
Biometric Authentication: 6 Types and 3 Ways to Integrate Biometrics with Your Applications

What Is Biometric Authentication? 

Biometrics is a secure process that verifies a person’s identity based on their unique biological characteristics, such as fingerprints or retinal scans. Biometric systems compare physical or behavioral characteristics to verified real-world data. Authentication is confirmed when the two samples of biometric data match.

Biometrics are commonly used to control access to physical and digital resources such as mobile devices, computers, and physical facilities. 

Benefits of Biometric Authentication

Traditional password-based authentication presents multiple challenges, including:

  • Password fatigue – with most people using dozens of applications on a daily basis, they simply reuse the same password for all of them. The chosen passwords are also usually easy to guess, which makes this a huge security liability.
  • Poor user experience – passwords are often forgotten and need to be reset, causing frustration for users and increasing friction in application onboarding.
  • Pressure on support and IT teams – traditional authentication methods put a lot of stress on support and IT teams. Passwords need to be reset, and IT teams need to maintain password databases and systems. 

Biometric authentication addresses these challenges:

  • No passwords – hackers have a much harder time infiltrating laptops and smartphones that are protected with biometric authentication. It’s difficult to mimic a face or fingerprint from a remote location.
  • Multi-factor authentication (MFA) – SaaS companies can now add another layer of security by combining the power of biometrics with other methods. Read more in our detailed guide to multi-factor authentication.
  • Improved customer satisfaction – biometric authentication allows users to sign up and sign in faster. It removes the need to remember passwords and is also very accurate with little need for resets.

6 Biometric Verification Methods and Common Use Cases

Here are the primary methods used for biometric verification.

1. Fingerprint Recognition

Fingerprinting is a method of automatically identifying a person’s identity by comparing two fingerprints. Fingerprint recognition is one of the most well-known biometric technologies and is the most commonly used solution for identity verification in computer systems.

Fingerprints are commonly used because they are easier to acquire compared to other biometric technologies, and have been in wide use for over a century.

Some common use cases of fingerprint recognition include:

  • Smartphone and tablet security: Many smartphones and tablets now include fingerprint scanners as a way to unlock the device and access sensitive information.
  • Computer login: Some laptops and desktop computers now have fingerprint scanners built in, allowing users to quickly and easily log into their accounts using their fingerprints.
  • Physical access control: Fingerprint recognition can be used to control access to buildings, rooms, and other secure areas.
  • Payment systems: Some point-of-sale terminals and other payment systems now include fingerprint scanners that can be used to authorize transactions.
  • Border control: Fingerprint recognition is used by border control agencies to verify the identity of travelers and ensure that they are authorized to enter the country.

2. Facial Recognition

Facial recognition software scans faces and analyzes the shape of each face. The software measures the distance between elements of a face, for example the distance between the eyes or between the nose and chin, and then creates a digital model of the facial data. During the authentication process, the software scans a face in real time and compares the resulting model to other models previously stored in the database.

Facial recognition technology is used in a variety of applications, including:

  • Security and surveillance: It can be used to identify and track individuals in real-time in public spaces such as airports, train stations, and shopping centers.
  • Law enforcement: It can be used by law enforcement agencies to identify suspects and track criminals.
  • Smartphone and device unlock: Many smartphones and other devices now use facial recognition as an alternative to fingerprints or passcodes to unlock the device.
  • Marketing and advertising: It can be used in digital advertising to track and analyze people’s reactions to specific ads, and improve targeting of ads.
  • Banking and finance: Facial recognition technology is used in banking and finance for identity verification and fraud detection.

3. Eye Recognition

There are two major eye-based authentication methods: 

  • Retina recognition involves an examiner or sensor briefly shining a light into the user’s eye, to reveal the distinctive pattern of blood vessels in the eye. The software builds a map of this pattern and compares the new authentication attempt to the original. 
  • Iris recognition works by analyzing color rings in the iris rather than blood vessel patterns.

Common use cases of eye recognition include:

  • Access control: Eye recognition can be used to grant or deny access to secure areas, such as buildings, data centers, and other facilities.
  • Law enforcement: It can be used by law enforcement agencies to quickly identify suspects and criminals.
  • Time and attendance: It can be used to accurately track employee attendance and eliminate the need for manual sign-in sheets or punch cards.
  • Mobile devices: It can be used to unlock smartphones, tablets, and other mobile devices, providing an additional layer of security beyond traditional password-based authentication methods.

4. Voice Recognition

Speech recognition software analyzes speech. The software then uses the length of the user’s vocal tract and the shape of the larynx, nose and mouth to determine a unique voice, and compares the new recording to the user’s pre-recorded voice.

Voice recognition technology is used in a variety of applications, including:

  • Virtual assistants: It enables virtual assistants, such as Amazon’s Alexa, Google Assistant, and Apple’s Siri, to respond to voice commands and perform tasks such as playing music, setting reminders, and controlling smart home devices.
  • Automotive technology: Voice recognition is used in automobiles to enable drivers to control various systems, such as the radio and navigation, hands-free.
  • Home entertainment: It is used in home entertainment systems, such as televisions and gaming consoles, to enable users to control the device and search for content with voice commands.
  • Healthcare: It is used to transcribe and analyze speech for medical research, clinical documentation, and patient-provider communication.

5. Hand Geometry

The hand shape recognition process analyzes and measures the shape of a user’s hand. This method is ideal if many users need to access the system on a regular basis. It is commonly used in airports, and has relatively high accuracy.

Common use cases of hand geometry include:

  • Physical access control: Hand geometry can be used to grant or deny access to secure areas, such as buildings, rooms, or computer systems. It can be used as a standalone authentication method or in conjunction with other forms of authentication, such as a PIN or card.
  • Voter registration: It can be used to create a unique biometric identifier for each voter, to ensure that each person is only able to vote once in an election.
  • Employment and immigration verification: It can be used to verify the identity of job applicants or immigrants, to ensure that they are legally authorized to work or reside in a specific country.
  • Retail and banking: It can be used as a form of identification and security in retail and banking sectors.

6. Signature Recognition

The signature recognition process attempts to identify a user by analyzing their handwriting. It includes two main methods of signature analysis:

  • Static analysis processes – compares a scanned signature to an ink signature or another scanned signature.
  • Dynamic signature processes – analysis of behavioral characteristics exhibited by individuals when generating a signature. Digital signature scanners are commonly used by banking institutions and retailers.

Some common use cases of signature recognition include:

  • Financial transactions: It can authenticate financial transactions, such as check or credit card transactions, to ensure that the person signing is authorized to use the account.
  • Legal documents: It can be used to authenticate the signature on legal documents, such as contracts and deeds, to ensure that the person signing is who they claim to be.

Key Features of Biometric Authentication Tools

Here are a few key features you should look for in a biometric authentication technology:

  • Accuracy rating – accuracy rating is based on criteria such as error rate, false acceptance rate (FAR), recognition rate (RR), false rejection rate (FRR). Companies should ensure that the systems they choose rank high on these parameters.
  • Anti-spoofing features – hackers are becoming increasingly sophisticated in their attempts to gain access to systems by manipulating input devices. A biometric authentication system should have strong anti-spoofing capabilities to prevent these types of attacks.
  • Usability – users must be able to accomplish biometric authentication easily and in a timely manner. This is generally measured using metrics like completion rate, number of errors, and failure-to-enroll (FTE) rate. Another key metric is user satisfaction and acceptance of the system, usually measured by surveying users and asking them about parameters like ease of use, convenience, and trust.
  • Security – biometric systems should be designed to withstand common threats, especially when employed in security-critical environments. There is now substantial experience and knowledge about vulnerabilities of biometric systems. For example, the International Organization for Standardization ISO/IEC FCD 19792 document presents a list of threats and vulnerabilities of biometric systems, which modern systems should address.

3 Ways to Integrate Biometrics with Your Applications 

Today it is easier than ever to integrate biometric authentication into applications. Let’s review several convenient APIs and standards developers can use to add biometric authentication to a software project.

1. WebAuthn: Driving the Biometric Revolution

Now that we have covered the main benefits and characteristics of biometric authentication, it’s time we get familiar with WebAuthn. This is a relatively new W3C global standard for secure web authentication that’s now supported by all leading web browsers and online platforms. WebAuthn is the driving force behind the aforementioned biometric authentication revolution.

So what is WebAuthn all about?

WebAuthn is an API, developed with contributions from Microsoft and Google, that makes it easy for web services (relying parties) to integrate strong authentication into applications. It allows strong authentication flows to be built with multiple authenticator options, covering a wider range of use cases. Biometric authentication is one of the options.

You can find many WebAuthn variations today:

When WebAuthn is implemented properly in the ecosystem, the server has to provide data that binds a user to a credential, which is essentially a private-public keypair. What does this data include? First, it has identifiers for the user and the relevant organization, commonly referred to as the “relying party”. The website then uses the Web Authentication API to prompt the user to create a new keypair.

Everything revolves around the publicKeyCredentialCreationOptions object, which contains some mandatory and optional fields that the server uses to create a new user credential.  Here is a list of fields that you’ll find more often than not.

  • challenge: The challenge is essentially a buffer of cryptographically random bytes generated on the server, and is needed to prevent “replay attacks”.
  • rp: Short for “relying party”, this describes the organization responsible for registering and authenticating the user. The id must be the domain currently loaded in the browser or a registrable parent domain of it.
  • user: This is information about the user currently registering. The authenticator uses the id to associate a credential with the user. For security reasons, it’s recommended not to use PII as the id. 
  • pubKeyCredParams: An object array that defines acceptable public key types. Each entry’s alg is a number described in the COSE registry. For example, -7 means the server accepts Elliptic Curve public keys with a SHA-256 signature algorithm.
  • authenticatorSelection: This is an optional object that helps relying parties make further restrictions on the type of authenticators allowed for registration. 
  • timeout: The time (defined in milliseconds) that the user has to respond to a prompt for registration. After that time limit, an error is returned. 
  • attestation: The attestation data that is returned from the authenticator has information that could be used to track users. 

As we’ll learn in the next sections, WebAuthn is now built into all leading tech ecosystems. It eliminates the need for passwords by using private-public keypairs (credentials). The private one is stored on the end-user’s device, while the public one is sent to the server along with a random credential ID for storage. The public key is of no use without the corresponding private one, making WebAuthn very secure.
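The fields listed above, assembled on the server together with the checks that make the challenge useful against replay. This is an added example, not code from the original article or from any vendor; the relying party `example.com`, the in-memory `pending` store and the function names are assumptions, and it covers only the clientDataJSON checks, not verification of the attestation object.

```javascript
// Added example (Node.js): registration options plus the server's clientDataJSON checks.
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Hypothetical relying party; replace with your own domain and login origin.
const RP = { id: 'example.com', name: 'Example Corp', origin: 'https://login.example.com' };
const pending = new Map(); // sessionId -> challenge Buffer (stand-in for a session store)

// rp.id must be the origin's host or a parent domain of it. Browsers also reject
// public suffixes such as "com"; that part is not reproduced here.
function rpIdMatchesOrigin(rpId, origin) {
  const host = new URL(origin).hostname;
  return host === rpId || host.endsWith('.' + rpId);
}

// Build publicKeyCredentialCreationOptions and remember the challenge for this session.
function beginRegistration(sessionId, userName) {
  if (!rpIdMatchesOrigin(RP.id, RP.origin)) throw new Error('rp.id does not cover origin');
  const challenge = randomBytes(32); // fresh random bytes for every ceremony
  pending.set(sessionId, challenge);
  return {
    // Binary fields travel as base64url; the page script decodes them to ArrayBuffers.
    challenge: challenge.toString('base64url'),
    rp: { id: RP.id, name: RP.name },
    // Random user handle rather than an e-mail address or other PII.
    user: { id: randomBytes(16).toString('base64url'), name: userName, displayName: userName },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // COSE -7 = ES256
    // Built-in sensor (fingerprint/face) with user verification enforced.
    authenticatorSelection: { authenticatorAttachment: 'platform', userVerification: 'required' },
    timeout: 60000, // milliseconds
    attestation: 'none', // do not request identifying attestation data
  };
}

// Validate the clientDataJSON (decoded to a string) from navigator.credentials.create().
function checkClientData(sessionId, clientDataJSON) {
  const expected = pending.get(sessionId);
  pending.delete(sessionId); // single use: a replayed response finds no challenge
  if (!expected) return 'no-pending-challenge';
  let data;
  try { data = JSON.parse(clientDataJSON); } catch { data = null; }
  if (!data || typeof data !== 'object') return 'malformed';
  if (data.type !== 'webauthn.create') return 'wrong-type';
  if (data.origin !== RP.origin) return 'wrong-origin';
  const got = Buffer.from(String(data.challenge), 'base64url');
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) {
    return 'challenge-mismatch';
  }
  return 'ok';
}
```

Deleting the stored challenge before any other check is what turns a captured response into a one-time value: submitting the same clientDataJSON twice fails on the second attempt.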

2. Face ID for Apple Users

As the name suggests, Apple’s Face ID is an advanced face-recognition technology that launched on the iPhone X in 2017, replacing its old Touch ID fingerprint scanning system. The hardware powering this technology is the “TrueDepth camera system”, a complex system that has cameras, sensors, and a dot projector. The face is registered as a detailed 3D map that’s used for authentication.

Besides the basic device unlocking functionality, Face ID is now being used by Apple to log into iOS applications, sign into online services, and protect personal information. It’s also making iPhones and MacBooks into potent B2B end-devices.

App developers can use evaluatePolicy(_:localizedReason:reply:) to show the Face ID authentication popup on a device that supports Face ID and where the user has configured Face ID. Here’s an example of FaceID implementation with Swift:

3. Android Biometrics

The Android OS, powered by Google, is not lagging behind on the biometric front. Its smartphones, tablets, and Chromebooks, regardless of the manufacturing company, are powered today by face recognition and fingerprint scanning capabilities.

Here’s how it works.

First you need to use the AndroidX Biometric Library to determine compatibility:

Then, canAuthenticate() will usually return one of these outcomes:

  • BIOMETRIC_SUCCESS: The device is ready to use a biometric prompt, as the hardware is available and the user has also enrolled biometric data.
  • BIOMETRIC_ERROR_NONE_ENROLLED: The device has biometric capabilities, but the user has yet to enroll their fingerprints or face.
  • BIOMETRIC_ERROR_NO_HARDWARE: The device’s hardware does not support biometric authentication.

You can also run another check to ensure enrolled biometric data:

You then follow these steps to complete the biometric implementation:

  • Initiate the building of the biometric prompt 
  • Set PromptInfo to the message and configuration you want
  • Use the calling activity and callback handlers to set up the biometric prompt
  • Reopen BiometricUtil.kt 
  • Use the BiometricPrompt.PromptInfo.Builder builder class to generate the dialogue and populate it with the title, subtitle, and description
  • Initialize BiometricPrompt with the initBiometricPrompt() function
  • To display the biometric prompt properly and bind everything together, add the BiometricUtil.kt function
  • Use the below function in your login/sign-in to use Biometric authentication

That’s how it goes on the Android side of things.

Biometric Authentication with Frontegg

Frontegg is a self-served user management platform that helps SaaS developers implement strong authentication flows, along with other PLG-centric capabilities like billing and subscription management, login box implementation, and more. It’s now possible to use a centralized dashboard to manage all roles and permissions, all with just a few clicks. All of the above also applies to biometric authentication.

As your users expect to have a seamless login experience, it’s our responsibility to help and ease their way into the app. We have built this into our platform so you can integrate biometric authentication quickly and securely.
