Two-factor biometric authentication: Can biometrics really enhance security?

Two-factor biometric authentication is generally considered safer than other identification methods, but it also has limitations.
    • Author: Quantumrun Foresight
    • October 23, 2023

    Insight Summary

    As smart devices become more advanced, they provide new and more accurate ways to enable biometric authentication. These features include higher resolution cameras, infrared technology, and iris scans. Most smart devices now have a fingerprint lock and face ID for two-factor biometric authentication (2FA), which is a lot more secure than just passwords. However, 2FA is still not as foolproof as security providers want it to be.

    Two-factor biometric authentication context

    Biometric 2FA is a subset of the multi-factor authentication (MFA) security method, which combines as many as three factors to verify identity. 2FA aims to demonstrate that a user seeking access to an organization's application or service is who they claim to be by using two independent sources of evidence. Some examples of biometric evidence are fingerprints, retinal and facial scans, and voice patterns. These elements are combined with other factors like OTPs (one-time passwords, usually codes sent as SMS), passwords, and personal identification numbers (PINs). What 2FA and MFA provide for companies is enhanced security, as most people don’t know how to create particularly strong passwords.

    Aside from ensuring that employees’ identities are verified, companies are mandated by several organizations to apply MFA. For example, the Payment Card Industry Data Security Standard (PCI-DSS), a global policy that regulates the collection and storage of credit card holder information, requires fintechs or financial institutions to apply 2FA security to their networks of employees, administrators, and third-party providers. Additionally, internet banking apps and providers are highly encouraged by the US Federal Financial Institutions Examination Council to integrate 2FA measures in consumer online banking services.

    Disruptive impact

    Several types of technology support biometric 2FA. The first is second channel authentication, which enables people to use their mobile phones as security tokens through SMS codes or interactive telephone calls to verify voice samples. This method is often used in online shopping. Another technology used is hardware tokens, which can be carried in pockets and contain digital certificates or fingerprints. Other devices include fingerprint, palm, hand geometry, iris, and retina scanners, voice prints, and keyboard dynamics (the speed at which an individual types). Among these biometric scanners, most experts agree that eye scans are the most accurate method. Facial scans, while generally effective, can be influenced by angles and expressions.

    Despite the advantages of biometric authentication, there are also some limitations. Experts point out that biometric 2FA often authorizes the device, not the user. As a result, false positives can occur where someone is incorrectly identified as the rightful owner of a device or account. Another disadvantage is that biometrics can be spoofed, meaning someone can create a fake biometric sample that tricks the authentication system. Finally, biometrics can also be hacked and stolen, leading to more severe data privacy violations than password leaks. Although 2FA is more secure than just passwords and PINs, this method is not enough for modern organizations. Likewise, organizations should consider using a centralized database, where identities can be securely stored and authenticated rather than relying on device-based authentication.

    Implications of two-factor biometric authentication

    Wider implications of two-factor biometric authentication may include: 

    • More companies choosing to implement biometric 2FA instead of current MFA methods, which combine at least three identification samples. However, many people might find such security protocols too cumbersome and intrusive.
    • More people hesitating to provide biometric samples as devices become more intrusive.
    • Increasing investments by criminal syndicates and intelligence agencies in exploring methods to hack biometric MFA, which may eventually lead to more damaging data theft and attacks on company systems.
    • Companies being regulated and mandated to reveal how they collect and store biometric information, including how long they will keep these samples in their databases.
    • The elderly being unable to use biometric 2FA because of technological challenges and (in some cases) the inability to give consent. 
    • Continued advancements by tech firms to safeguard biometric 2FA data and simplify the onboarding and use of biometric 2FA among the general population and within corporate environments.

    Questions to comment on

    • What are the biometric 2FA methods being used in your company or community?
    • What are the other possible limitations or challenges of this security method?
