Companies have used passwords to secure their data and assets for a long time. But password security has grown less effective as processing speeds have accelerated and cryptanalysis methods have improved. Consequently, a more advanced authentication technique is required. Biometrics is one such method. This article delves deep into biometrics, discussing its challenges, applications, and why we need to implement it as a critical authentication method. Read on.

Biometrics is an authentication factor that uses human behavior and physical attributes to identify a user. We can use several physical characteristics, but not all provide the same level of protection for an organizations resources. Nor are all scanning technologies suited for all business environments.

In this article, we have examined each approach to measuring biometric characteristics, the challenges with each, and the role of biometrics in overall identity management.

For decades, organizations relied on passwords to protect information resources. However, the increase in processor speed and improvements in cryptanalysis have made passwords weak protection, as the NIST describes in their password use guidelines.

The need for something more resulted in the creation of other approaches and divided all associated authentication factors into three types.

Type I Something you know (passwords, PINs, passphrases, etc.)

Type II Something you have (token, certificate, one-time password generator, )

Type III Something you are (biometrics: fingerprint, vein pattern, iris pattern, )

Each type has advantages and disadvantages, often resulting in higher than the acceptable risk when protecting highly classified systems and data, making using two or more factors necessary.

Biometrics is just one factor, a factor that has challenges of its own. Consequently, it is not an authentication silver bullet, often requiring an additional factor, depending on solution characteristics and the risk you are trying to mitigate.

See More: Deepfakes: Can Biometric Authentication Defeat the New Cybersecurity Nightmare?

Before looking at specific biometrics solutions, it is essential to understand their common characteristics and challenges, including error rates, effectiveness, advantages, and disadvantages.

First, each biometrics solution has three associated error rates, as shown in Figure 1. False rejection rates (FRRs), known as Type I errors, are the rate at which an authentication system fails to verify the identity of an authorized user. A Type II error, the false acceptance rate (FAR), is the rate at which the authentication system incorrectly authenticates unauthorized users. The crossover error rate, or CER, is the point at which the FAR and the FRR are the same.

Figure 1: Biometrics Error Rates

As we increase the sensitivity of the biometrics sensors, the sensors scan and measure user characteristics, the FRR increases, and the FAR decreases. In other words, as we try harder to prevent unauthorized users from getting authenticated, we frustrate our users, reducing their productivity as we increase the number of times an authorized user fails to authenticate.

The CER varies across the characteristics measured and the available vendor solutions. When selecting a solution, it is crucial to understand the risk associated with the error rates and choose the one that fits the specific application within your organization.

The placement of sensors is an important consideration. For example, placing fingerprint sensors that require placing a finger on a surface is not a good solution for many manufacturing environments. Ambient oil and other substances find their way to fingers and sensor surfaces, causing error rates to spike.

Further, environmental conditions can affect the characteristics scanned. Abdarahmane Wone et al. documented research in which they found evidence that features examined under different environmental conditions, other than those present when the person enrolled into the biometrics system, appeared different to scanners. I will cover enrollment later in this article.

Environmental considerations are important and should be discussed with any vendor presenting her solution for review.

It is not just picking the wrong solution that can cause your biometrics efforts to circle the drain. Failure is imminent if you lose management support or users simply refuse to use it.

One of the biggest reasons users resist biometrics is their belief that the organization collects and stores information about one or more of their physical characteristics. We must inform our users about how the process works and how it protects their information.

Another challenge involves cultural norms that vary from country to country and between cultures, affecting what individuals view as acceptable. Organizations must understand what resistance there might be to body part scanning and plan authentication efforts accordingly.

Managers begin to join other users in biometrics resistance when the solutions implemented hinder production, caused by multiple attempts to authentication or failure to recognize scans. Properly tuning your error rates, correctly assessing what works and what does not within specific work environments, and providing quick workarounds when biometrics fail all help prevent managers and employees from storming your office in a biometrics revolt.

There are two basic biometrics processes: enrollment and authentication.

Before an employee uses a biometrics solution for authentication, the organization must enroll him. Figure 2 shows a general enrollment process.

After the administrator creates an Active Directory account for the new hire, she begins the biometrics enrollment process.

Figure 2: Enrollment

Figure 3 shows that using the reference template for authentication is straightforward.

Figure 3: Biometrics Authentication

The UK National Cyber Security Center (NCSC) describes different approaches to attacking biometrics.

Not all biometrics solutions are susceptible to all of these attack vectors. In any case, the following section provides ways to strengthen each type of biometrics. The key takeaway, however, is that biometrics is not a completely safe authentication factor, with the risk associated with what is used, the quality of the sensors, and the processing algorithms.

According to Encyclopedia Britannica, a fingerprint is the collection of papillary ridges on the ends of the fingers and thumbs that enable us to grasp objects securely. The arrangement of these ridges, as shown in Figure 4, differs between individuals, providing unique identification.

Figure 4: Fingerprint Patterns (Encyclopedia Britannica)

Although there have been some claims that fingerprints are not unique, there is no credible evidence to support these claims. However, it is not difficult to create artifacts for fingerprint solutions that only check for patterns, ignoring checking to see if the patterns are actually part of a living person.

Organizations can strengthen fingerprint recognition efforts by

As shown in Figure 5, humans have a set of facial characteristics that organizations can use to authenticate their identities. 2D scanning includes

Figure 5: Biometrics Characteristics (TechSmith Assets)

Facial recognition does not require physical contact with the scanner. Users can often just simply sit in front of a device for facial recognition, requiring no special interaction.

Facial recognition, like fingerprint recognition, can be forged with facial artifacts created by threat actors, artifacts created using photographs or other media. The use of artifacts to bypass recognition is known as a presentation attack.

When evaluating a solution, one of the first things an organization should consider is its ability to defend against presentation attacks, taking steps to ensure the presence of a live human face, not an image, in front of the camera. According to Kevin Bonsor and Ryan Johnson, one approach is to use 3D scanning that looks at additional characteristics, like the curves of the eye socket, nose, and chin. Another is the use of video capture algorithms that detect nodding and blinking.

Stephen Mayhew writes that hand geometry is the longest implemented biometric type, debuting in the market in the late 1980s. However, the hand is not distinctive enough to use as a strong biometrics authentication in most solutions.

Hand scanning devices measure an individuals hand length, width, thickness, and surface area, capturing images of both the hands top and side.

Eye characteristics are unique, but iris and retina scans are not equally resistant to presentation attacks.

The iris, as shown in Figure 6, is the colored area around the pupil. Each persons iris is as unique as their fingerprint, and users often do not need to touch a scanner to authenticate. Another advantage is the lack of change over time in the iris patterns. However, iris artifacts can be created, making live-eye detection or a second authentication factor necessary for high-risk situations.

Figure 6: Iris (By Smhossei Own work, CC BY 3.0, Source)

Retina scans are intrusive, requiring the insertion of a harmless beam into the back of the eye to scan the retinas blood vessels. Figure 7 is an artists interpretation of the patterns inside the eye. This intrusion can cause users to refuse to use the scanner. An upside, however, is that it is as yet impractical for a threat actor to rely on an artifact during a retina scanning attack.

Figure 7: Retinal Blood Vessel Pattern (Retina Associates)

Eye scans are fast with low error rates. However, they can be costly for general use across an organization and more suitable for high-risk or quick access needs.

Vein recognition, also known as vascular biometrics, is very accurate, nearly impossible to fool with artifacts, fast, and with falling costs, making it a good alternative for fingerprint recognition. Using the subcutaneous blood vessels of the human body that create patterns unique for each individual, scanners typically use fingers or hands for authentication.

Figure 8: Vein Recognition (Parihar & Jain)

Although behavior recognition solutions are generally considered relatively weak, they can be used as part of zero-trust access control, providing periodic verification of a user without any pause in their tasks. Keystroke dynamics and voice recognition are two common approaches.

Keystroke dynamics uses a software agent placed on the users device. The agent measures overall typing speed, variations in how the user moves between keys, common typing errors, and the length of time keys are depressed. Solutions that continuously assess typing patterns provide authentication verification during the entire time a user is authenticated.

Voice recognition uses users voice prints for authentication. Threat actors can easily capture voice samples, patch needed phrases together if needed, and successfully launch a presentation attack.

See More: How Cloud-Based Biometrics Streamline Identity Management

My descriptions above are general statements about the different biometrics approaches. They, and the comparison information provided in Table 1, are contingent upon emerging technologies and the differences between solution vendors. It is essential to ask the right questions. Know what you are getting.

Table 1: Biometrics Comparisons

Biometrics can be a practical, easy-to-use authentication factor. However, not all environments are suited for every approach. Before selecting a solution, understand the environment in which it will operate, and the daily condition of the physical characteristics scanned, avoiding issues like fingers covered with oil or other substances. You might need more than one solution, each fitted to its operating environment and the risk associated with accessed resources.

One of the biggest challenges you will face is user non-acceptance based on privacy concerns. Management at all levels must understand and support the effort. Users must be trained and understand why something new is entering their work habits and the steps taken to protect their privacy.

One way to get managers and other employees on board is to involve them in the decision-making processes, starting with the review of the risk assessment, through requirements definitions and feasibility studies, to the selection of the final solution (or solutions).

Does your company have a powerful biometric mechanism in place? Let us know on LinkedIn, Facebook, and Twitter. We would love to hear from you!

Read more:
Biometrics: Why Are They Needed and Top Practical Applications - Spiceworks News and Insights