1. How do biometrics work?

Biometric technology works by comparing a specific part of the human body with registered data for purposes of authentication, identification or health monitoring. Every biometric system is different, but they all follow the same three basic steps: enrollment, storage and comparison. In the case of authentication, the first time you use a biometric system, it records basic information about you, like your name or an identification number. It then captures an image or recording of your specific biometric trait. Contrary to what you may see in movies, most systems don’t store the complete image or recording, but instead analyze your trait and translate it into a code called a template. The next time you use the system, it compares the trait you present to the information on file. Then, based on that comparison, it either accepts or rejects your authentication request.

2. Why is biometric technology becoming so popular on mobile devices?

To put it simply, biometric technology offers stronger and more convenient security than previous authentication methods. Passwords and PINs can both be compromised or forgotten, and must be changed on a regular basis. Since users are using their smartphones to access their many accounts, having a single strong authentication factor presents an attractive level of convenience while improving security. Because a biometric system is based around who a user is and not what they know or have, it is more intuitive to use than a password – especially considering that the username/password system in place was developed for devices with a QWERTY keyboard – and much more difficult to compromise. Thanks to recent innovations, biometric solutions are becoming increasingly accessible and recent high-profile security breaches have underlined a need for better-than-password technology.

3. What is the difference between visible and invisible biometrics?

The term “invisible biometrics” refers to identifiable biometric data that isn’t obvious to the naked eye. In Mobile ID, these include voiceprint recognition, vital biometrics, walking gait and physical or logical behavior analysis. Visible biometrics, on the other hand, rely on physical traits like hand and fingerprint patterns, vein images, patterns on a user’s eye and facial recognition.

4. How does identification differ from authentication?

Biometric identification, frequently used in law enforcement and border control, is the process of comparing a user’s live biometric sample with many templates stored in a database in order to see if the subject is listed within the dataset. Biometric-based authentication is the process of confirming the asserted identity of a user by comparing their live biometric sample with a particular record in the database.

Biometric identification may occur without the subject’s consent or even knowledge – such as in police surveillance efforts – whereas authentication generally involves active participation from the end user, who usually initiates the process.
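The enroll, store and compare steps from question 1 and the two matching modes described here, as an added example that is not part of the original page. The cosine-similarity comparison, the 0.95 threshold, the `TemplateStore` class and the sample captures are assumptions made for illustration.

```python
import math

THRESHOLD = 0.95  # assumed decision threshold on cosine similarity

def make_template(features):
    """Reduce a raw capture (here a list of numbers) to a unit-length template."""
    norm = math.sqrt(sum(x * x for x in features))
    if norm == 0:
        raise ValueError("empty capture")
    return tuple(x / norm for x in features)

def similarity(a, b):
    """Cosine similarity of two unit-length templates."""
    return sum(x * y for x, y in zip(a, b))

class TemplateStore:
    def __init__(self):
        self._records = {}  # user id -> stored template, never the raw capture

    def enroll(self, user_id, capture):
        self._records[user_id] = make_template(capture)

    def verify(self, claimed_id, capture):
        """Authentication (1:1): compare against the claimed record only."""
        stored = self._records.get(claimed_id)
        if stored is None:
            return False
        return similarity(stored, make_template(capture)) >= THRESHOLD

    def identify(self, capture):
        """Identification (1:N): search every record, return best id or None."""
        probe = make_template(capture)
        best_id, best = None, THRESHOLD
        for user_id, stored in self._records.items():
            score = similarity(stored, probe)
            if score >= best:
                best_id, best = user_id, score
        return best_id

def demo_store():
    # Constructed sample captures; real systems derive features from sensor data.
    store = TemplateStore()
    store.enroll("alice", [0.9, 0.1, 0.3, 0.7])
    store.enroll("bob", [0.2, 0.8, 0.6, 0.1])
    return store

ALICE_LIVE = [0.88, 0.12, 0.31, 0.69]  # constructed: noisy re-capture of alice
STRANGER = [0.1, 0.1, 0.9, 0.9]        # constructed: nobody enrolled
```

`verify` needs an asserted identity and touches one record, while `identify` takes only a sample and scans the whole store, which is why it can run without the subject taking part.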

5. How does Mobile ID fit into the Internet of Things?

The Internet of Things is blossoming across the consumer, enterprise, and industrial markets. As the IoT grows and proliferates into all areas of society, Mobile ID solutions offer two major benefits:

1. Mobile ID solutions can help end users interface with smart devices, either from an experience standpoint (the device senses your unique ID and reacts accordingly) or an administrative perspective (using voiceprint and speech recognition to change the settings on a connected device).

2. Mobile ID solutions can offer much needed, network-wide security. As IoT solutions begin to flood into the market, experts are scrambling to find strong security solutions that can protect interconnected networks from sophisticated cyber threats, and mobile identity helps to ensure that end user touchpoints are secure.

6. What is the difference between on-device and in-the-cloud biometric matching?

On-device biometric matching is common across biometrics-enabled smartphones and a growing number of other devices. In this framework, biometric templates are stored in a secure place on the mobile device that can only be accessed by the authentication technology. Data is not transmitted to external servers; instead, the entire authentication process plays out within the device itself. On-device matching is therefore touted as an answer to the privacy concerns that inevitably spring up around biometrics, and as a safeguard against the threat of server-wide data breaches and hack attacks.

In-the-cloud matching has the biometric templates stored on the servers of service providers and institutions requiring a specific, uniform level of security. The biometric is scanned by an end user with their device, sent to the servers of the authentication provider, and authenticated behind a secure firewall. Many believe this approach to be ideal for mobile banking transactions and it has clear benefits in enterprises that allow for BYOD (Bring Your Own Device). Cloud-based biometric matching can theoretically be done from any capable device, meaning end users don’t need to have one particular smartphone at hand in order to authenticate.

7. Can a biometric be stolen?

A biometric cannot be stolen in the same sense as a password or key. That is not to say that biometrics are an infallibly secure technology. Some biometric systems can be fooled into recognizing fake replicas of fingerprints, pictures of faces or voice recordings. This fraudulent practice, called ‘spoofing,’ is objectively more difficult and less scalable than password theft. Anti-spoofing technology, otherwise known as liveness detection, is constantly evolving to allow biometric solutions to detect fake features and artefacts.

What’s more, if a company storing biometric templates in a database suffers a security breach and a hacker obtains the authentication information, it poses significantly less risk than if passwords are compromised. A template is a derived code, not a biometric feature. Whereas a stolen password can be used by anyone, a stolen template is functionally useless.

8. How do second factors work in comparison to biometrics?

While a biometric is something you are, a second factor is something you have. The latter is often used in conjunction with something you know (a password or PIN), enhancing the traditional security framework; but it’s increasingly being used together with biometrics to enable even stronger security. Common second factors include tokens that generate a One Time Password (OTP), a mobile device with GPS (location based factors), and USB or NFC security keys, with models now emerging that feature embedded fingerprint sensors.

9. Do fingerprints and other biometrics change when you get older?

It depends on the biometric modality. Fingerprints and irises, for example, can both undergo subtle changes over time, but not enough that most biometric systems would be unable to match them. More importantly, the Artificial Intelligence technologies powering such biometric systems have advanced to a point where they can adjust to gradual changes in a biometric. That’s especially useful in facial recognition, with systems that can now recognize the same individual from a very young age all the way to their golden years.

10. What needs to be considered when you enroll your biometric?

For many people, enrolling in any kind of identification system – from registering as a company’s employee to opening a bank account – entails certain concerns about privacy. This is no less true of biometrics, but the rapid mainstreaming of biometric technologies in recent years has outpaced the development of regulatory standards. Government authorities are starting to catch up through legislation like Europe’s PSD2 and Illinois’ Biometric Information Privacy Act. But ongoing concerns about privacy rights, including the debate over police use of facial recognition, underscore the importance of dialogue about the role that biometrics play in everyday security, and why policies and rules should be at the forefront of the industry’s conversation.