
Biometric Authentication: Is the Future Password-Less?

Passwords and PINs are not nearly as secure as they should be. According to a recent Verizon investigation, 81 percent of hacker-related breaches happen due to lost or weak passwords. Despite this, poor password habits persist (for example, reusing the same password across multiple accounts, both at home and at work). Weak passwords make it easy to break into a system, learn a username/password combination, and then use that combination to reach a multitude of sensitive user data. Couple this with the growth of cloud-based computing and you get an undeniable need for more secure authentication systems. Is biometric authentication the solution?

An Increased Need for Password Protection

According to the 2018/2019 World Quality Report, the number one goal of software developers is to improve end-user experience. To meet these demands, many software companies now base their applications in the cloud, a scalable, affordable hosting service that is both fast and functional.

The survey found that 76 percent of all applications are based in the cloud. However, because cloud-hosted software is reachable over the internet, it is exposed to attack, especially if passwords are weak or reused across multiple applications. This is especially concerning given how frequently financial and health-related data pass through cloud-based servers.

To improve the authentication process without hindering user flow, many companies now employ biometric authentication systems. Common examples include the fingerprint readers and facial recognition software found on many popular cell phones. Because biometrics are unique to the user, and because devices can quickly scan and confirm (or deny) a user’s identity, biometric data may serve as a natural alternative to passwords. The theory is that biometric information represents a password that cannot be lost or stolen.

Or can they?

Concerns Regarding Biometric Authentication

Though considerably harder, it is possible to steal biometric data. According to Experian’s 2019 Data Breach Report, hackers are taking advantage of flaws in both biometric hardware and data storage.

Worse, unlike passwords and PINs, biometric data cannot be changed in the event of a breach. Users can replace a compromised password to protect themselves from future misuse. Conversely, if someone captures fingerprint data, it cannot be swapped out for a new set. In other words, once someone has biometric information, they have it indefinitely.

Note that biometric data need not be collected directly on the device itself. Once it has been captured and converted into a digital template, it can be stolen just like any other stored data.

Additionally, surface-level biometrics like facial recognition or fingerprint scanning can change over time or as a result of trauma. To illustrate, a Wall Street Journal article explains how simple changes in appearance – shaving a beard or wearing a different makeup style – block access to some biometric-enabled devices.

Adermatoglyphia, or the loss of fingerprints, is another concern regarding biometric security. The condition mostly affects women (primarily seniors) and those who work in manual labor. Though seemingly benign, a lack of fingerprints makes it difficult to register and access devices that depend on biometric fingerprint recognition. Some genetic conditions such as Down syndrome, Turner syndrome, and Klinefelter syndrome may also pose problems with biometric fingerprinting systems.

Solutions to Common Biometric Authentication Concerns

These concerns make it clear that a single biometric authentication tool is not enough to provide the level of data security that cloud-based computing requires. This does not mean we should dismiss biometric authentication, however. Quite the contrary: biometrics are still the most secure form of identity verification (especially as we make advances in areas like vein recognition) and serve as a valuable tool for software security.

To address biometric security concerns, organizations must adhere to biometric software standards that cover data collection, storage, and protection. The FIDO Alliance is spearheading the movement toward a more secure future in biometric technology. Its aim is to reduce the world’s reliance on standard passwords in favor of more secure biometric technology.

FIDO certification through an accredited third party helps ensure the interoperability of biometric ecosystems, validates product functionality and conformance, and highlights both product and brand integrity. The more widespread FIDO certifications are across the industry, the more secure biometric-enabled devices and services will become.
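As an added example (not from the article or the FIDO Alliance), the Go program below models, in simplified form, why a FIDO-style authenticator answers the irrevocability concern raised above: the biometric match happens on the device, the server stores only a public key, and each login signs a fresh random challenge. The user ID, the template bytes and the exact-byte-comparison "match" are constructed stand-ins; real FIDO2/WebAuthn messages carry more fields than this.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the user's device: template and private key never leave it.
type Authenticator struct {
	template []byte // constructed stand-in for a fingerprint or face template
	priv     ed25519.PrivateKey
}

// Server models the relying party: it holds only public keys, so a breach of
// this table yields no biometric data and nothing reusable at another site.
type Server struct {
	credentials map[string]ed25519.PublicKey
}

// Register generates the key pair on the device and sends up only the public half.
func Register(srv *Server, userID string, template []byte) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srv.credentials[userID] = pub
	return &Authenticator{template: template, priv: priv}, nil
}

// NewChallenge returns a fresh nonce; a captured signature cannot be replayed against it.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// SignChallenge runs the biometric match locally (simplified to an exact byte
// comparison) and only on success signs the server's challenge.
func (a *Authenticator) SignChallenge(sample, challenge []byte) ([]byte, bool) {
	if !bytes.Equal(sample, a.template) {
		return nil, false
	}
	return ed25519.Sign(a.priv, challenge), true
}

// Verify checks the signature against the stored public key.
func (s *Server) Verify(userID string, challenge, sig []byte) bool {
	pub, ok := s.credentials[userID]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A real deployment would also bind the challenge to the site origin and check the authenticator's attestation, which the FIDO certification described above is meant to validate.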

Additionally, multi-modal biometric systems can help offset individual abnormalities. These systems collect at least two forms of biometric data and pair them to create one user profile. Examples include systems that scan both fingerprints and hand veins, or those that combine facial recognition with iris recognition. Used alongside standard passwords and PINs, these greatly improve the security of identity verification.

Though biometric authentication raises real concerns, organizations can proactively improve the security of biometric applications. First and foremost, all biometric technology should be certified as FIDO compliant through a third-party software testing company. Multi-modal and two-factor authentication practices also help secure private data and protect the public from attack.