makeup, masks or simply obstructing part of the face.
There are three types of fingerprint scanners: optical, capacitive and ultrasound. An optical scanner takes a photo of a finger, identifies the print pattern and then compiles it into an identification code. A capacitive system (currently used in smartphones and laptops) measures the electrical signals sent from a finger that’s in contact with the scanner. “Ridges” in the skin touch the scanner directly, sending electrical current, while the “valleys” in the skin pattern create air gaps. Capacitive scanning maps out these contact points and gaps, creating a fingerprint pattern. Thought to be even more secure, ultrasound scanners work by having a user put their finger to a print-reading chip, and an ultrasonic pulse bounces against it. The chip is coated with a layer of aluminum nitride, which can convert mechanical stress to electric energy or vice versa. When the ultrasonic pulse bounces back off the fingerprint, ridges and valleys return different patterns of stress, which can then be converted into electrical signals. By measuring the bounce from the ultrasound for a longer period of time, the scanner can also sense the depth of the ridges and valleys.
Security researchers consider the eye as one of the most reliable body parts for biometric authentication, since no two people will ever have the same retinal or iris patterns, and because the retina and iris remain almost completely unchanged during a person’s lifetime. A retinal scan highlights the complex blood vessels in a person’s eye using infrared light. Iris scanners rely on high-quality photos or videos of one or both irises of a person. Iris scanners, however, have proven to be easily tricked, simply by using a high-quality photograph of the subject’s eyes or face.
A hand-geometry scanner measures palm thickness, finger length and width, knuckle distance, and more. The advantages of hand scanning include its ease of use, unobtrusiveness and a comparative low cost. However, our hands are not nearly as unique as our fingerprints or irises, so this technique is generally not used in high-security applications.
Speaker recognition technology is either text-dependent, meaning it unlocks after identifying certain words or phrases (as in “Alexa!” for the Amazon Echo) or text-independent, in which it tries to recognize a voice by pitch, inflection, etc., but ignores the worlds actually being said – think voiceprint. Despite its value as a biometric, speaker recognition can be problematic. Not only can background noises distort a person’s voice and make it unrecognizable, even a low-quality smartphone can create an accurate recording of a person’s voice, complete with inflections, tone and accents.
Privacy and Biometrics
One of the biggest red flags regarding facial recognition and biometrics stems from privacy concerns and allowing companies and government agencies access to your most personal asset – your physical being. For years, casinos and advertisers have used facial recognition technology for surveillance, tracking frequent visitors or gathering data. In this regard, biometrics present a double-edged sword – on one hand, you’re almost completely protected, on the other exists privacy issues and data sharing between private companies and government agencies. If you’ve been following tech news recently, you may remember the well-publicized privacy concerns over Apple’s iPhone X facial recognition “feature” being the only way to unlock the phone.
Where Do We Go From Here?
As cybersecurity techniques become more sophisticated, so do the bad guys who work so hard to break through them, creating a technical game of cat and mouse. Biometrics comprise one of today’s most vigorous and advanced cybersecurity tools, with new dimensions continually emerging.
At the end of the day, the reliability of biometric authentication depends on the quality of the acquisition tools and algorithms being used and reliance on a centralized server with an ultra-secure architecture. By staying up-to-speed on new trends and threats, as well as remaining ever-vigilant during seemingly innocent circumstances, such as photo ops and potentially-recorded conversations, individuals and enterprises alike can do their part to make sure biometrics remain the powerful protection they’re designed to be.