The IAM Leader’s Guide to Biometric Authentication

“Biometric traits provide a uniquely human basis for user authentication, without people having to remember random character strings or carry specific devices,” says Ant Allan, VP Analyst, Gartner. “Biometric authentication offers better UX, along with increased accountability as biometric traits cannot easily be shared.”

Security leaders responsible for IAM and fraud prevention can adopt biometric authentication across a wide variety of use cases. Use these questions to determine if and how biometrics can meet current and future authentication needs.

What is biometric authentication? 

Biometric authentication methods use unique personal traits to corroborate a person’s claim to an identity to enable access to a digital asset. This is usually done through one-to-one comparison, attempting to match, say, a face or fingerprint image against the person’s record, rather than having the system determining identity by searching among a range of candidates. Biometric authentication can be used as an alternative or adjunct to other authentication methods, and it is typically adopted to achieve passwordless authentication.

What traits can be used? 

To be useful for authentication, a biometric trait must be unique, persistent and measurable. Furthermore, it must be possible to capture a sample (an image or recording) of that trait and to extract identifying data in a way that preserves its uniqueness.

Morphological traits (e.g., face, fingerprint, iris, vein) change very slowly and are generally unalterable. However, capturing them may seem intrusive for some, and some people may find specialized sensors difficult to use.

Behavioral traits (e.g., gesture, keystroke, voice) are less stable, changing over time and typically requiring multiple interactions to determine a reliable baseline. They also change with age, stress, injury and illness. 

Methods that incorporate two or more distinct traits, such as both face and voice, are known as multimodal methods. An “either/or” method provides users with a choice of modes, which can enhance UX by providing people with an alternative to a mode that they might not be able to use reliably or not wish to use, improving trust and accountability. Alternatively, two modes can be used together, improving security, but this approach will not generally meet regulatory requirements that demand two-factor authentication. 

Learn more: 2021 Top Priorities for Security and Risk Management Leaders

How does biometric authentication differ from other authentication methods?

Biometric authentication methods differ technically from nonbiometric methods, such as passwords or cryptographic keys, in two important ways: 

• Stochastic variation. Captured biometric data varies slightly from one time to another. Thus, the derived “probe” data will never be an exact match to the “reference” data, and therefore the comparison process is fuzzy. For example, think about using your finger to unlock your mobile device — the angle and exact position of your finger may differ slightly each time, but the authentication will still work. 
• No dependence on shared secrets. Biometric authentication does not depend on the secrecy of biometric traits, but instead relies on the difficulty of impersonating the living person presenting the trait to a device.

What are the benefits of biometric authentication? 

Biometric methods can potentially provide better UX and higher trust than other credential-based methods. In particular, biometrics improve individual accountability, as personal traits cannot easily be shared as passwords and tokens can. However, the actual benefits of biometrics depend on the trait used, as well as the configuration, performance and accuracy. No biometric authentication solution can provide a 100% success rate, so there will always be a trade-off between security and UX.

For example, with face recognition, if the matching threshold is low, a person is less likely to be locked out of their device, but there’s a higher chance that someone else would be able to unlock the device. UX can also vary from person to person; for example, fingerprint was long the biometric mode of choice, but many users have had problems with fingerprint modes some of the time, and some users are unable to reliably use these at all. 

The trade-off between security and UX is broadly true of any authentication technology. IAM leaders must determine if biometric authentication methods strike a balance between security and UX that is in line with the enterprise’s risk tolerance and business expectations.

What are the risks of biometric authentication?

Like any other authentication technology, the integrity and availability of data and technology components, and the confidentiality of system data, are crucial. 

Particular biometric authentication risks that IAM leaders must pay attention to include:

• Privacy. As it is considered sensitive personal data, biometric data and people’s privacy rights must be protected according to relevant privacy legislation. IAM leaders must also consider the “creepiness” factor.
• Performance. The real-world performance of each biometric mode can depend on a variety of factors. For example, with face recognition, poor ambient lighting and poor camera quality can make it harder to capture usable images. 
• Presentation attacks. Biometric authentication relies on the difficulty of impersonating a living person. An attacker might conduct a presentation attack, using a photo, video, mask or voice recording, to impersonate a target. Thus, a robust biometric method must incorporate effective presentation attack detection (PAD) or “liveness testing” to mitigate this risk.
• Platform attacks. There are significant risks with the end-to-end security of any biometric authentication platform. Security leaders must assess vulnerabilities and risks introduced in the design, construction, operation, misuse or incorrect configuration of the platform.

Read more: 4 Pillars of Privileged Access Management

What are potential use cases of biometric authentication?

Biometric authentication can be used in a variety of ways across industry verticals globally. Current enterprise use cases include:

• Windows PC and network login
• Mobile device login
• Remote network, web and cloud access
• Segregation of duties and electronic signatures
• Mobile banking
• Contact center for caller ID and fraud detection

Biometric methods can enable passwordless authentication alone or combined with other methods. Integration with phone-as-a-token authentication for passwordless multifactor authentication — “mobile MFA” — will likely dominate in workforce use cases.

IAM and fraud leaders considering biometric authentication must assess each of the above questions when determining the value proposition. Identify use cases where biometric authentication can satisfy a need to improve UX, trust or accountability, and thus facilitate changes to business processes or enable regulatory compliance better than orthodox methods.