
Biometrics - better security without passwords?

Fingerprints and facial geometry allow secure and convenient authentication of users. What you need to pay attention to during implementation!
April 05, 2024


  • Identification systems based on biometric data offer a good combination of security and convenience.
  • When introducing biometric systems, increased requirements for the protection of personal data must be respected.
  • Biometric features are difficult to falsify, but should never be used as the sole authentication for access to critical systems.

Modern IT security is unthinkable without biometrics. Whether on cell phones or PCs, biometric features such as fingerprints and facial geometry are used billions of times every day to log in to devices. They promise security and convenience, as they save users from having to enter complex logins and passwords. But how secure is the technology really? What basics are necessary, and what needs to be considered if you want to use biometrics in IT security? This post provides an overview.

How does biometrics work?

The term biometrics covers a range of different processes. The best known is probably fingerprint recognition, which is used in many smartphones. Since Apple introduced the FaceID system in its products, the recognition of facial geometry via cameras has also become widespread.

There are also other methods that enable biometric recognition. For example, the iris or retina of the eye can be used for identification. The vein pattern of the hand is also suitable and DNA analysis also enables precise identification.

In addition to these common methods, there are also more exotic approaches: For example, there are methods that can recognize people based on their way of walking, their body odor, their signature or their typing behavior on a keyboard.

Four important factors

No matter which method is used, it must fulfill four requirements:

  • Uniqueness: The characteristic must actually occur in only one person.
  • Consistency: The characteristic must not change with age or environment.
  • Measurability: There must be clearly defined measurement parameters and procedures.
  • Universality: As many people as possible should possess the biometric characteristic in question.

Are fingerprints truly unique?

For over a century, fingerprints have been considered the ideal means of uniquely identifying people. The method is based on the as yet unproven assumption that every fingerprint is absolutely unique.

A study from 2024 calls this hypothesis into question. An AI-based analysis of over 60,000 fingerprints has shown that there are significant similarities between the patterns of different fingers.

However, this does not raise any problems for biometrics, because the similarities found exist between the different fingers of one and the same person. It therefore remains practically impossible for two different people to be matched on the basis of one fingerprint.

The required technology

In principle, all biometric recognition works according to the same method.

  1. First of all, the user must be registered. During this enrolment, all relevant characteristics are recorded that are necessary to uniquely identify him or her.
  2. Templates are created from this data with an algorithm. They no longer contain the raw data recorded by the respective sensor, but only the information required for subsequent comparison. These templates are stored in encrypted form.
  3. If a person is to be biometrically identified later, the new data set (e.g. the finger on the sensor) is compared with the data stored in the template during the matching process. There is practically never an exact match between the data. They are therefore not checked for absolute equality, but for sufficient similarity within a previously defined tolerance.
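As an added illustration of the three steps (not code from the original post), the toy Python below enrols a constructed feature vector, keeps only a derived template filed under a random pseudonym, and then accepts a later, slightly noisy capture by similarity within a tolerance rather than by exact equality. The feature vectors and the cosine-similarity scoring are assumptions chosen for the example, not a real sensor's output or algorithm.

```python
import math
import secrets

# Constructed toy feature vectors standing in for sensor data; real
# templates are far richer, but the comparison logic is the same in spirit.
ENROLLED_RAW = (0.30, 0.55, 0.20, 0.75, 0.10)     # capture at enrolment
SAME_FINGER_RAW = (0.31, 0.54, 0.21, 0.74, 0.11)  # later capture, sensor noise
OTHER_PERSON_RAW = (0.70, 0.10, 0.60, 0.20, 0.50)

def make_template(raw):
    """Step 2: derive the comparison template (a unit-length vector) from the
    raw capture. Only this derived form is retained; the raw capture is not."""
    norm = math.sqrt(sum(v * v for v in raw)) or 1.0
    return tuple(round(v / norm, 6) for v in raw)

def enrol(store, raw):
    """Step 1: register a user. The template is filed under a random
    pseudonym instead of a name (assumed design choice for this example)."""
    pseudonym = secrets.token_hex(8)
    store[pseudonym] = make_template(raw)
    return pseudonym

def similarity(template, probe_template):
    """Cosine similarity of two unit vectors: 1.0 means identical features."""
    return sum(a * b for a, b in zip(template, probe_template))

def verify(store, pseudonym, probe_raw, tolerance=0.02):
    """Step 3: matching. A probe is accepted when its similarity lies within
    `tolerance` of a perfect score; exact equality is never required."""
    score = similarity(store[pseudonym], make_template(probe_raw))
    return score >= 1.0 - tolerance, round(score, 4)

if __name__ == "__main__":
    db = {}
    uid = enrol(db, ENROLLED_RAW)
    print("same finger, noisy capture:", verify(db, uid, SAME_FINGER_RAW))
    print("different person:          ", verify(db, uid, OTHER_PERSON_RAW))
    # Widening the tolerance is what turns a different person into a match,
    # which is why the threshold is fixed up front and not loosened ad hoc.
    print("different person, loose:   ", verify(db, uid, OTHER_PERSON_RAW, 0.5))
```

The last call shows the trade-off behind the "previously defined tolerance": a generous threshold cuts false rejections of legitimate users but starts accepting other people's features.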

In addition to an appropriate scanner, such as a camera system, a powerful computer is also required to implement this method. It must not only be capable of carrying out the matching but also of encrypting sensitive data quickly and securely.

Requirements for companies

When using biometric procedures in companies, it is important that the data collected is actually only used for the intended purpose, for example for access control or for logging into systems. Other data must be removed from the raw data – in other words, only template data may be stored.

Ideally, biometric data should be stored with the employee, for example on a chip card or within a smartphone app. If biometric data has to be stored centrally, it has to be pseudonymized and encrypted.

Important: When introducing biometric procedures, both the works council and data protection officers should be involved at an early stage. Covert recording of employees is not permitted.

How secure are biometric systems?

The level of security varies greatly depending on the method used. For example, there are facial recognition systems that only work with one camera. Some of these can be tricked with a simple photo. Advanced facial recognition systems (such as FaceID from Apple or Hello from Microsoft) therefore use up to three cameras and the associated recording of facial geometry – and thus achieve a very high level of security.

The situation is similar with fingerprint scanners. Simple systems only recognize the pattern of the fingertip, while better sensors measure whether it is actually a finger or just an object with a pattern on it.

In general, biometric methods offer a good compromise between security and convenience. Most systems can be bypassed, but the effort involved is high.

For critical systems, biometrics should never be used alone, but always in combination with other authentication factors (such as passwords, key generators, etc.).

Does biometrics pose a data protection risk?

Biometric data enables the direct identification of persons. Storing it is therefore subject to the Federal Data Protection Act. If the data collected allows conclusions to be drawn about ethnic origin or health status (e.g. iris scan, facial recognition, etc.), it is considered particularly sensitive, and the explicit consent of the data subject is required for its collection. Regardless of the type of biometric data collected, the information should only be stored in encrypted form and, ideally, never centrally on a server but in a decentralized manner, with the respective user.

The German Federal Office for Information Security (BSI) advises that biometric systems should only be used sparingly. Unlike a lost password, fingerprints, facial geometry etc. cannot simply be replaced once they have been compromised. Biometric data should therefore only be stored with trustworthy providers.

It is also important during implementation that biometric data should never serve as the sole access credential. Combining it with passwords, PINs etc. increases the security and reliability of the login.

Verdict: Biometrics as a good compromise between security and convenience

Used sensibly, biometrics can enhance the security architecture of an organization. User acceptance is high, handling is simple and recognition quality is high. Nevertheless, important points such as data protection, encryption, consent requirements and thorough employee training must be taken into account when introducing biometrics. If these factors are met, biometrics is more secure and convenient than many other authentication methods.
