What is biometrics? 10 physical and behavioral identifiers that can be used for authentication

Biometrics has the potential to make authentication dramatically faster, easier and more secure than traditional passwords, but companies need to be careful about the biometric data they collect.


Biometrics definition

Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person in order to grant access to systems, devices, or data.

Examples of these biometric identifiers are fingerprints, facial patterns, voice or typing cadence. Each of these identifiers is considered unique to the individual, and they may be used in combination to ensure greater accuracy of identification.

Because biometrics can provide a reasonable level of confidence in authenticating a person with less friction for the user, it has the potential to dramatically improve enterprise security. Computers and devices can unlock automatically when they detect the fingerprints of an approved user. Server room doors can swing open when they recognize the faces of trusted system administrators. Help desk systems might automatically pull up all relevant information when they recognize an employee’s voice on the support line.

However, companies need to be careful about how they roll out their biometric authentication systems to avoid infringing on employee or customer privacy or improperly exposing sensitive information. After all, while it’s easy to issue a new password when the old one has been compromised, you can’t issue someone a new eyeball.

How reliable is biometric authentication?

Authentication credentials such as fingerprint scans or voice recordings can leak from devices, from company servers or from the software used to analyze them. There is also a high potential for false positives and false negatives. A facial recognition system might not recognize a user wearing makeup or glasses, or one who is sick or tired. Voices also vary.

People sound different when they first wake up, or when they try to use their phone in a crowded public setting, or when they’re angry or impatient. Recognition systems can be fooled with masks, photos and voice recordings, with copies of fingerprints, or tricked by trusted family members or housemates when the legitimate user is asleep.

The scourge of AI deepfakes is also casting doubt on the reliability of biometrics for authentication. Research firm Gartner predicts that “by 2026, attacks using AI-generated deepfakes on face biometrics will mean that 30% of enterprises will no longer consider such identity verification and authentication solutions to be reliable in isolation.”

Experts recommend that companies use multiple types of authentication simultaneously and escalate quickly if they see warning signs. For example, if the fingerprint is a match but the face isn’t, or the account is being accessed from an unusual location at an unusual time, it might be time to switch to a backup authentication method or a second communication channel. This is particularly critical for financial transactions or password changes.
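The escalation logic described above, written out as an added example (hypothetical policy code, not from any vendor or from the original article): two biometric factors are evaluated together with the login context, and any disagreement between factors, or contextual anomalies on a sensitive operation, falls back to a second factor or channel rather than trusting a single match.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"       # both biometrics agree and the context looks normal
    STEP_UP = "step_up"   # switch to a backup factor or a second communication channel
    DENY = "deny"         # both biometrics failed outright


@dataclass(frozen=True)
class AuthSignals:
    fingerprint_match: bool
    face_match: bool
    usual_location: bool   # assumed to come from a geolocation baseline
    usual_time: bool       # assumed to come from a time-of-day baseline


# Constructed operation labels; a real system would map these from its own request types.
SENSITIVE_OPERATIONS = {"transfer_funds", "change_password"}


def decide(signals: AuthSignals, operation: str) -> Action:
    """Risk-based escalation: never let one passing biometric carry the decision alone."""
    both_failed = not signals.fingerprint_match and not signals.face_match
    if both_failed:
        return Action.DENY

    # One modality passed and the other did not (e.g. face changed by makeup, illness,
    # or a presentation attack on one sensor): escalate instead of picking the winner.
    if signals.fingerprint_match != signals.face_match:
        return Action.STEP_UP

    anomalies = int(not signals.usual_location) + int(not signals.usual_time)

    # Financial transactions and password changes escalate on any contextual anomaly.
    if operation in SENSITIVE_OPERATIONS and anomalies > 0:
        return Action.STEP_UP

    # Ordinary operations escalate only when both location and time are unusual.
    if anomalies == 2:
        return Action.STEP_UP

    return Action.ALLOW
```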

Types of biometric identifiers

A biometric identifier is one that is related to intrinsic human characteristics. They fall roughly into two categories: physical identifiers and behavioral identifiers.

Physical identifiers

Physical identifiers are, for the most part, immutable and device-independent. These include:

Behavioral identifiers

Behavioral identifiers are a newer approach and are typically used in conjunction with another method because of their lower reliability. However, as technology improves, these behavioral identifiers may increase in prominence. Unlike physical identifiers, which are limited to a certain fixed set of human characteristics, the only limit to behavioral identifiers is the human imagination.

Today, this approach is often used to distinguish between a human and a robot. That can help a company filter out spam or detect attempts to brute-force a login and password. As technology improves, the systems are likely to get better at accurately identifying individuals, but less effective at distinguishing between humans and robots. Here are some common approaches:

What are the privacy risks of biometric authentication?

Some users might not want companies collecting data about, say, the time of day and the locations where they typically use their phones. If this information gets out, it could potentially be used by stalkers or, in the case of celebrities, by tabloid journalists. Some users might not want their family members or spouses to know where they are all the time.

The information could also be abused by repressive government regimes or criminal prosecutors overstepping boundaries. Foreign powers might use the information in an attempt to influence public opinion. Unethical marketers and advertisers might do likewise. In 2018, a fitness app was discovered to be collecting information about user locations and exposing it in a way that revealed the location of secret U.S. military bases and patrol routes.

Any of these situations could potentially lead to significant public embarrassment for the company that collected the data, regulatory fines, or class-action lawsuits. If DNA scans become widespread, they give rise to a whole new area of privacy concerns, including exposure of medical conditions and family relationships.

How secure is biometric authentication data?

The security of biometric authentication data is vitally important, even more so than the security of passwords, since passwords can be easily changed if they are exposed. A fingerprint or retinal scan, however, is immutable. The release of this or other biometric information could put users at permanent risk and create significant legal exposure for the company that loses the data.

At the end of the day, every company is responsible for its own security decisions. You can’t outsource compliance, but you can reduce the cost of compliance, and the possible repercussions of a leak, by picking the right vendor. If a small or mid-sized company uses, say, Google’s or Apple’s authentication technology and there’s a security breach with Google or Apple, it’s likely Google or Apple will get the blame.

In addition, companies that don’t keep credentials on file have some legal protections. For example, many retailers can avoid substantial compliance costs by keeping their systems “out of scope.” Payment information is encrypted right at the payment terminal and goes straight through to a payment processor. Raw payment card data never touches the company servers, reducing both compliance implications and potential security risks.

If a company needs to collect authentication information and keep it on its own servers, best-practice security measures should be applied. That includes encryption both for data at rest and data in transit.

Encryption is not an absolute guarantee of security, of course, if the applications or users that are authorized to access the data are themselves compromised. However, there are a couple of ways that companies can avoid keeping even encrypted authentication data on their servers.

Where is biometrics used? Enterprise use cases

IDC predicts that European companies will spend $6.1 billion on biometrics solutions by 2026. Driven largely by efforts around automation and digitization in both employee experience and customer experience, biometrics will replace more traditional authentication and identification methods.

These are the top enterprise use cases where businesses plan to invest in biometrics, according to the IDC research:

Biometrics use cases and investment focus vary by industry. In finance, for example, biometrics investments will go to providing a more streamlined customer experience while also improving fraud prevention and detection. In transportation, smart ticketing will help to speed processing time at various checkpoints, like baggage drop and airport security. And in manufacturing, investments in biometrics will be focused on employee experience, including time tracking and access control.

Biometrics for authentication: two approaches

Local or device-based biometric authentication

The most common example of a local authentication mechanism is the hardware security module in a smartphone. User information — such as a fingerprint scan, facial image or a voice print — is stored inside the module. When authentication is required, biometric information is collected by the fingerprint reader, camera or microphone and sent to the module where it’s compared to the original. The module tells the phone whether or not the new information is a match to what it already had stored.
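A toy model of that device-local flow, added here as an example (it is not any phone vendor's implementation): the enrolled template is held only inside the module object, a fresh capture is compared inside it, and the caller receives nothing but a yes/no verdict. The feature vectors are constructed 8-byte stand-ins for real fingerprint data, and the bounded-Hamming-distance comparison is an assumption that illustrates why biometric matching is fuzzy and why the threshold position trades false rejects against false accepts, the failure modes discussed earlier on this page.

```python
from typing import Optional


class SecureModule:
    """Models an on-device secure module: the template never leaves this object."""

    def __init__(self, threshold: int = 4) -> None:
        self._template: Optional[bytes] = None
        self._threshold = threshold   # max differing bits still counted as a match

    def enroll(self, sample: bytes) -> None:
        """Store the reference capture; enrollment happens once per module."""
        if self._template is not None:
            raise RuntimeError("template already enrolled")
        self._template = bytes(sample)

    def verify(self, sample: bytes) -> bool:
        """Compare a fresh capture against the stored template, inside the module.

        Two captures of the same finger never agree bit for bit, so a capture
        within `threshold` differing bits is accepted. Only the verdict is returned;
        the template and the raw distance stay inside the module.
        """
        if self._template is None or len(sample) != len(self._template):
            return False
        distance = sum(bin(a ^ b).count("1") for a, b in zip(self._template, sample))
        return distance <= self._threshold

    # Deliberately no getter: the phone only ever learns match / no match.


# Constructed 8-byte "feature vectors" standing in for fingerprint minutiae data.
ENROLLED = bytes.fromhex("a5c3f00f12345678")
GENUINE = bytes.fromhex("a5c3f00f12345679")   # 1 bit differs: ordinary sensor noise
IMPOSTOR = bytes.fromhex("5a3c0ff0edcba987")  # every one of the 64 bits differs


def run_with_threshold(threshold: int) -> dict:
    """Enroll once and test both captures at a given threshold."""
    module = SecureModule(threshold=threshold)
    module.enroll(ENROLLED)
    return {"genuine": module.verify(GENUINE), "impostor": module.verify(IMPOSTOR)}
```

With the default threshold the genuine capture matches and the impostor does not; a threshold of 0 produces a false reject of the genuine user, and a threshold of 64 produces a false accept of the impostor.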