Busting myths about biometric identification and authentication

Biometric authentication is an automated method of identifying or verifying a living person’s identity in real-time, based on distinctive personal traits or physiological characteristics, such as hand or finger images, facial features, and iris recognition.

Biometric authentication works by comparing an enrolled biometric sample against a newly captured biometric sample. A biometric trait is captured during enrollment, processed by a computer, and stored for later comparison.

Biometric recognition is used in two modes – identification and verification. In identification, the system identifies a person from the entire enrolled population by searching a database for a match based solely on personal traits. In verification, the biometric system authenticates a person’s claimed identity from their previously enrolled pattern.

Biometric systems are traditionally used for three applications: physical access control, which keeps unauthorized people out of places or rooms; logical access control, which protects networks and computers; and time and attendance control. They are increasingly being used in mobile banking apps to secure the digital banking process while providing a convenient user experience.

Some of the key benefits of biometric systems are as follows:

  • Increase security by adding a convenient, low-cost additional security tier.
  • Reduce fraud and minimize the opportunity for ID fraud, buddy punching.
  • Eliminate problems caused by lost IDs or forgotten passwords. Replace hard-to-remember passwords.
  • Tracing of individuals. Unequivocally link individuals to transactions and events.
  • Reduce password administration costs.

The following are some of the most widely used applications of biometric systems today.

  • Financial services (e.g., ATMs and kiosks).
  • Immigration and border control (e.g., entry points, passport and visa issuance).
  • Social services (fraud prevention).
  • Health care (security measure for privacy of medical records).
  • Physical access control in institutional, government, and residential places.
  • Time and attendance.
  • Computer security (personal computer access, network access, Internet use, eCommerce, and email).
  • Telecommunications (mobile phones, call center technology, phone cards, televised shopping).
  • Law enforcement (criminal investigation, national ID, driver’s license, correctional institutions/prisons, home confinement, smart gun).

Let’s now look at some of the common myths related to biometrics, and the truth that financial institutions and consumers alike should know.

1. All biometric systems are accurate.

Unlike password-based or certified processes, which are 100% accurate, biometric systems rely on probability. Therefore, there is a certain rate of false positives (accepting an impersonator) and false negatives (rejecting an authorized individual). The accuracy can depend on the capture equipment and on physical and environmental conditions, such as age, room luminosity, sensor cleanliness, etc. The biometric resemblance between siblings and relatives can also confuse biometric systems.
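The trade-off between false positives and false negatives can be made concrete with a small calculation. The following is an added example, not code from any biometric product: the similarity scores are constructed, the function names are hypothetical, and the 1:N estimate goes beyond the text by assuming every comparison in an identification search is independent.

```python
# Constructed similarity scores in [0, 1]; not measurements from a real matcher.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.67, 0.84, 0.73, 0.90, 0.58, 0.86]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.63, 0.30, 0.71, 0.18, 0.45, 0.27]  # different person


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for the rule 'accept when score >= threshold'.

    FAR = share of impostor attempts accepted (false positives).
    FRR = share of genuine attempts rejected (false negatives).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_point(genuine, impostor):
    """Return (threshold, FAR, FRR) where FAR and FRR are closest to each other."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def identification_false_match(far, enrolled):
    """Chance that a 1:N search falsely matches at least one enrolled template.

    Assumes independent comparisons, each with the same per-comparison FAR.
    """
    return 1 - (1 - far) ** enrolled


if __name__ == "__main__":
    for t in (0.6, 0.7, 0.8):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    # A per-comparison FAR that looks small in verification grows in identification.
    for n in (1, 1000, 100000):
        print(f"N={n:>6}  P(false match)={identification_false_match(0.001, n):.3f}")
```

Raising the threshold lowers false accepts at the cost of more false rejects, and a false accept rate that is tolerable for one-to-one verification becomes significant when the same matcher searches a large enrolled population.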

2. Biometric systems are suitable for all people.

Some people cannot use certain types of biometrics because the system does not recognize their physical characteristics. Due to some unique circumstances, their biometric attribute can change, possibly minute-to-minute, making it impossible for a particular biometric system to authenticate them successfully. These people are treated as exceptions to the system and allowed to authenticate using some other method. In cases such as injuries, accidents, health conditions (such as paralysis), and others, this incompatibility might be temporary.

3. Biometric systems cannot be circumvented.

There are ways to circumvent biometric authentication systems and assume the identity of another person. These procedures and techniques include masks, 3D-printed models, images, videos, or footprint reproductions, which often do not require extensive economic resources or technical knowledge. These adversary techniques are specifically designed to deceive image recognition systems and can be used to circumvent biometric identification. However, companies today use sophisticated liveness detection capabilities to fight presentation attacks or spoofs.

4. Biometric information is not exposed.

Unlike a password or certificate-based process, most biometric characteristics can be exposed or captured at a distance because the face, footprints, and thermal footprints are not usually hidden or protected. Though much of the population does not circumvent biometric tracking, some individuals can actively circumvent biometric systems with available technologies and resources.

5. Biometric systems are safer.

Biometric systems can suffer a security breach if any of the multiple systems involved in the collection, transmission, storage, or processing of biometric data is compromised. If the biometric information is stored in an increasing number of devices, this greatly increases the probability of a security breach.

6. Biometric authentication is only for security.

There are myriad ways that biometric information can be put to productive use. It can be used to customize the user experience or to select preferences. For example, in a car, scanning a fingerprint on the start button sets the seat, mirrors, and infotainment options to match the user. In a smart home, scanning the fingerprint can unlock a door, start music or preferred lighting, and restrict access to home features or locations.

7. Companies can share biometric data.

Biometric data has stronger legal protection. As per the European Union’s General Data Protection Regulation (GDPR), sharing personal data is lawful only if either consent is given or another legitimate basis exists. Under the law, you have the legal right to be informed about how your data is being used. You can also legally halt or restrict the processing of your data and object to how it is being processed in certain circumstances.