And Why is Identity-Bound Biometrics Different?
Ever since biometrics made its Hollywood debut in international espionage movies, there’s been quite a bit of misrepresentation. The scene of vast digital catalogs housing people’s actual images and fingerprints has seeped through the big screen to mold – and misconstrue – our perceptions of biometrics in reality.
If you want to know how biometric authentication really works – keep reading. If the truth behind so many myths and misconceptions piques your interest – keep reading. If the spy-thriller genre is just too much to resist, you can stream “No Time to Die” on Amazon Prime or Apple TV.
Myth #1: Biometrics Can Be Stolen & Reused by Hackers
Reality: Certain types of authentication factors, like ‘something you have’ (hardware token, phone-based methods, proximity cards) and ‘something you know’ (passwords, PINs) can easily be stolen. A biometric cannot. A bad actor can attempt to copy or forge biometric data or try to steal templates out of a server, but that information can never truly be stolen.
Now, you may be asking yourself, “But if it can be copied or faked, what about preventing fraud and ‘resetting’ a biometric that’s been stolen?”
Fair questions to ask. While spy movies depict forging a retinal or facial scan as an easy feat, that is far from the truth. Enterprise-level biometrics, such as Identity-Bound Biometrics (IBB), will have Presentation Attack Detection (PAD) checks and balances in place to prevent the use of a fake or forgery. Also, the biometric data which is centrally stored is strongly protected using encryption, algorithmic manipulation, and other controls that render any stolen biometric data useless. Again, the high level of security of IBB does not come from keeping your biometric a secret, but instead from maintaining the integrity of the matching process that occurs each time you scan a biometric and compare it to the originally enrolled template, and from the difficulty of impersonating an individual.
- BIO-key's Identity-Bound Biometrics (IBB) uses patented, world-class technology and algorithms, along with built-in liveness detection to provide foolproof PAD and the highest levels of biometric security. That means imposters cannot use forgeries like scanned pictures or 3D-printed models to fake your identity.
Myth #2: Storing and Managing Biometrics Inevitably Results in a Lawsuit
Reality: It is true that there have been a handful of lawsuits around the storage and maintenance of biometrics, but they have all come as a result of improper methods of storing biometric data and of obtaining consent to store it.
For example, in October of 2022, an Illinois jury found that the BNSF Railway Company violated the state’s Biometric Information Privacy Act (BIPA) by collecting fingerprints from more than 45,000 truck drivers – without consent.
There is a similar law in California, CCPA, that mandates any entity collecting biometric data must receive end-user consent first and, if they do not, that organization or business can be sued.
The guardrails of laws like CCPA and BIPA are cut and dried, but that does not – by any means – make it inevitable that a lawsuit will be coming your way for storing, handling or managing biometric information. It just needs to be done the right way, with the end-user's privacy in mind.
Identity-Bound Biometrics is built with privacy and security in mind – for both the enterprise/data manager and the end-user. With IBB, all individuals are required to give consent before enrolling themselves and their biometric data, and can remove or manage their enrollment as they please. As the organization, you can be confident that you’re compliant with all state and/or federal laws around the collection of biometrics.
Myth #3: Biometrics Are Expensive & Time Consuming to Use
Reality: Just like anything else, biometrics can be expensive – but they certainly don’t need to be. Compared to password-based authentication methods, which cost large organizations up to $1 million each year, most biometric authentication solutions are far more cost-efficient.
With many biometric solutions, including Identity-Bound Biometrics, there is no additional hardware required, like needing to purchase multiple hardware tokens for each employee. Phone-based methods also come with a cost, as many employers are required to foot the bill for a mobile device or data plan. IBB is device-agnostic, so organizations and end-users have the flexibility to choose how they want to authenticate without being forced into purchasing additional, costly items.
In terms of time consumption, an authentication method using biometrics is a quicker and far more efficient approach. A biometric capture and match can accurately verify an individual in less than 2 seconds with statistically insignificant false rejection and false acceptance rates. For Multi-factor Authentication (MFA), the painstaking process of typing in your password and then waiting minutes for a one-time password (OTP) is all too familiar. Instead, biometrics offer a great user experience as a tap of a finger using a fingerprint scanner, a quick palm scan, or facial recognition scan can authenticate the approved user virtually instantly.
The reluctance to swiftly adopt biometric technology for authentication is understandable. It’s new (relatively) and challenges the status quo of phone-based methods and hardware tokens. Anything new and different takes time to a) understand; and b) accept and adopt. With millions of people around the world using device-native biometrics, such as Apple Face ID or Touch ID and Android Biometrics, we’re seeing biometric adoption becoming more widespread. What’s more, a survey conducted by Visa showed that 86% of consumers want to use some form of biometric system for authentication instead of a password-based approach.
Although adoption at the enterprise level won’t be as quick, user authentication with biometrics is trending up – especially with Zero Trust becoming more of the norm. The reality is that cloud-based biometric authentication solutions, like IBB, are the most convenient and secure option for administrators and end-users alike. With Identity-Bound Biometrics, a one-time enrollment makes it easy to use across devices and locations. For admins, the enterprise-controlled environment prevents account handovers to ensure only approved individuals can use account privileges.