Biometrics can be useful as a factor in authentication, but they are far from perfect. A look at the performance and limitations of biometric authentication.
In the rush to find a replacement for passwords, biometrics has emerged as a viable authentication technology. Despite rapid advances in recent years, however, biometrics still have serious limitations. As a stand-alone technique for access control, it provides only a low level of security. Its strongest application remains as a secondary factor.
In theory, biometrics has a lot of potential. It has been around since before writing (facial recognition is second nature to us), and there are a number of physical features that appear to be unique to individuals – fingerprints, iris patterns, voice, ear shapes, vein patterns – each of which can be used for authentication, though each has its weaknesses.
Biometrics work on the principle that “there is only one you,” but reducing this to a practical technology requires compromises. All forms of biometrics operate on the “close enough” principle. While a password must be an exact match to be accepted, matching a biometric trait requires a judgment call. This leaves room for mistakes.
Although a fingerprint might be truly unique, biometric authentication doesn’t use your fingerprint (or your iris pattern, etc.). It uses a template, a set of data points abstracted at the time of enrollment. This template is compared with similar data points gathered during each authentication attempt. Because of the possibility of differences and errors in data being gathered, there is a margin of error as the application decides whether there is a match. If you misspell the name of your family pet or insert a typo in “password,” your log-in will be denied. But, if your fingerprint is off by a few data points—eh, close enough.
However, biometrics can be very accurate. Hitachi claims a false acceptance rate of 1 in 15 million and a false rejection rate of 1 in 10,000 for its Finger Vein Authentication Terminal [http://www.hitachi.com/New/cnews/month/2015/07/150701.html]. But this is a physical access control system, not easily adapted for use with a smartphone or a desktop PC. Fingerprint identification is the most commonly used form of biometric for access control, and vendors typically claim accuracy rates in the upper 90-percent range. This is pretty good, but still short of the 100 percent match required for a password.
Biometric accuracy is difficult to pin down because many matching algorithms use an adjustable match threshold rather than a fixed rule. Do you want to increase security? Require a very close match. This reduces the number of false acceptances but increases the number of false rejections. Want to keep the end user happy? Loosen the requirements. This increases the number of false acceptances but reduces the frustration of false rejections. It’s a tradeoff.
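The template comparison described two paragraphs up and the threshold tradeoff described here can be shown together in a small simulation. The following is an added example written for this page, not code from the article or from any biometric vendor; everything in it is constructed: a template is a list of (x, y) feature points standing in for the data points a real system abstracts at enrollment, a probe is a noisy re-capture of those points, the match score is the fraction of template points that have a probe point within a tolerance radius, and the population of users, genuine attempts and impostor attempts is generated from a fixed random seed. The names `make_template`, `capture`, `similarity`, `far_frr`, `sweep` and `simulate`, and the constants `FIELD`, `N_POINTS` and `TOLERANCE`, are all this example's own.

```python
"""Toy demonstration of "close enough" biometric matching and the FAR/FRR trade-off.

Added example, not the article's code. Everything is constructed: a template
is a list of (x, y) feature points (a stand-in for the data points a real
system abstracts at enrollment), a probe is a noisy re-capture of those
points, and the score is the fraction of template points that have a probe
point within a tolerance radius. A decision threshold on that score is the
adjustable setting the article describes: raise it and impostors are rejected
more often (lower FAR) but genuine users fail more often (higher FRR).
"""
import math
import random

FIELD = 200        # constructed: the capture covers a FIELD x FIELD pixel area
N_POINTS = 30      # constructed: feature points per enrolled template
TOLERANCE = 12.0   # constructed: max distance (pixels) for two points to "match"


def make_template(rng: random.Random) -> list[tuple[float, float]]:
    """Enrollment: abstract a trait as N_POINTS random feature points."""
    return [(rng.uniform(0, FIELD), rng.uniform(0, FIELD)) for _ in range(N_POINTS)]


def capture(template, rng: random.Random, jitter=6.0, drop=0.4):
    """A fresh sensor reading of the same trait: points shift a little, some are missed."""
    probe = []
    for x, y in template:
        if rng.random() < drop:
            continue  # the sensor missed this feature on this reading
        probe.append((x + rng.gauss(0, jitter), y + rng.gauss(0, jitter)))
    return probe


def similarity(template, probe) -> float:
    """Score in [0, 1]: fraction of template points with a probe point within TOLERANCE."""
    if not template:
        return 0.0
    matched = sum(
        1 for tx, ty in template
        if any(math.hypot(tx - px, ty - py) <= TOLERANCE for px, py in probe)
    )
    return matched / len(template)


def far_frr(genuine_scores, impostor_scores, threshold):
    """False acceptance rate and false rejection rate at one threshold.

    Accept iff score >= threshold. FAR = accepted impostor attempts / impostor
    attempts; FRR = rejected genuine attempts / genuine attempts.
    """
    far = sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)
    frr = sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)
    return far, frr


def sweep(genuine_scores, impostor_scores, steps=20):
    """(threshold, FAR, FRR) at evenly spaced thresholds from 0.0 to 1.0."""
    rows = []
    for i in range(steps + 1):
        thr = i / steps
        far, frr = far_frr(genuine_scores, impostor_scores, thr)
        rows.append((thr, far, frr))
    return rows


def simulate(n_users=40, attempts=5, seed=7):
    """Constructed population: each genuine attempt re-captures the enrolled trait;
    each impostor attempt presents another user's trait against the stored template."""
    rng = random.Random(seed)
    templates = [make_template(rng) for _ in range(n_users)]
    genuine, impostor = [], []
    for i, tmpl in enumerate(templates):
        for _ in range(attempts):
            genuine.append(similarity(tmpl, capture(tmpl, rng)))
            other = templates[(i + rng.randrange(1, n_users)) % n_users]
            impostor.append(similarity(tmpl, capture(other, rng)))
    return genuine, impostor


if __name__ == "__main__":
    g, im = simulate()
    print("threshold   FAR     FRR")
    for thr, far, frr in sweep(g, im, steps=10):
        print(f"  {thr:4.2f}    {far:5.3f}   {frr:5.3f}")
```

Running the script prints one row per threshold: at 0.0 every attempt is accepted (FAR 1.0, FRR 0.0), at 1.0 nearly every attempt is rejected, and the rows in between are the tradeoff the article describes. The two tails of the genuine and impostor score distributions overlap, so no single threshold drives both rates to zero; a deployment has to pick the point on this curve it is willing to live with, which is why a vendor's headline accuracy figure is only meaningful together with the threshold it was measured at.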
On the upside, an adversary can’t easily “guess” a biometric trait. On the downside, there is little standardization in biometrics, so using a simple solution across multiple platforms is not practical. And of course, even a perfect ID authentication scheme is powerless against an insider threat.
All of this means that although biometrics can be effective and useful, if you really want security, biometrics will be playing second fiddle to another factor—probably a password. And there is no substitute for a good access control policy.
William Jackson is a freelance writer with the Tech Writers Bureau and author of The Cybereye. Follow him on Twitter @TheCybereye.