Biometric authentication is identification of a person by measuring some aspect of what they “are”. Fingerprint, hand geometry, and eye scan (retinal or iris) measurements are all means of biometric authentication. There are others as well, including behavioral measurements such as typing rate, voice pitch and patterns, and others. Biometrics is used in information security for identity management and access control. Even DNA matching can be considered a form of biometric authentication, although for purposes of this discussion, we are examining real-time biometrics for information security.
Biometrics Pros and Cons
Everyone is unique. A useful biometric method uses a universal attribute–something that everyone possesses. But, biological attributes can change. For example, if a person injures their finger the fingerprint may no longer match. Retinal changes are possible. Temporary situations like a hand in a cast are possible too, of course. Any of the biometric means of authentication and the systems designed to use them can be evaluated based on the frequency of false positives and also the frequency of false negatives. Usually for a well designed system both of these are very low, but if they are not, or if the system is not calibrated or the user does not get an accurate initial reading for their identity during enrollment it can be problematic. Different systems have various levels of performance in different areas.
The plus side is that biometric means of identification are very difficult to impersonate. Despite what we see in spy and espionage films, copies of fingerprints, and even far more outrageous means of masquerading as another individual are more difficult than made out to be. Galvanic response, temperature, and simply the complexity of the scan make these sorts of bio-hacking extremely unlikely and the stuff of fiction. The real strength of such systems is the uniqueness of individuals. Someone can figure out or obtain a PIN or steal a keycard. Couple those with a biometric authentication factor and they become useless to the thief by themselves. Costs of all manner of computer, optical, and electronic technology keep coming down, making the out-of-reach cost of biometrics in the past an affordable option for some businesses now.
Where and Why
The cost of biometric authentication and the effort involved in it has historically meant that it was only used in places where there was need for strong authentication. Most often it is used in two-factor authentication, for example with a PIN, a card, or multi-factor authentication. I’ve had to sign in, swipe a card, use a pin, and have biometric authentication verified for access at some locations. That’s something I had, something I knew, and something I “am” all together. Very strong authentication indeed.
The question for you is: do I really need the additional factor of biometric authentication? What am I protecting and what is its value? Even if the cost is affordable, is the cost, effort, training, and change to work processes worth it? Are you doing it just because it’s cool, or because you need the additional protection? Only you can answer these questions. I find that there are many cases where businesses decide that the status quo for authentication is “good enough”, when they would be better served by two-factor authentication. I advise you to look at all your options.