Biometrics in Authentication: Balancing Accuracy and Security
The consumerization of biometrics within smartphones has led to the perception that biometrics are a low-cost, low-friction means of authentication. However, the accuracy and convenience of biometrics vary greatly depending on the type of biometric and the strictness of the settings. While risks such as data storage and breaches may not be a concern for enterprises using third-party vendors to handle biometric data, the blame can ultimately fall on the Chief Information Security Officer (CISO) if the vendor’s data is breached and the enterprise’s authentication data ends up on the Dark Web.
The High Stakes of Biometrics Data
The stakes are high when it comes to biometrics data because once stolen, it cannot be easily changed or refreshed. As Rex Booth, CISO of Sailpoint, points out, if a password is stolen, it can be changed, but if biometrics are stolen, there is no way to refresh fingerprints or grow a new retina. Any relationship with a biometric-dependent system becomes inherently insecure for life. This highlights the critical importance of protecting biometric data and ensuring its security.
However, Roger Grimes, defense evangelist at KnowBe4, emphasizes that biometrics, in general, do not work well and that the perception of their extreme accuracy is a misconception. According to Grimes, none of the algorithms comes close to their claimed accuracy, and there are a lot of false matches.
Voice Recognition Needs Serious Backup
The trade-off between accuracy and ease of use is a fundamental issue with biometrics. The least intrusive techniques, such as voice authentication, are often the least accurate. Researchers from the University of Waterloo discovered a method to bypass voice authentication systems with a 99% success rate after only six attempts. By identifying markers in deepfake audio that betray its computer-generated nature and removing them, the researchers made the audio indistinguishable from authentic audio. They achieved a 10% success rate within four seconds and more than 40% within 30 seconds when testing against Amazon Connect’s voice authentication system. This highlights the vulnerabilities and limitations of voice authentication as a biometric method.
Face Recognition Edges Out Fingerprints
Mariona Campmany, CMO for authentication firm Veridas, prefers facial recognition and voice biometrics over fingerprints for a couple of reasons. Fingerprint readers are easily interoperable and susceptible to personal data extraction, lacking the high level of privacy protection provided by facial and voice biometrics. Additionally, capturing fingerprints requires higher-resolution cameras or specialized software compared to facial biometrics, making them less accessible and less universally applicable.
However, facial recognition has its own set of challenges. It can only analyze a face at a precise distance from the screen, resulting in users needing to make multiple attempts before the system registers them. This friction can lead to frustration and inconvenience for users.
Vein Recognition Is Expensive but Secure
Vein recognition is a biometric approach that is highly secure but comes at a higher cost. According to Ant Allan, VP and analyst at Gartner, vein recognition is popular in the healthcare industry but seen in few other verticals. It requires specialist scanning and infrared imaging equipment, making it two to four times more expensive than fingerprint sensors. However, vein patterns are difficult to fake, making this method highly secure.
Layering Biometrics for Strong Authentication
Despite the varying accuracy and vulnerabilities of different biometric methods, it is important to remember that no authentication method is completely foolproof. Voice authentication is considered the weakest, followed by facial recognition, but all authentication methods have their vulnerabilities. Therefore, the key is to incorporate biometrics into a strong multi-factor authentication (MFA) strategy. As Allan suggests, using a single mode of authentication leaves gaps in security. Layering biometrics with other forms of authentication provides a more robust and secure overall authentication process.
In conclusion, the implementation of biometrics in authentication requires careful consideration of the pros and cons of each method. While biometrics can offer convenience and security, it is essential to understand their limitations and choose the most appropriate methods based on the specific use case. Furthermore, combining biometrics with other authentication factors can enhance security and mitigate vulnerabilities. Ultimately, a well-rounded and layered approach to authentication is crucial in ensuring information security in today’s digital landscape.
Editorial: The New York Times