Michael Barrett works as Chief Security Officer for PayPal. He’s also the president of the Fast Identity Online (FIDO) Alliance. According to reporting from MacRumors, Barrett said that a large technology provider in Cupertino, Calif. would soon release a phone with a functional fingerprint reader. That company, of course, is Apple, and the product is rumored to be the iPhone 5S.
Apple’s adoption of a fingerprint reader could bring biometric identification into the mainstream. Many organizations use two-factor authentication, which utilizes something that the user has, such as an ID card or smart card, and something that a user knows, such as a password or PIN. Biometric identification requires something that the user is, which could include a fingerprint, voiceprint, iris scan or some other identifying biological marker.
How Biometrics Works
The SANS Institute describes a four-step method for implementing biometric authentication. The method is general enough to apply to a wide variety of biometric markers.
- Enrollment. During the enrollment process, the system collects a biometric sample, extracts the data and constructs a template for the user. In a facial recognition system, for example, a camera could photograph a user’s face, capturing a variety of facial expressions in a number of light levels. The application would then extract certain aspects of the face and convert them into mathematical code. Then, a high-quality template of the user’s face is constructed.
- Storage. Organizations can store user templates on a biometric device, in a centralized database or on a portable token like a smart card. The best system for organizations is to store templates both at the device level and in a centralized database. That way, if something happens to the reader, the company has a backup of the user templates in the centralized database. And if the network goes down, the templates stored at the device level keep the biometric devices up and running.
- Matching. Many biometric devices let a company choose how many authentication attempts users are allowed. Some devices also update the template with each authentication attempt to account for aging, cuts or other changes to the sample.
- Audit trail. Storing data about authentication attempts will help to pinpoint security issues. If multiple attempts are required to authenticate, then companies can fine-tune the process to reduce the inconvenience to users.
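The four steps above, walked through in Python as an added example (not code from SANS or from the original article). The feature vectors, the Euclidean-distance comparison, the 0.25 threshold, the lockout behaviour and all class and method names are assumptions made for illustration.

```python
import math
import time

class BiometricAuthenticator:
    """Illustrative model: enrollment, storage, matching, audit trail."""
    def __init__(self, threshold=0.25, max_attempts=3, update_rate=0.1):
        self.threshold = threshold        # assumed max distance for a match
        self.max_attempts = max_attempts  # configurable retry limit
        self.update_rate = update_rate    # how far an accept nudges the template
        self.templates = {}  # storage stand-in for device or central database
        self.failures = {}   # consecutive failed attempts per user
        self.audit = []      # one record per authentication attempt

    def enroll(self, user, samples):
        # Enrollment: average several feature vectors into one template.
        self.templates[user] = [sum(col) / len(samples) for col in zip(*samples)]
        self.failures[user] = 0

    def _log(self, user, outcome, distance=None):
        self.audit.append({"ts": time.time(), "user": user,
                           "outcome": outcome, "distance": distance})
        return outcome

    def authenticate(self, user, sample):
        template = self.templates.get(user)
        if template is None:
            return self._log(user, "unknown_user")
        if self.failures[user] >= self.max_attempts:
            return self._log(user, "locked")  # unlocking is out of scope here
        distance = math.dist(template, sample)
        if distance > self.threshold:
            self.failures[user] += 1
            return self._log(user, "reject", round(distance, 3))
        # Accepted: reset the counter. This example adapts the template only
        # on accepts, so a rejected sample can never shift it.
        self.failures[user] = 0
        self.templates[user] = [t + self.update_rate * (s - t)
                                for t, s in zip(template, sample)]
        return self._log(user, "accept", round(distance, 3))

    def attempts_before_accept(self, user):
        # Audit analysis: rejects preceding each accept; high counts suggest
        # the threshold or the enrollment quality needs tuning.
        counts, run = [], 0
        for entry in (e for e in self.audit if e["user"] == user):
            if entry["outcome"] == "reject":
                run += 1
            elif entry["outcome"] == "accept":
                counts.append(run)
                run = 0
        return counts
```

Lockout attempts are logged without a distance, so the audit trail separates samples that failed to match from attempts that were refused outright.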
Pros and Cons of Different Biometric Systems
Many organizations want to know which biometric marker they should use for authentication. Fingerprints, voice authentication and face recognition are all options, and each has advantages and disadvantages.
Fingerprint scanners have been around for about a decade, but their accuracy and cost-effectiveness have significantly improved over time. However, injuries that disrupt the fingerprint pattern, like burns and cuts, can cause authentication problems. Other substances like ink, stains, sunscreen, moisture and lotion can cause detection problems on some fingerprint scanners. Additionally, people who play instruments or work with their hands may not have clear fingerprints that a scanner can read.
Programs like Siri have made voice recognition technology mainstream on smartphones. However, voice authentication presents some problems. Background noise, laryngitis or environmental factors can reduce accuracy. Also, voice recognition technology can be manipulated with recordings, and a voiceprint stored remotely is vulnerable to theft.
Face recognition is vulnerable to minor changes like bad lighting, accessories, smiles or unrecognized facial expressions. Iris testing is more accurate and also cheaper, but an iris pattern can be changed by medications or dilation during eye exams. Also, iris authentication may be vulnerable to photographs or contact lenses printed with fake irises.
Many people are fearful that storing biometric data invades their privacy. Biometric data may also reveal medical conditions or habits, like drug use, that users don’t want their companies to know. Additionally, although costs have come down, many biometric systems are prohibitively expensive. As discussed earlier, biometric scanners can be vulnerable to hacking and impersonation. If a user’s biometric marker is hacked or altered, then the user has no way of being enrolled back into the system.
The Bottom Line
If Apple does release fingerprint recognition on the iPhone 5S, then you can probably expect biometrics to become more mainstream. However, biometrics isn’t a panacea, and multi-factor authentication methods should still be in place to guarantee security.