What is biometric verification?
Biometric verification is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological traits. These biological identifiers include fingerprints, hand and earlobe geometries, retina patterns, voice prints and written signatures.
Fingerprints are the oldest type of biometric verification. Thumbprints were used on clay seals in ancient China as unique identifiers. The advent of computerized databases and the digitization of analog data took biometric verification to the next level. New technologies have enabled almost instantaneous identification.
How does a biometric verification system work?
The authentication process for biometric data is relatively consistent from one biometric identifier to another.
First, a copy of a person's unique characteristic -- for example, a voice print of a person wanting access to bank account information -- is made and stored in a database. When the person returns to ask the bank a question about their account, ID verification is required. At that time, a new record is captured and compared with the stored one using voice authentication parameters. If the new voice print record matches the one in the database, the person's identity is confirmed.
Cloud technology is often used to make biometric information more accessible and portable. Cloud-based systems enable agencies and organizations to perform biometric identification on any individual, regardless of their location.
Cloud security has improved over recent years, but security vulnerabilities remain. The servers are no more vulnerable than those businesses use internally. However, the attack surface in the cloud is larger because cloud service providers are hosting multiple tenants. Even with effective tenant controls, there is some risk in a multi-tenant cloud.
Where biometric data is stored is important. If a database containing the identification records is compromised, the biometric system tied to the data would be vulnerable, too. A biometric verification system depends on the use of biological characteristics that can't be changed or replicated. If the data tied to the system isn't secured, it could be extracted, deleted or manipulated, undermining the reliability of the system.
Where is biometric verification used?
Biometric verification is used to identify people in all sorts of settings, including the following:
- Financial institutions are using voice recognitions and other biometrics to identify phone callers.
- Healthcare providers are finding biometrics to be a reliable way to identify patients.
- Law enforcement agencies use fingerprints, facial recognition, iris scans and other types of biometric ID to track people entering and returning to the criminal justice system.
- Other government entities are looking into using biometric identifiers in passports and for voter registration purposes.
Types of biometric verification
There are several ways to accurately and securely verify a person's identity using biometrics. The following is a list of the more common types of verification systems and the technologies they use to facilitate accurate and reliable user authentication.
Fingerprint ID is one of the most common forms of biometric authentication because of its reliability, convenience and historical success. Almost all smartphones use fingerprint identification to quickly verify the user's identity.
The reliability of this technology comes from its lack of replicability. The average person would find it hard to manipulate another person's fingerprint to access a device or physical location. Even the fingerprint hacks reported in 2016 required access to not only the fingerprint of the individual, but also a sophisticated 3D printer.
Facial recognition maps facial features and compares them to stored facial biometric data to authenticate a person's ID. This is one of the most common verification methods because of the number of unique points on an individual's face.
Apple Face ID technology scans and verifies iPhone users. It projects and analyzes more than 30,000 invisible dots to create a depth map and infrared image of a face. Using bionic chips, such as the A11 and A12X Bionic, Face ID transforms the depth map and the infrared image into an easily stored mathematical representation of facial characteristics.
As effective and convenient as it is, facial recognition technology has some weaknesses. During the 2019 Black Hat conference, researchers demonstrated how Apple Face ID could be hacked in less than 120 seconds. The researchers took advantage of two security vulnerabilities in Apple's biometric verification process. The first was the accuracy of Face ID's liveness detection. Liveness detection is the facial recognition technology's ability to determine if a user is alive or awake to prevent the use of masks, fake heads, or sleeping or unconscious users.
The second vulnerability was the iPhone's inability to accurately map the eye area of users wearing glasses. The researchers created glasses with opaque lenses and faux irises, placed them on a sleeping user and unlocked their device without their permission. While this approach isn't easy to replicate, it highlights the limitations of facial recognition.
In addition to smartphones, facial recognition is used as physical security in buildings to limit access to authorized individuals. As this technology becomes more affordable, its range of applications will increase.
Iris and retina pattern recognition
Like fingerprints, iris and retina patterns are unique and diverse, which makes them a reliable biometric identifier. An iris scanner can collect as many as 200 unique biometric features. Given the strength of security and reliability of this form of identification, banks are using iris and retina pattern authentication methods to verify ATM (automated teller machine) users. The U.S. military has used iris scanning technology for more than 15 years to screen people entering military facilities in Iraq and Afghanistan and to identify and track detainees.
Voice waveform recognition
Physical features aren't the only form of biometric authentication. A person's voice can be a unique biometric indicator that organizations can utilize to authenticate users. Many financial institutions, for example, use voice recognition to identify clients over the phone. Phone calls are a common phishing technique used by threat actors to extract assets or information. Voice recognition can help reduce the success rate of criminals attempting to pose as known individuals.
Nuance Communications Gatekeeper uses voice biometrics technology to confirm the age of callers. The purpose of this technology was to identify elderly customers to prioritize them on call lists during the COVID-19 pandemic.
Voice waveform recognition has limitations, however. A threat actor could record the voice of a user and replay it for the voice recognition technology. Despite this, it is still an effective way to segment customers. Voice-based technologies, like Siri, Google Assistant and Alexa, all use some form of voice biometrics. For example, Google has users repeat a series of phrases to be able to recognize their voices when they speak certain commands.
Earlobe and hand geometry identification
Hand and earlobe geometry are both used to ID individuals measuring finger length and the distance between various parts of the hand. However, hand geometry changes with age and requires regular database updates. Earlobe geometry is one of the few biometrics that does not change with age.
DNA (deoxyribonucleic acid) matching
Genetic material from an individual can be compared with existing DNA databases to verify a person's identity. This method is commonly used in criminal investigations for forensic purposes. A suspect's DNA profile is compared with DNA evidence to confirm their involvement in a crime. It is the most accurate approach to identity verification but also the most intrusive.
Scans of finger veins are used to verify individuals' identity. The vascular pattern in a person's finger can be compared to data that was previously obtained to make an identification.
Signatures are one of the least reliable biometric verification methods. Signatures are vulnerable to replication and manipulation, but they are useful as an additional layer of authentication.
The inconclusive resolution of the "Zodiac Killer" case is largely attributed to the subjectivity and inaccuracy of handwriting analysis. The self-proclaimed "Zodiac Killer" sent letters to the Federal Bureau of Investigation throughout the 1960s and early 1970s. These letters could never conclusively identify the killer because of the lack of handwriting analysis technology.
Signature analysis can identify instances of identity fraud where the signature attempt does not match existing records. Therefore, it exists more as a forensic tool than an immediate form of verification.
Various industries are considering how biometric verification could be used to redefine access controls. Find out how multifactor authentication could use biometrics in the future.