Biometrics Authentication: The Good, The Bad, And The Ugly Face

Bill Kine

Passwords, ugh. You know the drill: 12 characters, caps and lower case, at least one special character, and one or more numeric digits. Be sure to change the password every 60 days, and never repeat a previous entry. Also, make sure you always use a different and unique password for work, social media, personal email, online banking, medical records, Amazon, Netflix, and all other services. Let’s not even talk about the added inconvenience of multi-factor authentication (MFA). … As the 1960s song says, “There’s got to be a better way.”

Just how secure are these passwords? Well, consider that we all frequently receive messages indicating that we need to reset various passwords that may have been compromised – so they’re clearly not that secure. Which means, once again, we must begrudgingly create new mnemonics containing our kids’ birthdays, pets’ names, or our favorite sports teams (I may or may not be guilty of the last one myself!). Again, there’s got to be a better way.

Biometrics to the Rescue: What if passwords could be replaced with a wholly unique identifier that users don’t ever have to memorize, change, or reinvent? And what if this also eliminated the vulnerabilities associated with weak, stolen, or shared passwords? Biometrics can accomplish all of these objectives! Biometrics are unique physical traits, such as fingerprints, iris scans, or facial recognition. These authentication methods are already commonly used for individual smartphones, PCs, and tablets. This technology can be expanded to provide network and server access.

The Good: The benefits of biometric-based authentication are quite numerous:

  • Improved security (since biometrics are difficult to steal, forge, or copy)
  • Elimination of cumbersome passwords
  • User convenience
  • Lower help desk costs (since they won’t have to manage and reset passwords)
  • Enhanced data protection and compliance with security regulations
  • Biometrics can be used in conjunction with multi-factor authentication (MFA) if desired
  • Non-repudiation: Biometric logs make it more difficult for an individual to deny that they are responsible for a specific action or transaction

The Bad: While biometrics solve many problems, they also create some new unforeseen issues and challenges. First and foremost among these are the privacy concerns associated with storing (and possibly sharing) highly personal information. This can also raise potential legal and ethical issues regarding both consent and data retention. Additionally, local cultural or social mores might need to be considered. There are also well documented issues and occurrences of racial and gender bias in early facial recognition implementations.

Biometrics can certainly improve an organization’s overall security profile, but they are not foolproof. The authentication systems can generate false positives or negatives, both of which are quite frustrating. An injured finger, an identical twin, or even atmospheric conditions can all affect the intended performance of the system. A high-quality photograph might even be able to spoof the system. And finally, if the authentication database is ever stolen or hacked, it can lead to serious consequences because, unlike passwords, biometric data cannot be changed once compromised.

Wrapping Up: Biometric authentication has a lot of potential, and quite a few organizations are already using this technology to improve their security and simplify network access procedures. In order to realize all of these benefits, the early adopters tend to incur rather high implementation costs. Furthermore, they have to navigate a technology that doesn’t yet have any defined standards for accuracy, implementation procedures, or interoperability. These early adopters will also need to overcome potential privacy, ethical, and even legal concerns.

In short, biometrics is a better way! But it is still in its infancy, and many exciting advances can be expected over the next few years.

Want to be featured on ChannelBytes?