The global biometric market could grow from $16.80 billion in 2018 to $41.80 billion in 2023, at a CAGR of 19.99%, according to a MarketsandMarkets report (via PR Newswire). From fingerprint recognition to acoustic, palm vein scanning, and facial recognition technology, biometrics have already been widely embraced by many business sectors.

The growth of biometrics is directly related to increasing concerns about instances of data breaches.  When attackers capture identity credentials they potentially reuse them across numerous sites of sensitivity such as banking websites, social networks, and email providers. Confidential documents could be exploited and used for criminal means – the repercussions are significant.

The fintech market has been quickest to adopt available biometric technologies, as well as digital payments and blockchain methods, for identity confirmation across the customer journey in functions like financial payments and customer onboarding.

Facial recognition to withdraw cash at banks may not be too far off, as shown in use at CaixaBank, Barcelona. Credit: CaixaBank.

Beyond fintech, in these difficult times of Covid-19, biometrics enable organisations of most varieties to minimise risk by reducing human interactions in transactions.

Password management – ‘too difficult’

Passwords are an ancient data protection strategy. Thousands of years before the computer was invented, the Roman military was using watchwords in order to distinguish allies from enemies. As computer technologies have rapidly developed, so has the need for heightened sophistication of password technology.

A password manager is one basic protective mechanism, essentially online due diligence in order to automatically generate unique, long, random passwords, but cybersecurity experts are saying it is not enough. According to av-test.org, only 1 in 10 people use a password manager, leaving many vulnerable to being phished.

Multi-factor checks – ‘no guarantee’

Multi-factor authentication provides a second layer of defence in case a user’s primary credentials are compromised. MFA options include a one-time passcode or Duo Security, Google Authenticator and LastPass.

Yet concerns are being voiced around the future sufficiency of MFA methods. They can be costly, and also remain phishable,  with attackers are in parallel becoming more skilled at developing multi-factor automated phishing tools.

Enter biometrics

Biometrics effectively ramp up the efficiency and sophistication of cybersecurity. First popularised by Apple and other device-innovators some six years ago, biometrics take the form of fingerprint scanners, palm vein scanning and even liveness checks – where electrical conductivity or recorded vein pulses or eye blinks are required before entry or access is permitted.

Liveness detection technology is advancing as a means to further reduce friction in the authentication process. Credit: BiometricUpdate.com.

Whereas with passwords there is a finite number of options that hackers can hypothetically guess or phishers can con you into sharing, biometrics are much more difficult to crack. In order for your biometric identity to be compromised, you would have needed to share your specific features.

This complexity is increasing with 3D biometric technology that enables multiple biometric factors to be scanned, increasing the difficulty of user impersonation.

Not only are biometrics very secure; on a simple level they’re built to improve the user experience.

Most smartphones, such as the latest iPhone edition, now use face recognition to unlock phones – having cameras capture an image of the user’s face and match it to the device.

Apple’s iPhone now has interactive, multi-angled scanning. Credit: Apple.

Yet even these supposedly unique features do not guarantee full security.

Fake fingerprints and facial images can be created.  Android phones have recently updated their facial recognition technology to cater to 3D camera depth, with previous 2D facial recognition used on virtually all Android phones able to be fooled by a high-resolution photo – and chastened for being “largely security theater”.

The approach of combining passwords and biometrics in order to counter threats is being well received by the cybersecurity community. Duo is a popular example that has constructed a proof of identity audit that requires the user to be in possession of a device holding a secret key and also to use a biometric verifying their identity on that device.

Questions of intent

Evidently, not all of us are on board with biometrics. Building market acceptance of biometrics will inevitably involve governments and businesses being transparent about the effectiveness of their biometric security options.

Contrary to fears, when we use our fingertip or face to unlock our computer or log into a website, we’re typically not actually passing on biometric information as we would with a password. The biometric actually locally unlocks a secret key held on the device, and then that security key is used to log in.

A leading authentication standards body – the FIDO alliance – has been established that specifies a required certification to counter attack strategies: of no more than 3 in 100 failure attempts by a valid biometric, and no more than 1 in 10,000 success attempts by an invalid biometric. Keeping the former low is necessary to usability, but keeping the latter low is critical for security.

Some companies, like Apple, Hitachi and Fujitsu are already reporting on this.

Apple, for example, provides an outline of its biometrics, encryption and data protection efforts in its 2020 Platform Security Guide, noting some convincing figures. The likelihood of a random person being able to unlock a user’s iPhone or other Apple device is 1 in 50,000 with Touch ID, and 1 in 1,000,000 with Face ID, the guide says.

As the technology develops, the maddening difficulty of recalling your many different passwords looks set to be a thing of the past.