The days of remembering passwords and scanning keycards might be coming to an end. Instead, we’ll simply use biometric traits such as our voices, faces, or hand geometry for everything from gaining building access to purchasing groceries.
Biometric authentication is a convenient method of confirming identity without the need to remember passwords or carry physical items such as a keycard. Biometric authentication uses unique physical or behavioral characteristics to confirm identity and approve access to systems, devices, or locations.
In general, authentication methods take one of three forms:
Something known to you (e.g., password, answer to security questions)
Something possessed by you (e.g., mobile device, token, keycard)
Something inherent to you (e.g., fingerprint, voice)
Biometric authentication uses the last form: something inherent to you. Increasingly, biometric authentication methods are being used in multifactor authentication scenarios to supplement and strengthen traditional credential-based authentication, or to replace it altogether with passwordless solutions.
Long relegated to high-security facilities and other niche uses, biometric authentication is going mainstream. Smartphones and other devices are shipping with high-quality sensors, cameras, and microphones capable of authenticating fingerprints, facial recognition, and more. The Windows 10 operating system includes Windows Hello for Business, which integrates with Active Directory to allow secure employee network login using fingerprint, face, or iris recognition.
One of the most common uses of biometric authentication is attendance tracking. Some software uses the employee’s device for authentication, while other solutions require specialized biometric authentication devices such as a fingerprint scanner affixed to the entrance of an office.
Biometric authentication generally functions in either one-to-one or one-to-many search modes to confirm a match.
Also known as biometric verification, a one-to-one search is used to verify a claim of identity. A subject claims to be a specific person and submits a biometric trait for confirmation. The system takes that trait and compares it to the corresponding record on file to ensure they match. An example of one-to-one search is when a facial recognition kiosk takes a photo of your face and compares it to the photo in your passport.
Also known as biometric identification, a one-to-many search is used to identify a subject when there is not a claim to identity. A biometric system records a specific trait and compares it to all records on file to determine if there is a match. An example of a one-to-many search is when the police feed a suspect’s photo into a facial recognition database to see if it matches any other photos.
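The two search modes differ only in how many stored records a captured trait is compared against, but that difference matters for security. The following is an added example, not code from the original article: it uses small constructed feature vectors as stand-ins for real biometric templates (a real system stores derived templates, not raw images, and the similarity function and threshold here are assumptions for illustration). It shows a one-to-one check against a single claimed record, a one-to-many search over the whole gallery, and why the one-to-many case needs a stricter match threshold: every extra record in the gallery is one more chance for a false accept.

```python
import math

# Constructed enrollment gallery: identity -> template (a short feature vector).
# These numbers are made up for the example; they are not a real encoding.
ENROLLED = {
    "alice": [0.90, 0.10, 0.30, 0.70],
    "bob":   [0.20, 0.80, 0.60, 0.10],
    "carol": [0.50, 0.50, 0.50, 0.50],
}

# Constructed probes: a noisy re-capture of alice, and a person not enrolled at all.
PROBE_ALICE = [0.85, 0.15, 0.35, 0.65]
PROBE_STRANGER = [0.10, 0.10, 0.90, 0.20]


def cosine_similarity(a, b):
    """Similarity in [-1, 1]; 1.0 means the two vectors point the same way."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def verify(claimed_id, probe, threshold=0.95):
    """One-to-one (verification): the subject claims an identity and the probe
    is compared ONLY against that identity's stored template."""
    template = ENROLLED.get(claimed_id)
    if template is None:
        # Unknown claim: fail closed, and do not reveal whether the ID exists.
        return False
    return cosine_similarity(probe, template) >= threshold


def identify(probe, threshold=0.95):
    """One-to-many (identification): no identity is claimed, so the probe is
    compared against EVERY template. Returns the best match above the
    threshold, or None if nobody matches well enough."""
    best_id, best_score = None, -1.0
    for ident, template in ENROLLED.items():
        score = cosine_similarity(probe, template)
        if score > best_score:
            best_id, best_score = ident, score
    return best_id if best_score >= threshold else None


def system_false_accept_rate(per_comparison_far, gallery_size):
    """Probability that at least one of N independent comparisons falsely
    matches, given a per-comparison false-accept rate. This is why a
    threshold tuned for one-to-one verification is too loose for a large
    one-to-many search."""
    return 1.0 - (1.0 - per_comparison_far) ** gallery_size


if __name__ == "__main__":
    print("verify alice as alice:", verify("alice", PROBE_ALICE))
    print("verify alice as bob:  ", verify("bob", PROBE_ALICE))
    print("identify alice probe: ", identify(PROBE_ALICE))
    print("identify stranger:    ", identify(PROBE_STRANGER))
    print("FAR at 1/1000 per comparison, 1000-record gallery: %.3f"
          % system_false_accept_rate(0.001, 1000))
```

The last function makes the practical point: a per-comparison false-accept rate of one in a thousand looks acceptable for a passport kiosk doing a single one-to-one comparison, but searched against a thousand-record gallery it gives roughly a 63% chance that some record matches a stranger. Identification deployments therefore need a much lower per-comparison rate (a stricter threshold, or a second factor) than verification deployments.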
Biometric traits can be categorized as either morphological or behavioral. Morphological biometric traits are measurable external physical qualities, while behavioral traits are dynamic qualities exhibited by an individual's unique movement (such as gait). Morphological traits are generally static, whereas behavioral traits are dynamic (yet consistent over time).
Biometric traits can also be measured actively or passively. Active biometric measurement requires enrollment, such as placing your fingerprint on a scanner. Passive biometric measurement can identify traits without a subject’s active participation in—or knowledge of—measurement, such as gait.
The graphic below shows how the most common biometric traits, also known as biometric modalities, are categorized and measured for biometric authentication (full research available to Gartner clients).
Let's take a look at the most commonly used modalities for biometric authentication, along with explanations about how they are measured.
Face: Facial structure or geometry is measured using cameras ranging from industrial-grade to those found on mobile phones. This can include the entire face or only the periocular area (i.e., area around the eyes).
Fingerprint: Fingers are typically placed directly on a specialized sensor, although optical cameras are also used. Newer ultrasonic sensors capture fingerprints using high-frequency sound waves.
Gait: Gyroscopes and accelerometers embedded in a device are used to monitor how a person walks. This information is measured against historic measurements to confirm the right person is in possession of the device.
Gesture: Gestures are measured using a touchscreen to verify formation of letters, numbers, or symbols. Gestures are usually used as a secondary means of authentication in concert with other modes, such as keystrokes.
Hand geometry: Hand geometry functions more like facial recognition than fingerprinting; a camera or scanner measures a hand's unique geometry such as finger length and width.
Handling: As with gait, handling measures the motion and dynamics associated with a user and compares them to historical data. Handling data is commonly combined with gestures and keystrokes to build a larger picture of a user’s profile.
Iris: Unique iris patterns are scanned using a specialized infrared camera or mobile device camera. Iris scans are generally considered to be among the fastest and most accurate biometric authentication methods.
Keystroke: Keystroke rhythm or other dynamics are measured against historical data, and are commonly combined with handling or gesture data.
Palm print: A hand is placed facedown on a scanner that reads its palm print, including its unique lines and ridge structures.
Signature: Signatures can be measured using formation, pressure, and speed.
Vein: Vein patterns in the hand (front or back) or a finger are measured using specialized infrared imaging devices. Eye veins in the sclera (white of the eye) or retina (back of the eye) can also be used, although these modalities are very invasive and require significant cooperation from the subject (used only for the strongest security needs).
Voice: Vocal patterns are measured, often as a voice passphrase, for authentication. Voice authentication is not to be confused with voice recognition, which is used to understand the meaning of spoken words.
Biometric authentication is going mainstream. Already, consumers have become accustomed to accessing their devices using a fingerprint and verifying their passport at the airport with facial recognition. Amazon is planning to roll out a new payment system at select Whole Foods stores that will allow customers to pay for groceries by waving their hand at a biometric scanner.
But how do consumers feel about biometric authentication technologies?
Like most things, it depends. Consumer feelings about biometric authentication vary widely depending on what traits are measured and who is doing the measuring. Our research on facial recognition found that the use of biometric technology for practical security purposes is generally supported by U.S. consumers—other uses are much less popular. This means that biometric authentication’s security applications are well-positioned for mainstream adoption.
We asked consumers which types of biometric data they are comfortable sharing with private companies.
Fingerprints were the only type of biometric data that more than half (62%) of respondents voiced comfort with. Face scans came in second, beating voice scans by five percent. A full 28% of respondents are not comfortable sharing any biometric data with private companies.
These results may be driven by exposure; as consumers are exposed to different types of biometric data collection methods, comfort level increases. To illustrate, 65% of survey respondents have provided biometric data to a private company. Of those respondents, 94% have provided a fingerprint and 33% have provided a face scan, with other response options trailing far behind.
Companies seeking to adopt less common or emerging methods of biometric data collection must take this consumer sentiment into consideration.
We also asked consumers to tell us who they trust with their biometric data. It turns out that trust varies greatly depending on what type of organization is collecting the data. Consumers were split fairly evenly on government use, while employers were the most trusted by far. Tech companies fared somewhere in the middle—although they were highly trusted by the fewest consumers.
Alongside its promise, biometric authentication presents disadvantages that must be considered by any organization contemplating adoption.
Fraudulent attempts to trick biometric authentication tools may occur. Attackers sometimes use masks, photos, or synthesized voices to impersonate authorized persons. Emergent biometric technologies are attempting to solve these issues, but problems persist.
Consider Samsung's smartphone snafu after Qualcomm developed an ultrasonic fingerprint scanner for smartphones that works similarly to sonar tech. Instead of capturing an image, the scanner bounces sound off of the finger to identify the fingerprint’s physical properties.
The ultrasonic fingerprint technology was embedded in the screen of Samsung’s flagship Galaxy S10 smartphone, but only a few months after launch, a flaw was found in the technology: the phone could be unlocked by anyone once a third-party screen protector was applied.
Biometric data breaches are especially consequential and leave victims exposed in ways that can’t be easily resolved; unlike a password, a fingerprint or face cannot be reset. In 2019, security company Suprema made headlines when more than a million biometric datasets were exposed. The company’s BioStar 2 lock system is designed to grant physical access to secure facilities using fingerprints, facial recognition, and other authenticators. And Suprema isn't alone. Biometric data breaches continue to unfold around the world.
In the EU, biometric data is protected by the GDPR, which deems it “sensitive” rather than “personal.” That means processing the biometric data of EU citizens without explicit consent is prohibited. Furthermore, the collection of biometric data may require a privacy impact assessment in advance.
In the U.S., the recently effectuated California Consumer Privacy Act (CCPA) considers biometric data the same as any other personal data and thus subject to regulation. Other states (including New York, Washington, Texas, and Illinois) also have biometric privacy laws in place. Any company deploying biometric authentication systems must gain familiarity with existing and emerging biometric privacy laws.
Companies that choose to adopt biometric authentication in particular scenarios should be able to justify its use and explain why it is preferable to traditional authentication methods that are broadly considered less invasive.
Generally, the use of a particular biometric authentication system should be proportional to the risk involved. In other words: an iris scanner might be justified to access a sensitive research lab, but probably not for access to the office break room.
Participants in any biometric authentication system must clearly understand how their biometric data will be used. Biometric data must be stored securely, anonymized when appropriate, encrypted at rest, and deleted when no longer needed. Following these steps will both comfort consumers and mitigate company risk.
GetApp Biometrics Survey, January 2020
GetApp conducted this survey in January 2020 among 487 respondents to learn more about consumer sentiment regarding biometric technologies.
Note: This document, while intended to explain what biometric authentication is, is in no way intended to provide legal advice or endorse a specific course of action.