Biometrics: Today’s Choice for the Future of Authentication
The options currently available for user authentication fall within three categories: authentication through something that the user knows, such as a PIN or a password; something the user has, such as a token with random codes, a flash drive or a proximity card; and something the user is identified by through the use of biometrics or something physically unique to the individual.
Today’s system security professionals speak of passwords being too weak; this means that authentication, which for years has been the most widely used tool to protect data and systems, has been often proven too easy to break or too impractical to use when systems administrators enforce long, complex and unmemorable alphanumeric passwords. Tokens and other devices have also proved not always effective due to the cost of production and distribution and the possibility of being stolen and used fraudulently. So what are the alternatives? Biometrics, for one, can be used for password replacement. This is an ideal solution for identity-based authentication of computer users as it is for securing a computer facility.
The article focuses on understanding why so many people and businesses depend on biometrics to provide the highest level of security, and it will address some of the new developments in biometric science that may just help boost its acceptance and offset some of its shortcomings, as well as address where the future lies for this type of technology. The uncertainty today is whether biometrics will play an important role in the future.
Biometrics Exposed: How it Works for User Authentication
Biometrics is the science and technology that analyze human body characteristics. It is based on measuring and analyzing biological and behavioral data. Biometric recognition simply draws on patterns and measurements (characteristics that are unique to individuals) for authentication. Many security experts agree that user authentication by means of linking a person to his/her body part(s) to establish an identity is a preferred method to enhance security. In many cases, in fact, biometric-based personal identification/verification technology even eliminates the need for usernames or passwords. As a logical control, biometric systems can provide entry into systems; as for physical security, they come handy to control access to secure areas.
Biometric progression requires two stages: “enrollment and “authentication.” The first phase comprises of a capturing and an extraction stage. A user is enrolled by having biometric data collected through a device that records distinctive physical characteristics and/or behavioral traits. Video-optical images or thermal imaging scanning are examples of what can be used for this purpose. Data are extracted from the sample and a template is created. Data are then stored in a database where each template is linked to a person for future identity matching.
The second part of the process is the authentication when data extracted are compared with the stored template so the individual can be identified or verified. This phase also is comprised of two stages: comparison (the template is compared to the sample) and the match/non-match decision. Fundamentally, the course of action is detection, recognition, verification, and then validation.
Examples of biometric data that can be used for identification and authentication are fingerprints, facial recognition, iris scans and even vein scanning. These biometric traits are seen as especially “unique” identifiers for recognizing humans.
Most biometric techniques are implemented using a sensor, which is used to scan, identify and authenticate someone to a system or entry point, only after having compared the extracted physical or behavioral feature-set against stored templates residing in a database.
In general, biometric methods are exceptionally reliable for a positive identity match. A false-positive or false-negative is rare, although possible, depending on the accuracy of the biometric systems and sensor characteristics. Although the hardware needed to implement biometric verification can be quite expensive, this type of technology has proven worth the price.
As with all electronic technologies, biometric devices can be fooled by impostors, but they are still becoming more commonly used at business locations and in work centers as trusted recognition systems that are sustainable in the long term to control access to high-security areas and, more importantly, to prevent identity theft.
Types of Biometrics: Physical and Behavioral Traits
There are two main types of biometric traits used for verification: physical traits, more commonly used so far, and behavioral, solely based on measurements and data derived from an action or series of actions performed by users. Physical biometrics uses “biological properties” that can uniquely determine an identity. Behavioral biometrics is based on “characteristic traits” exhibited by a person that can lead to his or her identification.
Physiological biometrics includes face recognition technology and finger- and hand-scan in addition to the measurements and data derived from patterns of the iris or retinal scan that reads the blood vessels in the back of the eyes for identification. Physiological biometrics (in particular fingerprints and DNA) is already widely used in forensics for criminal identification.
Fingerprints, for one, have been used for years to prove an individual’s identity electronically based on unique biological characteristics. The method has been used to distinguish one individual from another, as no two people have the same fingerprints. Fingerprint scanners can capture the user’s finger imprint to compare the person’s identity with a created unique biometric template. A person’s fingertip has come to be the most widely used biometric data.
Behavioral biometrics includes voice-scans, signature-scans and keystroke-scans. The human voice was found to be a viable authentication thanks to the possibility of being recognized through unique voiceprints. Although effective, it is less secure than other behavioral traits like a keyboard-scan, for instance, that has no user interference. Signature and keystroke scans can help recognize individuals by analyzing the way they write or by patterns in keystroking.
Privacy, Concerns and Security Issues
The biometric authentication technique based on “something users are” is considered the most secure method over a PIN or passwords and smart card technology for physical and logical access control. Every so often, an uncovered password has led to a compromised system, while the use of cards has made information vulnerable when lost or stolen.
Biometric traits are normally unique and permanent and hard to reproduce, especially in view of advances in technology, data communication security and biometric extraction devices. According to Biometrics.gov, the central source of information on biometrics-related activities of the U.S. federal government, “most biometric systems have a high accuracy (over 95 percent and many approach 100 percent) when matching biometrics against a large database of biometrics and when matching a biometric against the originally enrolled biometric.”
The advantage of biometric security over more conventional systems is that it is easier to use for authentication situations, and yet it offers improved reliability and strengthened information delivery capabilities. Despite these advantages, there are, however, open issues involved with these systems, some technical and some privacy-related.
Much of the skepticism that surrounds biometric technology has to do with the privacy concerns on storage, transmission and utilization of data that are perceived as extremely personal. Users are mostly concerned, especially now that the technology has been introduced in the mobile device world, about the safety of their unique identifiers and about the efficacy or lack of laws that govern use and misuse of personal bio data. Another source of concern is the increased use of biometrics in health service facilities and government, especially when mobile biometrics technology is used to verify identities anywhere on the go. The concern regards storage of data and their transmission to mobile devices. For the most part, the fact that information on people’s body features and behavior traits are recorded has been always a concern for many people worried about their privacy.
Many see the storing of data and records as an infringement of privacy and personal rights. Biometric factors that are unique to a subject could lead to the development of tracking or monitoring of somebody’s movements from that point on. Some fear biometric data be accessed and misused.
Users have expressed concerns over a number of biometric-related issues and possible forgeries. Authentication based on a signature-scan that analyzes handwritten text is often seen as simple to spoof, as forgeries are possible by a simple optical scanner or a camera. That may be why digitized electronic signature generation, even if considered legally binding on documents, is not widely used, and other behavioral biometric technologies are now used in its place.
A fingerprint reader that is embedded on the laptop or keyboard or added through a USB port is a good alternative. However fingerprints could also be compromised, as fingerprints can be lifted from touched items by an imposter looking to gain fraudulent access to resources.
Voice biometric systems unfortunately are sometimes prone to loud ambient sounds or low-quality inputs that tend to interfere with the ability to successfully record a usable sample. A voice biometric system could also be tampered with by someone able to record another’s voice, and play it back later to gain entry. Other difficulties come from input sensors being too sensitive, for example, to aging or facial expressions.
These are all valid concerns related to the use of biometrics technology. It is true that biometric traits have been spoofed; however, they are definitely more secure than many other systems of authentication because they are natural, physically or behaviorally linked to a person. Reproducing them requires sophisticated techniques and advanced technology knowledge that is not required to spoof and crack other methods (as getting hold of a token or stealing passwords is a much simpler feat in comparison).
In biometrics, what is stored is not an exact image of what has been scanned (the fingerprint, the retina, etc.) but a collection of binary numbers created when scanning; this extra passage is devised to prevent malicious hackers from reproducing exactly the image from which the numbers were extrapolated.
Knowing humans are often the weakest link in the security chain, password-based security mechanisms (that can be cracked, reset, and socially engineered) might be substituted by biometrics that can be a natural, effortless, and much more accurate way to authenticate.
Biometrics is often seen today as an additional layer of protection to add to other, more traditional, authentication systems like passwords and PINs. Using a second (or even a third) authentication mechanism may provide a much higher level of security to verify the identity of a user. What the future might hold is a shift from multi-type secure authentication to simply using synergistic multiple biometric systems.
Unimodal biometric systems are based on identification through only one trait. This is obviously not as accurate as we could wish and might not be adequate to all applications and uses. Also, if collection of that single data is affected in any way (for example by cream on hands that are fingerprint identified or by noise when collecting voice), accuracy would be limited. In addition, collecting only one type of data could exclude part of the users population when particular disabilities are present.
The possibility of spoofing a single biometric data is higher than that of compromising more. This is why a multimodal biometric system that uses more than one trait for identification can be more reliable and resolve ambiguities and accuracy concerns.
Advances in behavioral-based (dynamic) biometrics are also giving new life to this technology and are providing better and more accurate ways to authenticate users. Finger writing is a good example. This is a recognition verification system based on gesture movement, comprised of a system able to learn a user’s unique way of writing by collecting data through subsequent logins. The user is asked to handwrite four characters using their fingertip or pointing device, and the software is able to extrapolate the unique way these letters and numbers are written (length, speed, angle, height). Tests on this system have shown it is actually one of the most accurate systems of recognition available. A research by Tolly Group, a testing and third party verification provider, for example, has found a confidence rating of 99.97% and 27 times greater accuracy than keystroke analysis.
The trend is (in order to ensure less possibility of spoofing, replication of physical traits and privacy concerns) to base biometrics systems on the collection of non-physical, dynamic traits. For example, the US military is developing a “cognitive fingerprints” system that might be able to replace the use of faces, fingers and irises as an identification trait.
In West Point, in fact, an algorithm is being developed that allows identification through the way individuals interact with their computers; it considers behavioral-based information such as typing speed, writing rhythm and even common spelling mistakes. The algorithm is able to create a unique fingerprint for each user by putting together multiple behavioral and stylometric information that, collectively, are very difficult to reproduce.
Once fully implemented, this solution could transfer from military use to civilian, more mundane applications in e-banking, access to services and to secure devices. Will the privacy concern be solved? Not really, as many believe collection of this type of data could easily be embedded in applications commonly used by users and create concerns for widespread classification of users. Privacy vs. Security will be the battle to be fought for these systems’ implementation.
Nevertheless, biometric technology could soon become mainstream thanks to the growth of the mobile devices market. Biometrics Research Group, Inc. estimates that the sale of smartphones, in the U.S. only, will grow to 121 million in 2018. Due to this proliferation and to the increased functionalities they offer their users, their analysts believe there will be a strong push toward the integration of biometric technology to replace traditional authentication via pin and password. Biometrics Research Group, Inc. predicted that already in 2014 over 90 million smartphones would be shipped with biometric technology, while Goode Intelligence has forecasted that by 2019 the number of mobile and wearable biometric technology users in the world will reach 5.5 billion.
Today, biometrics matter more than ever before. In this digital-driven era, more users will come to rely on biometrics as an answer to problems concerning systems security and authorization matters. Although privacy, security and accuracy concerns are still valid, biometrics is still a system that promises the security and ease of use necessary for modern users needing access (even on-the-go) to sensitive data.
Biometrics is already hard to forge or spoof, and new advances in technology and new trends like multimodal can really ensure the highest security that sophisticated authentication can give to facilities and computer networks. As scanning devices are made less prone to mistakes and less subjected to sensor error, it will even become easier and faster to implement a biometric security system on a larger scale. This, coupled with its use on mobile devices, will ensure the technology is used for a wide variety of new scopes, including border and law enforcement controls.
Although biometrics may be susceptible to false matches, possibly due to scanning and sensor errors, there are ways to minimize this, currently, by utilizing multi-factor options like a password or smartcard combined with biometrics to add an extra layer of security towards authentication. If used together, and not alternatively, the systems are significantly stronger than when used individually.
Two-factor authentication is not a new concept. Newest trends, however, see multi-biometrics (the use of different sets of biometric data simultaneously) as a good alternative to increase matching accuracy for identification and verification. Multimodal biometrics systems, which use multiple sensors for data acquisition, offer multiple recognition algorithms and take advantage of each biometric technology while overcoming the limitations of a single technology.
Advances in algorithms considering dynamic biometrics that are less linked to physical characteristics but more to behavioral traits is where civilian and military researchers are concentrating their efforts in trying to devise a security system that is, at the same time, foolproof, reliable and quick to use. The call for quicker and more secure authentication systems for mobile devices will also boost the adoption of biometric technology.
As biometric devices become more secure and error-free as well as more affordable, the extra security that they can provide, ultimately, will outweigh any shortcoming of this technology as well as problems and concerns on privacy and safety. We might be closer to the end of passwords.
Brecht, D. (2011, January 4). Biometric Devices: They Provide IT Security. Retrieved from http://www.brighthub.com/computing/enterprise-security/articles/77000.aspx
Duncan, G. (2013, March 9). Why haven’t biometrics replaced passwords yet? Retrieved from http://www.digitaltrends.com/computing/can-biometrics-secure-our-digital-lives/
FRMC. (2014, September 11). Biometric Signature Authentication: The New Modality of Choice for Safe Guarding EMR Access. Retrieved from http://www.firstreportnow.com/articles/biometric-signature-authentication-new-modality-choice-safe-guarding-emr-access
ID Control. (n.d.). Biometric Authentication method Pro’s and Con’s. Retrieved from http://www.idcontrol.com/keystroke-biometrics/biometric-authentication-method-pros-and-cons
Mayhew, S. (2014, August). Special Report: Mobile Biometric Authentication. Retrieved from http://www.biometricupdate.com/201408/special-report-mobile-biometric-authentication
Memon, S. (2014, February 28). Use of Mobile Biometrics Systems for ID Management in eServices. Retrieved from http://www.researchgate.net/profile/Sander_Khowaja/publication/260079452_Use_of_Mobile_Biometrics_Systems_for_ID_Management_in_eServices/links/00b7d5348eed55220b000000.pdf
PYMNTS. (2015, January 29). Next in ID Verification: Behavioral Biometrics. Retrieved from http://www.pymnts.com/news/2015/next-in-id-verification-behavioral-biometrics/#.VO8RT010yUl
Seals, T. (2015, January 29). US Military to Replace Passwords with “Cognitive Fingerprints”. Retrieved from http://www.infosecurity-magazine.com/news/us-military-passwords-with/
Shahnewaz, M. (2014, December 14). How Mobile Biometrics is Fundamentally Changing Human Identification. Retrieved from http://www.infosecurity-magazine.com/opinions/how-mobile-biometrics-is-changing/
Trader, J. (2014, August 1). The Top 5 Reasons to Deploy Multimodal Biometrics. Retrieved from http://blog.m2sys.com/important-biometric-terms-to-know/top-5-reasons-deploy-multimodal-biometrics/