The introduction of Apple’s TouchID made fingerprint readers widely available for a large user population. Today, there are countless applications (including mobile banking apps) making use of this biometric authentication mean. In addition, other biometric authentication means are appearing in online applications. The USAA (serving millions of US military members and their families with insurance, banking and investment services) with its application of face and voice recognition technology in mobile banking [1] is one prominent example, that is cited often.

These examples illustrate that biometrics has become a hot topic for online businesses over the last two years. In our daily consulting work we experience that our clients are also very interested in biometrics and often have big expectations. And of course, biometric solutions make huge promises regarding convenience, secure identification of a person, introduction of a third authentication factor, but also regarding perceived security. So the question needs to be asked: is biometrics really the silver bullet as it is considered by many business stakeholders?

I’ve already mentioned positive aspects, but of course there are also issues associated with biometric authentication schemes. Examples include false negatives and positives, privacy concerns, and the fact that a biometric factor is non-renewable (unlike e.g. a password).

When evaluating biometrics there is an additional topic which is very important but often neglected. It all orbits around the question: who controls the sensor?

The sensor is the piece of hardware that records the physical properties of the person that wants to get access to a system. For example, this can be a camera, microphone, or a fingerprint scanner.
Now, imagine a physical access control, e.g. an entry into a datacenter. Operating companies often install a biometric sensor e.g. a vein or iris scanner to verify the identity of personnel that wants to enter into the sacred halls. In this case, the operating company installs the biometric sensor, it owns it, and consequently it controls it and can mitigate abuse. Having control over the sensor allows to ensure that the data received from it is not replayed, fabricated, or compromised in any other way.

Let’s compare that with a fingerprint sensor on a smartphone. In this case, the sensor is controlled by the smartphone and its user. When the sensor is used to grant access to the phone itself this is comparable with the above example (granting physical access to a datacenter). However, a remote service provider has no possibility to verify the integrity of the sensor. It even cannot verify, if such a sensor exists on a particular device. The server side solely relies on hope that the biometric data was captured by the sensor on the remote device and sent directly to the server. An attacker who could intercept this biometric data sent from the smartphone to the remote server could easily replay it to fake an authentication without even using a fingerprint sensor.
In an alternative scenario, the sensor already makes the decision regarding the authenticity of the biometric data. It then only sends its decision result to the server. Here it’s even more obvious that the server relies solely on its trust in the sensor on the remote device.

These examples illustrate the importance of sensor control for biometric authentication. Without sensor control, the authentication data arriving on the server side can have an arbitrary and non-biometric origin. From this, it can be concluded that employing biometrics in a setup, where you don’t control the sensor is virtually impossible.

As you can see, using biometrics for authentication has its pitfalls and it is important to properly evaluate the situation and the biometrics schemes that are solution candidates. In my opinion there are three main points that need consideration:

  1. Make sure, you really understand the concrete mechanisms in particular the way a sensor captures information and how the authentication decision is made. Don’t let yourself fool by any kind of woodoo proprietary and secret magic

  2. The location and control of the sensor is key

  3. Keep in mind, controlling access to a device, e.g. a smartphone or a building door is the main area of application for biometrics


[1] https://www.usaa.com/inet/pages/enterprise_howto_biometrics_landing_mkt?akredirect=true