Biometric Authentication: Best Practices

Today, the usage of biometric authentication in a corporate environment is discussed quite often. However, at the same time, it is still can be considered new since it is just starting to really gain momentum. As a result, those organizations that are going to explore and use such an authentication system face many incomprehensible nuances, to which various myths are added.

First, let us define the terms and also discuss the advantages and disadvantages of biometric authentication in a corporate environment. 

Biometrics and Authentication

Biometrics is often an identification technology that has a rather indirect relationship to authentication. On the other hand, biometrics can be used as an authentication factor.

It should be borne in mind that these are pretty complex and expensive technologies if they are implemented with high standards. Therefore, they should be used only in cases where it is difficult to do without them or when there are sufficiently high risks; for example, in the event where we need continuous user identification. Let us say a user was authenticated and then switched places with someone else who continues to carry out the duties of the initial person endowed with the appropriate rights. 

In general, authentication is not only related to computer systems. Any person throughout his life must confirm who he is and that he has the right to perform specific actions. Each time we use three factors: what I know, what I have, and what I really am. Earlier biometrics was often used as the sole factor of authentication. Today, biometrics is rarely used as the only factor of authentication. Nevertheless, nothing prevents it from playing just such a role.

Perhaps in some cases, it would be better to use the term "verification" rather than "authentication." After all, we are talking about authenticity, and not about a one-to-many comparison. 

In the near future, several biometric factors will be used since none of the factors alone provides a 100% guarantee of recognition. VPNBrains and many other security experts suggest expanding the list of factors. Multimodal biometrics is aimed at reducing the frequency of false identification. 

It should be noted that when we use such a factor as fingerprints, we identify the physical shell of a person but lack understanding of his mental personality. The latter can be distinguished, for example, by the presence of mind and memory. Therefore, it is not entirely correct to limit ourselves to physical factors. It is necessary to identify a mental personality. 

Biometric Authentication Methods

Fingerprint and face scanning (both 2D and 3D) are the most common methods used in the field of information security. In addition, the pattern of palm veins and the iris are used. Among the exotic methods of biometric authentication, experts identify scanning the geometry of the nose and ear. This is all that concerns physical characteristics. If we talk about behavioral characteristics, we can note the voice, the analysis of typewriting, and mouse movement. 

Any biometric system initially consists of two subsystems: the actual recognition subsystem and the subsystem that determines the human being. The latter should determine that a living person is standing in front of it and not a plastic model or a photograph. 

The customer should be careful when choosing a vendor. Some vendors emphasize the use of 3D. It is important to find out why they have 3D: whether it is for recognition or for determining that the system is dealing with a human being. 

How To Deal With Biometric Data Leaks

What do you do if the biometric data falls into the hands of third parties? You cannot simply reset/change the fingerprint like you can the password. All experts recognize the presence of such a drawback, which is initially logically incorporated into biometrics, but let us remember that the border system of all countries is based on biometrics. The photo in the passport is verified.

Today, the lack of accumulated practice of using biometrics in cyberspace does not allow making an unequivocally negative forecast for data breaches. In the event of a biometric data leak, for example, replacing another factor, such as a cryptographic key, can help. 

Scenarios for Using Biometric Authentication

The most common scenario of using biometric authentication is the access control system. It uses a fingerprint, palm vein, and iris scanning. Modern smartphones also represent a successful implementation scenario. The retail industry and anti-terror services use video analytics to identify potentially dangerous subjects. 

Fingerprint scanning is the cheapest implementation of biometric identification. It is also the most unreliable technology. It is more expensive to identify a user by the pattern of palm veins, but at the same time, security is higher. 

Voice recognition can be installed at a relatively low cost. Its pricing goes immediately after scanning a fingerprint and a face. Today, voice confirmations are widely used to transfer money in banking applications. 

Why Do Organizations Need To Use Biometrics?

There are many cases where organizations cannot do without biometric authentication systems. It is also worth noting that biometrics is often marketed as the most convenient authentication factor. It is helpful for businesses to present biometric authentication as something progressive and “state-of-the-art.” 

How To Choose Biometric Authentication Technology

The choice of a biometric system implies choosing software and hardware components. The main advantage of the biometric system is its convenience. It is very important not to spoil this convenience and to simplify the use of the system for the end-user as much as possible. 

It is worth paying attention to the shortcomings of biometrics. Here is a simple example: if you cut your finger, the system will not let you in. In this case, preference should always be given to the solution that considers more than just one finger for authentication.

As for the software part, customers often focus on the recognition algorithm. However, you should not rely solely on the rankings of such algorithms since the differences between the first and tenth places can be seen only in laboratory conditions. Therefore, it is better to pay attention to the additional functionality: 

• Does the solution allow continuous authentication?
• Is there integration with other solutions?
• How is role-based access performed?

When considering various biometric identification technologies, it is necessary to evaluate the possibility of using a particular technology in specific conditions. It is necessary to run a pilot project for some time to understand what you will have to deal with. If, after some time, you find that in your conditions response time is important and accuracy is not so important, you should focus on the first parameter. 

Specifics of Implementing a Biometric Authentication System

Today, in some organizations, there is still a rational distrust of biometrics. However, by raising employee awareness, you can gradually convince them of the benefits of biometric authentication systems. To do this, you must first of all talk about the interests of the end-user about how exactly he will benefit from using this technology. 

Unknown things are always scary. Ordinary employees are afraid of surveillance attempts that may rely on biometric data. They are scared to give consent to the processing of personal data due to frequent data breaches. 

Colossal resources are being spent to explain to the people that biometrics is good and safe. Many people already use fingerprint scanners to avoid tapping into their cell phones. A person accepts new technology faster if he gets real benefit from its use. 

What Measures Should Organizations Take To Protect Against Biometric Leaks? 

There are many published recommendations on measures to be taken to protect personal data. As for technical issues, it is good to move away from centralized processing. The storage of biometric samples should be moved to endpoints equipped with trusted hardware devices. 

Biometric Technology Development Forecasts

In about three to five years, given the unbridled enthusiasm in the biometric technology market, it will be implemented everywhere: in classrooms, workplaces, and other fields. After all, this is still the most convenient method of authentication. 

At the same time, some dangers can be seen on the horizon. A digital profile is one of them. Plenty of things indicate that in the near future every citizen will have a digital profile. Biometric identification will go towards identifying a person by external signs: gait, silhouette, manner of working, moving and using, for example, a keyboard. All this will allow us to identify any person accurately. 

Conclusion

Some experts have doubts about the need to impose the use of biometric identification and authentication. One thing we can agree on is that biometrics is convenient, and the most convenient method, as a rule, attracts a lot of interest, even if it is not as secure as its more sophisticated alternatives.