
Biometric authentication terms to know

Consumers are on board with biometric authentication, but enterprises aren't so sure. Here's a breakdown of the must-know terms for companies considering biometric authentication.

Biometric authentication is sometimes predicted to be a replacement for passwords, which have long been considered too weak to provide true security. So far, though, biometrics have mostly been used as one part of two-factor or multifactor authentication, as enterprises have been slow to widely adopt biometric capabilities.

Biometric authentication systems capture a user's biometric data, usually encrypt it, and store it. When the user later tries to authenticate with that particular characteristic, the system compares the new input to the stored data. If the user input and the stored data match, the user is granted access to whatever they are trying to use.

This form of authentication is, however, spreading -- think of Apple's TouchID and FaceID. It's important to know what biometric authentication actually is and what it includes, as well as some of the problems and controversies that come with it.

Biometric authentication: Biometric authentication is the use of unique biological characteristics to verify the identity of a user trying to access an account, building or device. Characteristics such as retina scans, iris recognition, fingerprint scanning, facial recognition and voice identification can all be used in biometric authentication.

As with all authentication factors, there are risks associated with biometrics, including false positives and compromised data. With passwords, for instance, the user can change them if they are compromised by a threat actor. With biometrics, compromised data cannot be changed and it would be unwise to use that particular biometric factor for any other accounts or devices.
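An added example (not from the original article) of the capture, store and compare flow described above, showing how the false positives mentioned here arise: a biometric match is a distance check against a threshold, not an equality test. The feature vectors, the `alice` identity, the Euclidean distance measure and the threshold values are all constructed assumptions, and encryption of the stored template is omitted.

```python
import math

# Constructed 4-value "templates"; real systems derive much larger feature
# vectors from sensor data. Every number below is made up for illustration.
ENROLLED = {"alice": [0.20, 0.80, 0.50, 0.10]}

GENUINE = [   # later captures from the same hypothetical user: noisy, never identical
    [0.22, 0.79, 0.48, 0.12],
    [0.18, 0.83, 0.55, 0.08],
    [0.30, 0.70, 0.45, 0.20],
]
IMPOSTOR = [  # captures from other hypothetical people
    [0.25, 0.70, 0.60, 0.15],
    [0.60, 0.40, 0.90, 0.70],
    [0.90, 0.10, 0.20, 0.80],
]


def distance(a, b):
    """Euclidean distance between two feature vectors (assumed metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(user, capture, threshold):
    """Accept the capture only if it is close enough to the stored template."""
    template = ENROLLED.get(user)
    if template is None:          # unknown identity: nothing to compare against
        return False
    return distance(template, capture) <= threshold


def error_rates(user, threshold):
    """Return (false accept rate, false reject rate) over the sample captures."""
    false_accepts = sum(verify(user, c, threshold) for c in IMPOSTOR)
    false_rejects = sum(not verify(user, c, threshold) for c in GENUINE)
    return false_accepts / len(IMPOSTOR), false_rejects / len(GENUINE)


if __name__ == "__main__":
    # A strict threshold locks out the real user; a loose one admits an impostor.
    for t in (0.05, 0.10, 0.20):
        far, frr = error_rates("alice", t)
        print(f"threshold={t:.2f}  false accepts={far:.2f}  false rejects={frr:.2f}")
```

Tightening the threshold trades false accepts for false rejects, so the value chosen is a risk decision rather than a correctness setting.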

Behavioral biometrics: This type of biometrics deals less with innate physical characteristics and more with human patterns such as keystroke dynamics, gait analysis, voice ID, mouse use, signature analysis and cognitive biometrics. Behavioral biometrics is often used in financial organizations and government facilities, with the United States Department of Defense signing a contract in 2019 to use behavioral biometrics for employee identity and security.

Facial recognition: Facial recognition software maps a person's facial features mathematically and stores the data as a face print. The stored face print is compared to a live capture or digital image of the individual's face. Facial recognition's use for authentication has gained popularity on mobile devices, such as Apple's FaceID.

This type of biometric data has also been the source of some controversy, with Facebook using it to automatically identify individuals in photos and Amazon looking to sell its facial recognition software -- Amazon Rekognition -- to government agencies. Privacy advocates often lobby against facial recognition software as an infringement on privacy rights and civil liberties.

Types of biometric authentication

Retina scan: Not to be confused with an iris scan, a retina scan uses an image of a person's retinal blood vessel pattern as an identifying authentication factor. Retina scans are used for access to military bases, nuclear reactors and other high-security facilities since they are difficult to fake and can only be taken from a living human. Some smartphones claim retina scanning abilities, but they are usually referring to iris scanning.

Iris recognition: Iris recognition is based on a unique pattern within the ring-shaped region surrounding the pupil of the eye. An iris is usually brown, blue, gray or green and has complex patterns that can be seen up close. For iris recognition to work as an authentication factor, one or more detailed images of the eye are taken with a high-resolution digital camera at visible or infrared wavelengths. A matching engine then compares the person's iris pattern with the stored pictures. Iris recognition is used in airports, points of entry or exit in government buildings, and on smartphones.

Fingerprint scanning: Also called fingerscanning, this is the process of electronically obtaining and storing human fingerprints. The details of a human fingerprint -- raised areas called ridges and branches called bifurcations -- make fingerprints a unique identifier and thus a good factor for biometric authentication. Fingerprints are commonly used on devices such as laptops and smartphones, like Apple's iPhones with TouchID enabled.

Voice ID: Sometimes called voice authentication, voice ID uses a voiceprint that focuses on the unique patterns in a person's vocal characteristics that are created by the shape of the person's mouth and throat.

This was last published in June 2019

Join the conversation


What do you think about using biometrics as an authentication factor?
Good basics in this article. There is some additional information for facial recognition that is important to understand, most of which has not been clearly related in or to the press.

Facial recognition is a subset of face biometrics. Within face biometrics are facial recognition and face authentication. While the distinction isn't immediately clear, there is a fundamental difference. Facial recognition is, as stated in the article, a matching technology. Face images initially acquired and stored are then used to match against when the user subsequently requests access to an account or physical location. The problems mentioned occur when an image is stored and used for other purposes, whether intended or not.

However, that's only a problem if there is a false positive and an organization - usually some type of law enforcement or public security firm - uses that image to detain and/or prosecute the wrong person. For, say, marketing tracking purposes, it just adds to the personal information they already have: it's simple today to grab a face image from Facebook or even a simple search. The policies the companies use are more the issue than the biometrics they store. In rare cases, when a high-value person is specifically targeted, a face or fingerprint image could be used to access an individual account.

Importantly, however, in face authentication - where the user is also positively identified - the system must also determine if that correct user is actually alive. This "liveness detection" prevents non-human representations - spoof artifacts - like masks, photos and videos, from allowing a bad guy to access an account as the correct user.

Liveness detection is not a "response" method of human attribute detection, like nodding, blinking or smiling. They can all be easily spoofed. Liveness detection is a collection of several dozen attributes that add up to an unequivocal determination that the correct user is actually alive. These attributes include a wide variety of human traits that include micromovements, textures and reflections. This is very much like the way humans recognize each other and is accomplished through advanced AI software that has been trained over many years and hundreds of thousands of authentication sessions.

In addition, images acquired must be converted to binary files, encrypted, and the liveness detection data immediately deleted after the authentication session. This prevents an image - if in fact it can ever be acquired and reconstructed - from ever being used for another authentication session.

Unless *any* of the mentioned biometrics have liveness detection, they are all open to spoofing.
Always good to get context for this business. I'd suggest, though, some of these descriptions and assumptions are already outdated. For example, authentication has meant, essentially, identification. This is not so, and only because there is - now - much more to it. Authentication *must* not only, say, match images, but it must also be certain the user requesting access is actually alive (which can now be done). Artifacts such as fingerprint lifts, photos, videos, masks, 3D mannequin heads and many more can easily fool, or spoof, every one of the systems mentioned. Without liveness detection, it is only a surface-level identification. In this more modern context, and to put a finer point on this, facial recognition as described is NOT authentication.
What really makes this technology very expensive in less developed countries? In Uganda it takes about 1500 dollars to have the system run.