This is a guest post by David Smith from the Smart Card Institute on biometric authentication.
We have already discussed the various use cases for biometric authentication in previous articles. We saw how it can be effective in securing childcare centres, offices etc., as well as help in managing attendance. Most of us associate biometrics with fingerprint scanning technology that can replace passwords. However, there are different types of biometric authentication in use today, covering both physical and behavioural identifiers. Let us now take a step back and try to understand the various aspects of biometric authentication and the complex technology involved in the process.
What is biometric identification?
Simply defined, biometric authentication is the use of unique characteristics of a person’s body or behaviour to verify identity when he tries to access a facility, building, service or device. The types of characteristics that can be used for identification can be broadly categorized as follows:
Physiological Biometrics: This type of biometric uses unique physical attributes of a person’s body to identify him. They are usually used when the person requiring authentication is available in person at the point of authentication. Following are the most popular physical aspects used in authentication today.
- Fingerprints: Details of the human fingerprint include raised areas called ridges and branches or bifurcations in these ridges. The pattern formed by these ridges is unique and thus a good factor for authentication. Fingerprint authentication is commonly used in offices for access control and attendance management as well as for accessing personal devices such as laptops and mobile phones. Fingerprint scanning is being increasingly used with smart cards to implement two-factor authentication. This increases the speed of authentication as the authentication system accesses information based on the smart card being used for authentication and matches a specific fingerprint to that of the person trying to gain access.
Eye scans: This involves either iris or retina scans of the person’s eye.
- Iris Scan: The ring-shaped region surrounding the pupil of the eye is called the iris. It forms a pattern, with different colours involved, that is unique to every person. An iris scan involves taking an image of a person’s iris with a high-resolution digital camera at a close distance. This image is then matched against the person’s iris at the point of access control. It is usually used at airport immigration counters and for access control in government buildings.
- Retina Scan: A retina scan uses the image of a person’s retinal blood vessel pattern. Retina scans are more difficult to fake than iris scans because they can only be taken from a living human.
Face recognition: This type of authentication technology maps a person’s facial features geometrically and stores the data as a faceprint. During authentication, the facial recognition software compares the stored data to the live image of the person. It is commonly used by smartphone manufacturers like Apple to authenticate persons accessing the phone.
Behavioural Biometrics: Behavioural biometrics usually relies on pattern matching with respect to a particular nuance of a person’s behaviour when they interact with a system. This type of authentication is usually used when the user being authenticated is a remote user. Following are examples which use this type of authentication technology.
- Voice Recognition: Voice recognition is often confused with speech recognition. Speech recognition is when you talk to a gadget and it understands what you are saying. It may not necessarily verify the identity of the person giving commands. Voice recognition, on the other hand, uses a voiceprint or the unique pattern of a person’s vocal characteristics to identify who is talking rather than what is being said. The most common use case for this type of authentication is in call centre/IVR applications.
- Keystroke and Navigation Patterns: People using keyboards/mouse for input usually have different typing/navigation styles. The typing pattern usually can be defined by various factors like speed of typing, the time interval between letters, the pressure applied on different keys etc. Similarly, mouse and finger movements form a unique pattern. Advances in artificial intelligence have increased the accuracy of pattern recognition systems based on this type of biometric. Keystroke dynamics and/or mouse movements can be used in combination with other types of authentication to implement remote multi-factor authentication systems.
- Engagement patterns: These patterns are based on how we interact with technological components. They could be based on commonly used locations/times of the day, frequency of use, navigation patterns, devices used for access etc. These can be used to distinguish humans from bots and in combination with other authentication methods.
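The keystroke timing factors listed above (how long each key is held and the interval between letters) can be turned into a simple verifier, shown here as an added example that is not part of the original post. The sample timings, the 5 ms deviation floor and the threshold of 2.0 are constructed assumptions, and the scaled Manhattan distance is one common scoring choice, not a method the post prescribes.

```python
from statistics import mean

def features(events):
    """Dwell (hold) times then flight (gap) times from (key, press_ms, release_ms)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enrol(samples, floor_ms=5.0):
    """Template = per-feature mean and mean absolute deviation (MAD)."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrolment samples must all be the same phrase")
    cols = list(zip(*vectors))
    mu = [mean(c) for c in cols]
    # Floor the MAD (assumed 5 ms) so one very steady feature cannot dominate.
    mad = [max(mean(abs(x - m) for x in c), floor_ms) for c, m in zip(cols, mu)]
    return mu, mad

def score(template, attempt):
    """Scaled Manhattan distance averaged over features; lower means closer."""
    mu, mad = template
    vec = features(attempt)
    if len(vec) != len(mu):
        return float("inf")  # different phrase length can never match
    return sum(abs(x - m) / d for x, m, d in zip(vec, mu, mad)) / len(vec)

def verify(template, attempt, threshold=2.0):
    # threshold is an assumed value; real systems tune it on error-rate data
    return score(template, attempt) <= threshold

def typed(dwells, gaps, keys="pass"):
    """Build constructed sample events from dwell and gap times in ms."""
    t, out = 0, []
    for i, key in enumerate(keys):
        out.append((key, t, t + dwells[i]))
        t += dwells[i] + (gaps[i] if i < len(gaps) else 0)
    return out

# Constructed data: three enrolment typings, one genuine and one impostor attempt.
TEMPLATE = enrol([typed([95, 110, 80, 85], [120, 60, 70]),
                  typed([100, 105, 85, 90], [130, 55, 75]),
                  typed([90, 115, 78, 88], [125, 65, 68])])
GENUINE = typed([97, 108, 82, 86], [122, 62, 72])
IMPOSTOR = typed([150, 60, 140, 55], [40, 200, 30])

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt))
```

Both attempts type the same four characters; only the rhythm differs, which is why a score like this works as an additional factor alongside the password rather than as a replacement for it.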
Biometric authentication methods are favourable for users because, unlike passwords, they are difficult to fake or steal. Users also do not need to commit anything to memory. The security of this method, however, depends on the security of the database holding the biometric data. Hacking of such databases can lead to theft of large amounts of biometric data, which can then be used with malicious intent. As such, businesses that implement biometric authentication on their premises need to establish procedures and conduct due diligence before selecting a service provider, to ensure that the biometric data of all users is safe.