0

Biometric Authentication: Exploring the Various Types

Authentication
Mark Furfaro
Nov 23, 2023
Biometric Authentication: Exploring the Various Types

Biometric authentication has fast become one of the most commonly used and accepted methods of authentication. It uses specific characteristics of a person, such as facial features, voice, and fingerprints, to validate one’s identity. In other words, biometric authentication leverages “something you are” rather than “something you know” or “something you own” to validate users.

So how does it actually work? In practice, biometric authentication typically uses a system to validate user biometrics against their stored biometric data, often in the form of a biometric template (an encrypted copy of their true biometrics). Since biometric data is hard to fake and templates protect a user’s biometric identity, a biometric authentication system, when deployed correctly, provides high levels of both security and privacy.

With the basics covered, let’s go through the different types of biometric authentication, and how different industries implement biometric authentication into their processes.

 

Fingerprint

Fingerprints have been thoroughly explored and proven as a reliable means of identifying and authenticating individuals. They have been effectively used by law enforcement for over a century to identify individuals in a highly regulated and critical industry. This is now often done using fingerprint readers, which are designed to read, register, and recognize the unique patterns formed by the ridged skin of human fingertips.

The mobile device and laptop industry is an example of how fingerprint biometrics has established itself as a trusted authentication method. Within this market, fingerprint reader and authentication technology have evolved at a rapid pace and become ubiquitous, to the point that you can now login into various devices, in less than a second, with one tap of your finger.

When considering the ease of use factor, security and privacy features, and industry standardization, it’s no surprise that fingerprints are often chosen by businesses as a go-to authentication factor. That being said, this method is not without its weaknesses. For example, fingerprint biometrics are susceptible to infallibility and spoofing, require the need for physical contact, and can present potential privacy concerns if the biometrics are stolen.

 

Facial Recognition

One of the most intuitive types of biometric authentication is facial recognition, as it is how humans typically identify each other. Major advances in technology and computer vision have made this method viable for most enterprise applications. This can be seen in the meteoric rise of facial recognition and authentication systems introduced to the mobile device market.

While the process may seem quite simple for the end user, requiring them to only look at a camera, there is actually a lot going on behind the scenes. Here is a breakdown of different steps that a typical facial recognition system will use to authenticate a user.

  • Detection: First of all, the software needs to detect the presence of a face and locate it in the image. This is not always easy when the lighting is too dark or too bright, or if accessories like hats or glasses get in the way.
  • Extraction: Once a face is detected, it captures the image of the face and extracts a number of features from the image. These features could, for example, be the distance between the eyes, the shape of the nose, and the contours of the face. Though, in general, the features extracted by the computer do not necessarily have an obvious meaning to a human.
  • Registration: At this point, the software will either register these features into its system if the user is setting up its authentication for the first time (biometric enrollment) or compare them to an existing set of data that was previously acquired (verification).
  • Validation: In the latter case, the software will return a simple response depending on whether the provided biometric data matches its existing facial features or not.

Advantages of Facial Recognition

Just like many other biometric methods, one of the greatest advantages of facial recognition is that it provides the end user with a significantly better user experience. More specifically, facial recognition provides an authentication factor in the form of something that you are that is easy to present. This provides a notable benefit for users when compared to common knowledge-based authentication factors that we are used to like passwords, which require you to remember and or store countless complex credentials.

Another benefit is acceptability since people tend to better grasp the idea of identifying someone through images, while also being more willing to provide a picture rather than something like a fingerprint.

However, there are some risks associated with facial recognition.

  • Data breach: Similar to other biometric methods, one of the biggest risks is the fact that, once your biometric data gets stolen, you cannot simply use some new facial features without costly surgery. This has important privacy implications as an increasing amount of surveillance technology is installed in the world, which provides an additional opportunity to link digital identity to a biometric factor.
  • >True-fakes: Beyond surveillance, the rise of social media and the massive volume of self-publication of pictures makes for a great building block to create “true-fakes”. With the recent success of generative AI tools and services, it has become quite easy to understand how this may become more problematic as threat actors attack authentication systems relying primarily on facial recognition.
  • Accuracy: Facial recognition is often based on an accuracy/precision level that accepts more or less individuals as a valid match, therefore creating the opportunity for false positives. It is worth highlighting that this risk is not inherently about facial biometrics themselves, but rather largely depends on factors such as the resolution of images used, the distance from the camera, the angles, and the datasets used to train the model.
  • Aging and other changes: Another particularity that plays against facial recognition is the fact that it is one of the biometric factors that evolves the most and at a fairly fast pace.”Even a significant change in make-up could affect the accuracy of some systems.” This often opens up the door to a situation where facial recognition systems reduce their accuracy in favor of the broader acceptability of an individual’s biometric trait.

Voice Recognition

Let’s now dive into voice recognition as a form of authentication. This method usually consists of a particular technique that analyzes some elements of a user’s voice to determine whether access to a specific system should be granted or not. These elements of the voice are analyzed in combination and include the following:

  • Duration
  • Intensity
  • Cadence
  • Selection of words
  • Speech dynamics
  • Pitch

Compared to facial recognition, this is a less common authentication factor. However, it is often implemented in virtual assistant technologies such as Alexa and Siri, which will only respond to the voice of those they recognize as the owners of a specific device. Voice recognition provides the user with a hands-free authentication method, which is ideal for virtual assistant technologies in households.

Efficiency

Besides the obvious reason that popular virtual assistants are voice-activated, one of the reasons to use voice recognition resides in its efficiency in quickly analyzing a voice that belongs to a known or expected user.

Identification

On the flip side, voice recognition is usually underperforming in identification scenarios. Most systems implementing it will use it in a contextual authentication, where another element, usually a factual element rather than an authenticated claim, is used to identify a small subset of potential matches and then perform the analysis to confirm the results.

Manipulation

However, voice recordings can be manipulated and spoofed by malicious third parties and voice recognition exposes itself to inherent replay attacks. An approach to solve that problem is to use random generative speeches but they are often overlooked in favor of increased usability.

Voiceprint and spoof-resistance

Voice recognition system providers often leverage what is commonly known as voiceprint—a cryptographic representation of the anatomical and acoustic factors that make the voice of each person unique. They often claim that they can be spoof-resistant using different variations of this approach, often leveraging acoustic characteristics to identify a genuine speech versus one that is being played back through a device.

With that said, there’s another stigma that persists around voice and speech recognition when looked at from a privacy standpoint.

Privacy concerns: Once again, systems that favor ease of use or user experience will try to remove any user-activated mechanisms to launch voice recognition. This forces these solutions to have a microphone continuously recording and listening to an incoming audio input and be ready for comparison when required. This is often one of the biggest privacy and security concerns that comes with the use of voice biometrics and probably explains why voice recognition has not reached the highest level of popularity in secure environments.

Voice recognition here is also prone to fail for those who have a specific medical condition affecting their voice. Finally, while audio recordings are less likely to produce large-scale input datasets, high-value targets are often more “vocal” in the media, and snippets of voice can be easily obtained to be used in “deep fakes” or imitations.

 

Iris Scan

Iris scan is a frequently used factor in biometric authentication in the physical access industry. It uses lights to expose the unique patterns in human irises created by:

  • Tiny blood vessels
  • The pigment of the iris (your eyes’ color)
  • The surrounding circular muscle (sphincter) that controls the size of your pupils
  • Other features.

Iris scan is considered to be a very accurate and precise type of biometric authentication since it analyzes an extremely complex combination of texture, pigmentation, fibrous tissue, and blood vessels within a portion of the human eye. Similar to many other kinds of biometric authentication, an iris scan is used as one of the factors in two-factor authentication and multi-factor authentication. However, this authentication method is significantly less common than other ones.

The related data in iris scans are usually captured with special equipment and the human eye can be as far as a few meters from the device. This has been considered by many as a major concern since the data from irises can be collected by anyone without the necessary consent. It also typically drives the cost and complexity of deploying such a solution for broader use. That said, it has a fairly low false-positive and can be useful in very secure use cases.

 

Retina Recognition

Similar to the iris scan described above, retina recognition is an authentication method that leverages the unique features and patterns of a specific part of the eye, the retina. While the iris scan focuses on the colored circles that we all have in our eyes, retina recognition focuses instead on the back part of this organ. Specifically, retina scanners will highlight the blood vessels and texture of that membrane that capture the light before sending it to your brain that represents it as an image. This implies a couple of very important distinctions.

  • Great accuracy: Retina recognition is considered much more accurate (the estimated error rate is one in ten million). In fact, retina recognition is one of the common authentication methods for many government agencies such as:
    • Central Intelligence Agency (CIA)
    • National Aeronautics and Space Administration (NASA)
  • Tamper-proof: Retina scans are considered almost impossible to fake—which is why they are usually used to protect physical access to restricted locations.

Such increased accuracy and security, however, does come with a cost in terms of usability and financial resources. In fact, while an iris scan can happen as far as a couple of meters away from the device, a retina scan requires the user to be very close to the device (which is usually quite expensive) so that it can cast an unperceived beam of low-energy infrared light into the eye.

 

Gait Recognition

Gait recognition is probably one of the less-known recognition methods available today. With gait recognition, a system is able to detect and recognize the walking patterns of users by looking at their walking style and pace. This is done by identifying human silhouettes and running their movements through dedicated algorithms that can match these to previous gait patterns.

  • Different use cases: Although this specific type of technology is currently used more for surveillance purposes and for medical applications such as physical rehabilitation and medical research, an increasing number of businesses are considering it within their security systems to add an extra layer to their authentication methods.
  • Surveillance: It can be applied to video surveillance systems to track an individual in a crowd and has better identification capabilities than facial and voice recognition.
  • Adoption: Although this method has some significant advantages such as ease of use (since the end user barely has to interact with the device), it is still not very commonly adopted and has a hard time being integrated into authentication use cases.

Comparing Biometric Authentication Types

All of the different biometric methods described above have their own advantages and disadvantages. Whether it’s high costs to achieve the best levels of security or a system that is more convenient and user-friendly, choosing the right one will entirely depend on your specific needs.

Similar to any other types of authentication methods, various biometrics can be combined with each other to increase the level of protection in a system. Of course that will come with a cost—both in terms of money, as well as processes.

Implementation Considerations

As mentioned above, it is important to take into account all the possible factors that could influence the decision of what system makes the most sense for a specific purpose.

  • Regulations: Depending on the jurisdiction where you are operating, you might actually not be able to use some of these methods—or the cost of properly implementing them might be too expensive. This is because of the strong privacy laws that some countries have implemented in their territories to protect user data and personal information. A very well-known example is the European General Data Protection Regulation, which establishes some limitations on the use of personal data for businesses.
  • Nature of the business: Another significant factor might be the nature of the business, how often the authentication process occurs, and what needs to be protected. Some businesses might have different needs because of the more dynamic nature of their operations, while other ones may not mind a more burdensome process to achieve higher levels of security.
  • Accountability: Accountability should be an important consideration when using biometric systems. This means that clear policies and procedures should be put in place. It’s also important to have a solid mechanism for oversight and review.

The Benefits and Risks of Biometric Authentication Data Table

Benefits Risks
Enhanced Security: Biometrics offer high accuracy in identity verification Privacy Concerns: Collection and storage of sensitive biometric data
Convenient and User-Friendly: Faster and easier authentication process Vulnerability to Spoofing: Potential to deceive biometric systems
Decreased Dependency on Passwords: Reduces password-related risks Implementation Complexity: Integration challenges in some systems
Non-Transferable and Unique: Biometric traits are individual-specific Cost of Implementation: Initial investment in biometric technology

Biometric Authentication Use Cases

All these different types of biometric authentication have been used by several industries over the years. Some of the most commonly implemented biometric authentication methods can be found in the financial services industry, insurance, healthcare, and public security. Public administrations in China and other countries in the world actually use biometric authentication methods such as facial recognition to implement e-identity systems as well as for signing documents electronically.

It’s also quite common to find biometric authentication methods in the travel and hospitality industry—where identities are verified in such a manner at airports and hotels. For example, the U.S. Customs and Border Protection uses facial recognition for anyone who is entering the country through its airports. During the past years, we have also seen an exponential increase in the number of systems that use biometric authentication for remote work and e-learning after the COVID-19 pandemic.

Another very common area where it is used is on smartphones, where facial recognition and fingerprint scan technologies are becoming ubiquitous and no longer simply a nice-to-have feature for the average consumer.

Advancements and Future Trends

For several decades, biometric technology has been consistently used and improved by a number of actors and industries. Some of these types of biometric authentication were mostly seen in the science-fiction world during the last century and we only knew about them because of spy movies. Today, they are increasingly becoming part of our lives.

We can expect the technologies for biometric authentication to continue improving in the future and for these systems to become more accessible and user-friendly. For example, AI and machine learning are promising to unlock new methods that we previously didn’t know were usable or feasible, such as gait recognition.

More and better types of biometric authentication can also mean better fraud detection and prevention. While the privacy concerns about these methods deserve a great deal of attention, many will argue that these technologies overall are a net positive for our digital lives.

Conclusion

We saw all the different types of biometric authentication (such as fingerprints, facial recognition, iris scans, and voice recognition) and the different tradeoffs that come with them such as convenience, ease of use, and privacy concerns. As these technologies get better, we can expect an increased number of users to be using them and better securing their data and digital lives—especially when compared to traditional password-based authentication systems.

To conclude, here are some of the key aspects of biometrics:

  • Common concerns: User acceptability and privacy concerns were raised with regard to the capture, use, and storage of biometric data.
  • Compromised data: An inherent problem of using a “something you are” factor is that if/once the data is compromised, it is hard or prohibitive to get new ones if at all possible.
  • Failed verification: Accidents, injuries, illnesses, and diseases can often lead to failed biometric verification. These may be temporary, but in some cases could become permanent, forcing a new issuance and enrollment of biometrics to authenticate a user.
  • Aging: As time goes by individuals may grow, age, and ultimately see significant physical changes to their bodies and behaviors, leaving them exposed to a denial of access. This will depend on the specific biometric factor that is chosen.
  • Medical conditions: As “something you are”, some medical conditions can render some biometric methods unusable or prone to failure.

Overall, biometrics are more secure, convenient, and user-friendly than traditional authentication methods such as passwords and Single Sign-On. If you run a business or an organization that requires high levels of security, you should definitely consider implementing biometric authentication systems into your operations.

At Kelvin Zero, we are building next-gen authentication and trust solutions to fully take advantage of biometric technology. With our flagship solution, Multi-Pass, we are replacing passwords with enterprise-grade, phishing resistant passwordless MFA so critical organizations can stay one step ahead of their attackers.

Book a demo today to learn more about Multi-Pass and how Kelvin Zero can help your organization integrate trust throughout all of its operations.

Mark Furfaro

Mark joined Kelvin Zero in 2019 and currently operates within our revenue operations team. In this role, Mark is responsible for aligning sales, marketing, and strategic operations within Kelvin Zero to drive growth through operational efficiency.