BUSTED: Five False Claims About Biometric Authentication

Biometric authentication technology has been growing in popularity because it can securely authenticate customers without negatively impacting the user experience. Fingerprint and facial recognition have become cornerstones of authentication in the financial sector, mirroring the rise of mobile banking, but other forms of biometrics, including voice and behavioral, are also emerging as key technologies. Juniper Research has predicted that by 2021 over 18 billion transactions will be carried out with biometric authentication.

The current lockdown situation in many countries across the globe is only accelerating biometric technology’s adoption, as consumers are forced to use digital forms of banking that require a secure method for remote authentication.

Despite this, there are still a number of misconceptions about the security of biometric technology and how it can be implemented in current processes, and these risk stifling adoption.

So, let’s take a look at the common questions raised when talking about biometric authentication: 

Can a static fingerprint or picture easily fool biometric authentication?

No, but this is one of the most popular myths plaguing biometric technology, fueled by stories of people bypassing some consumer-grade biometric authentication in lab environments with 3D-printed models, photos of fingerprints, or masks.

The truth is, more sophisticated biometric authentication systems have come to market that can now identify whether the presented biometric is digital or manufactured or, instead, from a live human.

Active liveness detection requires the customer to perform an action, such as turning their head or blinking, while passive liveness detection relies on algorithms running in the background to detect whether the biometric sample is that of an actual person or some sort of spoof.

It is easier for attackers to study active liveness detection because it is more visible; passive liveness detection, however, is faster and much less invasive. It also includes more advanced techniques for identifying spoof attacks, making it the preferred choice in most modern deployments of biometric authentication.

Is biometric data an invasion of privacy? 

Not if it’s used for authentication, because consumers must willingly set up the authentication system to gain easier access to their accounts and additional layers of security. In short, the user must opt in to share their biometric data.

This is completely different than government agencies using facial recognition technology in public for surveillance purposes without the consent of individuals and the associated privacy concerns raised in the media. 

Furthermore, one-to-one facial recognition creates a mathematical representation of someone’s face in order to verify that an individual is who they claim to be. Raw images are not stored for authentication; instead, the mathematical representation is kept for comparison when the user attempts to log in in future.

Does biometric authentication have a lower level of trust than traditional login credentials?

No. Unlike credential-based authentication methods such as passwords, PINs and personally identifiable information (PII), biometrics cannot be easily shared or exposed. The number of major data breaches makes credential-only-based authentication much more vulnerable due to the vast quantity of data that has been leaked, stolen or bought on the dark web.

With liveness detection and anti-spoofing technology, biometric authentication provides a greater level of trust because the biometric sample is connected to the individual in-the-flesh at the time of authentication.

A report from Gartner on biometric authentication revealed that passwords are increasingly unreliable and that third-party biometrics such as face, voice and other methods are being adopted, especially for access from mobile devices, since third-party modes of authentication offer better trust and accountability.

Is biometric authentication viable long-term as people get older and their physical features change?

Yes, it is. Even though a person’s facial features or voice change slightly over time, the changes would need to be significant to matter, and that would take a fairly long period of time. This makes it a non-issue for most user authentication applications, as they are dynamic and frequently update the user’s biometric data in order to track the changes over time.

Additional measures, such as providing a second fingerprint, are available in some solutions so that if the first method fails, the user can still gain access to their device. The best approach to authentication is a layered one, as it provides enhanced security.

Does biometric authentication only work if the user is already known? 

Biometric authentication uses a person’s known unique characteristics to determine their identity. However, there are additional use cases for biometrics that help to improve an organization’s security and help spot fraudulent activity. Users’ actions and the way they interact with their device, such as the angle at which they hold their phone or the patterns of their typing, can be analyzed continuously to help verify their identity.

This is done in the background by comparing the user’s interactions against a previously developed profile of the individual, also known as a “behavioral fingerprint”. On the other hand, if the user is not known, the individual’s interactions with the device can be compared with what is typical for a wider population. Therefore, behavioral biometrics can help determine the likelihood that the actions performed were from a legitimate user. If the similarity score is high, then the organization doesn’t have to be very concerned about the identity or intent of the user, whereas if the similarity score is low, additional layers of risk and fraud detection are required.
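The scoring flow described above can be sketched as follows. This is an added example, not OneSpan's code or any product's algorithm: the feature names, the constructed baseline values, the Gaussian-kernel score and the 0.5 threshold are all assumptions chosen for illustration.

```python
import math

# Constructed sample baselines: feature -> (mean, standard deviation).
# Feature names and numbers are assumptions for this illustration.
POPULATION = {"key_interval_ms": (180.0, 60.0), "hold_angle_deg": (45.0, 20.0)}
PROFILES = {
    "alice": {"key_interval_ms": (140.0, 15.0), "hold_angle_deg": (62.0, 5.0)},
}

STEP_UP_THRESHOLD = 0.5  # assumed cut-off; below it, extra checks are required


def similarity(sample, baseline):
    """Return a score in [0, 1]; 1.0 means the sample sits on the baseline means."""
    total = 0.0
    for feature, (mean, std) in baseline.items():
        if feature not in sample:
            return 0.0  # fail closed: a missing signal never raises the score
        z = (sample[feature] - mean) / std
        total += z * z
    # Mean squared z-score mapped through a Gaussian kernel.
    return math.exp(-0.5 * total / len(baseline))


def assess(user_id, sample):
    """Score against the user's behavioral profile, or the population if unknown."""
    profile = PROFILES.get(user_id)
    if profile is not None:
        baseline, source = profile, "profile"
    else:
        baseline, source = POPULATION, "population"
    score = similarity(sample, baseline)
    action = "allow" if score >= STEP_UP_THRESHOLD else "step_up"
    return {"baseline": source, "score": round(score, 3), "action": action}


if __name__ == "__main__":
    typical = {"key_interval_ms": 145.0, "hold_angle_deg": 60.0}
    unusual = {"key_interval_ms": 200.0, "hold_angle_deg": 40.0}
    print(assess("alice", typical))     # matches Alice's own profile
    print(assess("alice", unusual))     # same account, different behavior
    print(assess("new_user", unusual))  # no profile: population baseline
```

The same interaction pattern that looks ordinary against the population triggers a step-up when it is presented on an account whose owner behaves differently, which is the extra signal a per-user profile provides.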


By Sam Bakken, Senior Product Marketing Manager at OneSpan
