2022-05-12 10:42:40

Innovation Insight for Biometric Authentication

Biometric authentication offers unique advantages over other credential-based methods, but there are still significant hurdles to negotiate. IAM- and fraud-focused security and risk management leaders should choose biometric methods where the benefits can justify the effort.

 

Overview

Key Findings

  • Biometric authentication has a high profile in the market. Biometric methods promise better user experience (UX), trust and accountability benefits than other credential-based methods and enable passwordless authentication, alone or combined with other methods.

  • Device-native biometric methods are almost ubiquitous in new phones, tablets and PCs. They are readily integrated into mobile apps, browser-based apps, Microsoft Windows and Azure AD ecosystems, and proprietary authenticator apps for smartphones.

  • Third-party biometric methods offer greater control over enrollment and configuration, better omnichannel support, and integration with identity proofing. However, they are far less widely used, because of implementation, cost, UX and privacy challenges, both real and imagined.

  • Device-independent third-party biometric methods may address diversity, equity and inclusion concerns by providing an accessible authentication option for customers and citizens who are potentially marginalized by a market emphasis on smartphone, tablet or PC ownership.

Recommendations

Security and risk management leaders responsible for identity and access management (IAM) and fraud detection (i.e., IAM and fraud leaders) should:

  • Improve authentication UX for employees and customers, or enhance trust and accountability, by implementing biometrics alone or in combination with other credentials across a wide range of use cases, including identity life cycle events, not just interactive login.

  • Drive the broadest acceptance of biometric authentication by reflecting the diversity of, and personal preferences among, the target population, being open and transparent about what data is held and how it is used, and engaging in outreach to address people’s concerns.

  • Fully address privacy and security needs by meeting regulatory due diligence requirements, choosing technology that can provide robust data security and demonstrate genuine human presence, and favoring privacy-preserving deployment options.

 

Introduction

User authentication is fundamental to identity-first security and an imperative for IAM and fraud leaders. Authentication must provide sufficient credence in an identity claim to bring account takeover (ATO) and other digital-identity risks within an organization’s risk tolerance.

Unlike the two other types of authentication credentials (knowledge and possession), biometric traits are inherent to a person, thus providing a uniquely human basis for authentication.

 

Biometric traits cannot easily be shared or stolen, increasing trust and accountability. Their use potentially frees the person from having to remember a password or carry a token, enhancing UX. Biometric traits also provide a robust basis for binding other authentication credentials to a living person via document-centric identity proofing (DCIP).

 

Description

Biometric authentication uses unique behavioral or morphological traits to provide credence in a person’s claim to an identity that has been established for interactive access to electronic or digital assets.

 

Biometric authentication typically uses a one-to-one comparison (“verification”) to support an identity claim. Rarely, a method uses a one-to-many search (“identification”) in which the person presents a biometric trait and the system finds one or more candidate matches from a larger population.

Biometric authentication differs technically from nonbiometric authentication (using passwords or cryptographic keys, for example) in two important ways:

  • Stochastic variation

  • No dependence on shared secrets

Stochastic variation. Captured biometric “sample” data varies slightly from one capture to the next. The “probe” data derived from a fresh sample will therefore never exactly equal the “reference” data enrolled for that person, so the comparison is fuzzy: a similarity score or distance is compared with a decision threshold rather than tested for equality.
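To make the fuzzy comparison concrete, the following JavaScript is an added example, not code from the original note or from any vendor. It models a template as 256 bits, a fresh capture of the same trait as the enrolled reference with some bits flipped (the stochastic variation described above), and an impostor as an unrelated random template. Comparison is a Hamming distance against a decision threshold, which is the shape of decision a real matcher makes. The score set is constructed from a seeded pseudo-random generator, and the template size, flip range and trial count are assumptions chosen for illustration. Sweeping the threshold also shows the trade-off a device vendor makes when choosing it: a looser threshold lowers the false non-match rate (better UX) and raises the false match rate (worse security).

```javascript
// Added example: fuzzy comparison of binary biometric templates with a
// decision threshold. Not the original note's code; all data is constructed.

// Small deterministic PRNG (xorshift32) so the run is reproducible offline.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13;
    s ^= s >>> 17;
    s ^= s << 5;
    s >>>= 0;
    return s / 4294967296; // float in [0, 1)
  };
}

function randomTemplate(rng, bits) {
  return Array.from({ length: bits }, () => (rng() < 0.5 ? 0 : 1));
}

// Simulate a new capture of an enrolled trait: flip exactly `flips`
// distinct bits of the reference (the stochastic variation between samples).
function noisySample(rng, reference, flips) {
  const probe = reference.slice();
  const chosen = new Set();
  while (chosen.size < flips) chosen.add(Math.floor(rng() * reference.length));
  for (const i of chosen) probe[i] ^= 1;
  return probe;
}

function hamming(a, b) {
  if (a.length !== b.length) throw new Error('template length mismatch');
  let d = 0;
  for (let i = 0; i < a.length; i++) d += a[i] ^ b[i];
  return d;
}

// The matcher's decision: accept when the distance is at or below the threshold.
function matches(probe, reference, threshold) {
  return hamming(probe, reference) <= threshold;
}

// Error rates at one threshold from pre-computed comparison distances.
// FNMR: genuine attempts wrongly rejected. FMR: impostor attempts wrongly accepted.
function errorRates(genuineDistances, impostorDistances, threshold) {
  const fnmr = genuineDistances.filter((d) => d > threshold).length / genuineDistances.length;
  const fmr = impostorDistances.filter((d) => d <= threshold).length / impostorDistances.length;
  return { threshold, fnmr, fmr };
}

// Constructed score set (assumption): one enrolled user, `trials` genuine
// captures with 5..40 flipped bits each, and `trials` unrelated impostors.
function buildScores(seed = 42, bits = 256, trials = 200) {
  const rng = makeRng(seed);
  const reference = randomTemplate(rng, bits);
  const genuine = [];
  const impostor = [];
  for (let i = 0; i < trials; i++) {
    const flips = 5 + Math.floor(rng() * 36); // 5..40 bits differ per capture
    genuine.push(hamming(noisySample(rng, reference, flips), reference));
    impostor.push(hamming(randomTemplate(rng, bits), reference));
  }
  return { genuine, impostor };
}

// Sweep the threshold: loosening it lowers FNMR and raises FMR. Whoever sets
// the threshold (e.g. the device vendor) is choosing this trade-off.
function thresholdSweep(scores, thresholds) {
  return thresholds.map((t) => errorRates(scores.genuine, scores.impostor, t));
}

const demoScores = buildScores();
for (const r of thresholdSweep(demoScores, [10, 25, 40, 64, 100, 128])) {
  console.log(`threshold ${r.threshold}: FNMR ${r.fnmr.toFixed(3)} FMR ${r.fmr.toFixed(3)}`);
}
```

With 256-bit templates an impostor sits near a distance of 128, so any threshold well below that rejects impostors while still absorbing the per-capture variation; the sweep prints where the two error rates cross over for this constructed data.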

 

Biometric authentication can be deployed in several ways, differentiated by where biometric reference data is held and where comparison and matching take place (for example, on the user’s device or on a server).


Biometric authentication can be used as an alternative to another type of authentication. It can be used alone but is often integrated with some kind of token, increasingly as part of Fast IDentity Online 2 (FIDO2) authentication, where a local biometric match unlocks a cryptographic key and only the resulting signature leaves the device.

 

Benefits and Uses

Biometric authentication (with active modes) can:

  • Be adopted in a wide range of use cases for employee and customer authentication.

  • Be used alone or as an element of MFA.

  • Enable passwordless authentication.

  • Improve trust and accountability.

  • Improve UX.

Passive modes can:

  • Be adopted in online fraud detection (OFD), reducing false positives, thus improving customer UX.

  • Enable continuous adaptive trust (CAT) within adaptive access.


Risks

As with any other authentication technology, the integrity and availability of data and technology components, and the confidentiality of system data, are crucial.

IAM and fraud leaders implementing biometric authentication must also pay attention to the specific risks enumerated below. These risks are rarely insurmountable, and the cost to mitigate them is typically justified by the security and UX benefits biometric authentication can yield.

Privacy:

  • Privacy laws are often seen as a barrier. Mandated data security controls are seen as a major obstacle, but they are prudent in any case; compliance may add only administrative hurdles. Depending on the relevant international and national laws and regulations, enterprises may be obliged to:

    • Perform due diligence regarding the use of biometric technologies and design decisions, such as carrying out a legitimate interest assessment (LIA).

    • Implement specific organizational and technical security measures.

    • Properly inform the people concerned.

    • Seek consent from customers.

    • Carry out a privacy impact assessment (PIA) or similar.

User acceptance:

  • Widespread adoption of fingerprint and face on smartphones has significantly increased user acceptance. However, some people might still view the use of biometrics as creepy or otherwise objectionable, due to a variety of concerns, such as:

    • The risk of their biometric data being exposed or used in nefarious ways.

    • The fear of being spied on, especially given the use of biometrics in surveillance.

    • Demographic bias (see below) and potential discrimination.

    • Religious, cultural and civil rights objections.

Presentation attacks:

  • An attacker might use a presentation attack, using some kind of “facsimile” to impersonate the target. Thus, a robust method must incorporate effective presentation attack detection (PAD), informally known as “liveness detection/testing.”

  • Vendors’ PAD claims require careful scrutiny. Exhaustive evaluation is beyond the capability of most buyers. There are some product certification schemes, but these are inconsistent globally.

  • Some PAD techniques can add friction, eroding UX benefits. Additional authentication factors and signals, especially within a CAT framework, can further mitigate presentation attack risks, but may also reduce UX.

No “reset”:

  • A common criticism of biometric authentication is to say, “You can’t reset a fingerprint” (or other trait), ostensibly leaving it ineffective if an attacker captures or replicates a sample.

  • This overlooks the importance of live presentation of the trait; that is, the necessity of PAD.

Nonbiometric options:

  • Many implementations, such as Windows Hello for Business (WHfB), offer by default a nonbiometric alternative to biometric authentication, typically a PIN, which cannot provide the same confidence or accountability. However, this might be acceptable if UX is the main driver.

Performance:

  • Usability and reliability vary across modes, populations and use cases, limiting the success with any single technology.

  • Mask-wearing mandates during the COVID-19 pandemic have inhibited the use of face, driving interest in alternative modes, including periocular face.

Demographic bias:

  • Performance can vary because of physiological differences across human populations or limitations of comparison and matching algorithms, especially in methods using machine learning when training data hasn’t reflected the diversity of the intended user population.

  • Such demographic bias can discriminate against certain groups, impairing security as well as UX.

Limitations of device-native biometric authentication:

  • Inconsistent UX for all people, especially those without biometric-enabled devices.

  • Matching threshold set by device vendor, likely favoring UX over security.

  • Indeterminate (undeclared) performance and PAD characteristics.

  • Lack of control over enrollment. (WHfB is a notable exception.)

  • Dependence on device power-on passcodes (i.e., a nonbiometric authentication option).

Platform attacks:

Replay and injection attacks are more scalable than presentation attacks and likely present a greater risk.

IAM and fraud leaders must assess vulnerabilities and risks introduced in the design, construction, operation, misuse or incorrect configuration of the platform.

