IT security teams are never in a fair fight: They must defend all possible entry points, while an attacker only needs to find and exploit one weakness or vulnerability to breach a network's defenses. This asymmetry highly favors attackers, particularly when it comes to networks and resources protected by inherently weak password-based authentication systems. As a result, many enterprises are moving to two-factor authentication because it makes credential abuse-based attacks less of a threat, as obtaining a valid password is no longer enough to gain access to a network or account.
However, two-factor authentication (2FA) schemes are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer; in 2011, security company RSA reported that its SecurID authentication tokens had been hacked. SMS-based 2FA has also been found to be vulnerable to a number of attacks, and the National Institute of Standards and Technology now recommends that it should no longer be used in 2FA tools.
Biometric authentication methods depend on measurable and unique attributes connected with individuals. While some, like fingerprinting or facial recognition, are currently being used widely and with success, there are other biometrics methods which may prove to be more or less trustworthy for authentication, including:
- Retinal scans and iris scans can be used to authenticate users based on the unique patterns in their eyes.
- Voice analysis may be easier for customers to use, especially over the telephone, but accuracy may not be as high as other methods.
- Body part geometry, including finger geometry and earlobe geometry, have been proposed for authenticating people but these methods may also be more easily spoofed.
- DNA matching may be the most accurate and least subject to spoofing, but it may also be the most intrusive method for authenticating users.
When used in conjunction with other authentication factors, like passwords or tokens, biometric authentication methods have the potential to improve security as well as the user experience.
The whys of biometric authentication methods
The presence of high-quality cameras, microphones, and fingerprint readers in modern devices is making biometric authentication methods and tools a viable option in 2FA. They offer frictionless authentication, and people are becoming familiar with using their fingerprint, voice or face to unlock computers and mobile devices; 16- to 24-year-olds actually feel more confident in the security of biometric authentication methods than PINs and passwords. Cars are also coming equipped with cameras and image sensors. Various manufacturers are already working on using facial recognition to replace the traditional car key.
Several banks have introduced voice recognition -- a behavioral biometric as opposed to a physiological one like a fingerprint -- to offer a quick and easy way for customers to identify themselves. The technology can filter out background noise, detect voice recordings and is not confused by temporary changes to a voice caused by a blocked nose or sore throat. Voiceprints are made up of over 100 unique characteristics, such as pronunciation, emphasis, speed, accent and the influences of physical elements of a person's mouth and throat -- like the length of the vocal tract and the shape and size of the mouth and nasal passage.
A big advantage of behavioral biometrics is that the identifiers can be discreetly monitored in real time to provide continuous authentication, instead of a single one-off authentication check during login. By monitoring behaviors such as typing rhythm, mouse movements, voice, gait and gestures to see if anything looks suspicious, an attacker is put in the position where one mistake will give their presence away, completely reversing the asymmetric relationship between defender and attacker. It's similar to antifraud systems that compare a card purchase against previous spending patterns.
Advantages of biometric authentication methods
Because they eliminate the need to remember dozens of different passwords for different digital services, biometric authentication methods do generally improve the user experience. British multinational bank Barclays has said the time taken to verify customers' identities has fallen from 90 seconds to less than 10. Voice may well become the most common form of customer authentication, as voice command-based user interfaces make more sense than touch interfaces in many situations.
Yet like any form of authentication, overall security depends on how well these systems are implemented. Biometric behaviors are shaped by social and psychological factors that make them unique, but it's not impossible to fool a biometric check. An HSBC customer's twin brother managed to access his bank account when the system let him repeatedly attempt to mimic his voice. Biometric authentication may be the answer, but implementation is everything.
Learn how mobile fits in to a biometrics security strategy
Some experts still say 2FA is preferable to biometrics
The role of behavioral analytics in IT security