Biometrics is the measurement and statistical analysis of people's unique physical and behavioral characteristics. The technology is mainly used for identification and access control, or for identifying individuals who are under surveillance. The basic premise of biometric authentication is that every person can be accurately identified by his or her intrinsic physical or behavioral traits.
The term biometrics is derived from the Greek words bio meaning life and metric meaning to measure.
Types of biometrics
The two main types of biometric identifiers depend on either physiological characteristics or behavioral characteristics.
Physiological identifiers relate to the composition of the user being authenticated and include facial recognition, fingerprints, finger geometry (the size and position of fingers), iris recognition, vein recognition, retina scanning, voice recognition and DNA matching.
Behavioral identifiers include the unique ways in which individuals act, including recognition of typing patterns, walking gait and other gestures. Some of these behavioral identifiers can be used to provide continuous authentication instead of a single one-off authentication check.
How biometrics work
Authentication by biometric verification is becoming increasingly common in corporate and public security systems, consumer electronics, and point-of-sale applications. In addition to security, the driving force behind biometric verification has been convenience, as there are no passwords to remember or security tokens to carry. Some biometric methods, such as measuring a person's gait, can operate with no direct contact with the person being authenticated.
Components of biometric devices include:
- A reader or scanning device to record the biometric factor being authenticated
- Software to convert the scanned biometric data into a standardized digital format and to compare match points of the observed data with stored data
- A database to securely store biometric data for comparison
Biometric data may be held in a centralized database, although modern biometric implementations often depend instead on gathering biometric data locally and then cryptographically hashing it, so that authentication or identification can be accomplished without direct access to the biometric data itself.
Security and privacy issues of biometrics
Biometric identifiers depend on the uniqueness of the factor being considered. For example, fingerprints are generally considered to be highly unique to each person. Fingerprint recognition, especially as implemented in Apple's Touch ID for the iPhone, is the first widely used mass market application of a biometric authentication factor.
Other biometric factors, including retina, iris, vein, voice and facial scans, have not been adopted widely so far, in some part because there is less confidence in the uniqueness of the identifiers or because the factors are easier to spoof.
Stability of the biometric factor can also be important to acceptance of the factor. Fingerprints do not change over a lifetime, while facial appearance can change drastically with age, illness or other factors.
The greatest privacy issue of using biometrics is that physical attributes like fingerprints and retinal blood vessel patterns are generally static and cannot be modified. This is in distinction to nonbiometric factors like passwords (something you know) and tokens (something you have), which can be replaced if they are breached or otherwise compromised, including over 20 million individuals whose fingerprints were compromised in the 2014 U.S. Office of Personnel Management data breach.
The increasing ubiquity of high-quality cameras, microphones and fingerprint readers in many of today's mobile devices means biometrics will continue to become a more common method for authenticating users, particularly as Fast ID Online (FIDO) has specified new standards for authentication with biometrics that support two-factor authentication with biometric factors.
While the quality of biometric readers continues to improve, they can still produce false negatives -- when an authorized user is not recognized or authenticated -- and false positives -- when an unauthorized user is recognized and authenticated.
While high-quality cameras and other sensors help enable the use of biometrics, they can also enable attackers. Because people do not shield their faces, ears, hands, voice or gait, attacks are possible simply by capturing biometric data from people without their consent or knowledge.
An early attack on fingerprint biometric authentication is called the gummy bear hack, and it dates back to 2002 when Japanese researchers, using a gelatin-based confection, showed that an attacker can lift a latent fingerprint from a glossy surface; the capacitance of gelatin is similar to that of a human finger, so fingerprint scanners designed to detect capacitance would be fooled by the gelatin transfer.
Other biometrics factors can also be defeated by determined attackers.
In 2015, Jan Krissler, also known as "Starbug," a Chaos Computer Club biometrics researcher, demonstrated a method for extracting enough data from a high-resolution photograph to defeat iris scanning authentication; in 2017, Krissler reported defeating the iris scanner authentication scheme used by the Samsung Galaxy S8 smartphone. Krissler had previously recreated a user's thumbprint from a high-resolution image to demonstrate that Apple's Touch ID fingerprinting authentication scheme was also vulnerable.
After Apple released the iPhone X, it took researchers just two weeks to bypass Apple's Face ID facial recognition using a 3D-printed mask; Face ID can also be defeated by individuals related to the authenticated user, including children or siblings.