Biometrics are biological measurements, physical characteristics or traits that can be used to identify a person and authenticate their identity. Biological biometrics involve genetic and molecular traits, like DNA and blood, while morphological biometrics involve physical traits, such as fingerprint patterns, retinal patterns, facial structure and the pattern of veins in the palm. Behavioral biometrics include a person's gait, typing pattern and the way they speak, to name a few.
What are biometrics?
Most small and midsize businesses use a biometrics system based on physical traits. Employees enroll in the system by allowing a scanner component to capture (measure or take images of) whichever type of biometric data the technology uses for the identification and authentication process. Measurements or images are stored as biometric templates, either within the device or on a remote server; this data is usually encrypted for added security.
Every biometrics system works by comparing individuals' templates against "live" information supplied for authorization. For instance, with a fingerprint biometrics system, employees submit to a fingerprint scan so the company can store all authorized personnel's fingerprints in the system. Then, when an employee comes to work and holds their finger up to the scanner, the system compares the scanned fingerprint with the stored one. Only if a match is established can employees access restricted areas, equipment or files; clock in or out of a time and attendance application; or otherwise "get past" the system.
Uses of biometrics in business
Among the uses of biometrics in business, access control tops the charts. You can install biometric systems to prevent non-employees from entering your premises without checking in first. You can also harness biometric technology to restrict access to equipment (including computers) as well as to corporate networks, digital files and paper records.
Biometric systems can also be programmed to allow or deny access based on an individual employee's role in your organization. For example, you might use a fingerprint scanning system to allow HR managers – but not administrative assistants – access to employee records.
Editor's note: Looking for the right access control system for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.
Jordan Ellington, CEO and founder of SecureReview, said the COVID-19 pandemic and the gig economy have made access control an increasingly important application of biometric systems.
"Our current reality is a distributed workforce," he said. "With people working from home, there are no other absolute methods of verifying user identity on an ongoing basis.
When a remote employee or contractor is sitting in front of a computer, facial and other object biometrics ensure that it's the right contractor or employee. The user cannot hold up a phone or other device to the screen in an attempt to take a picture of a sensitive document."
Biometrics are an equally good fit for time and attendance applications. In this scenario, biometric systems replace traditional time clocks and hardware for stamping timecards. Instead of clocking in or out using these timecards, employees do so by scanning their fingerprint or palm or "showing" their face to a facial recognition system. This prevents employees from engaging in "buddy punching," or clocking in or out for each other when they arrive late or leave early.
Pros of biometrics
It is important to weigh the pros and cons of biometrics and biometric systems before implementing the technology. Advantages of using the best biometric access control systems include the following.
Unlike keycards, key fobs and passwords, people's biometric traits cannot be lost or stolen, which makes biometric systems a more secure option than their non-biometric counterparts. Additionally, while biometric systems are not entirely foolproof (see below), the likelihood of someone "spoofing" them is minimal.
"Should someone be successful in gaining access to biometric data, it will take them quite some time to replicate that data into a usable format," said Pieter Vanlperen, founder and managing partner of PWV Consultants. "This makes it a deterrent for threat actors, as they do not want to waste time."
Biometric systems provide even more security and better access control when combined with other identification and authentication methods. For instance, fingerprint scans or facial recognition technology can be used to confirm (or deny) that a person who scans an ID badge is really who they claim to be.
Convenience for employees and employers
Biometric technology is more convenient for employees to use because they do not have to waste time looking for what they need (e.g., a keycard or fob) or remember their password to get through the system. Additionally, biometric systems authenticate and identify people faster than conventional methods of authentication.
The convenience of biometrics extends to employers. For example, you are not stuck chasing replacements for lost keycards, key fobs and identification cards. Biometric systems also provide authentic attendance data, so you or your HR personnel need not "browse through heaps of attendance sheets to calculate leaves, late sign-ins or overtime for individual employees," said Robin Antill, founder and CEO of 1st Choice Leisure Buildings.
Potential cost savings
The cost to replace lost keycards, fobs and other physical access tokens can add up quickly. This doesn't even include the cost of time spent arranging replacements or resetting passwords for employees.
While biometric systems can be costly to buy and install, keep in mind that the price of data breach recovery is often much higher.
Cons of biometrics
On the flip side, here are the disadvantages of biometrics.
Physical changes can interfere with accuracy.
Biometrics are not infallible. While the data stored on a person's biometrics never change, people's physical attributes sometimes do.
"The authentication system only identifies traits that were registered and fails to identify the user if their physical traits change in even the most insignificant way," Antill said. "In such circumstances, the system needs to be altered to grant access to the allowed user, which can be inconvenient."
Antill offered several examples of situations where traits may change, including new tattoos on hands, burned or damaged fingers, retina transplants, and the addition or elimination of eyeglasses.
Not all biometric systems are suitable for every application.
Environmental and other factors can impact whether a certain type of biometric system will work for your business. For instance, a facial recognition system may not be the best choice if your employees wear masks all day, and fingerprint recognition or palm vein technology may be an impractical option for employees whose jobs involve carrying items from place to place (e.g., in a warehouse).
Resetting biometric systems can be problematic.
When your entire biometrics system needs to be reset, be prepared for a heavy lift.
"One of the biggest disadvantages of biometrics is that biometric data cannot be changed or reset," said Julien Raby, CEO and founder of Thermo Gears. "If a password is stolen from a database, a new password can be created. But if a biometric characteristic is stolen from a database, a new biometric characteristic cannot be easily issued."
The initial investment could be too high for small businesses.
As mentioned above, cost savings is one of the potential advantages of biometrics. However, biometric system hardware, setup and integration require a significant upfront investment that may be difficult for small businesses to bear.
Given the multiple uses of biometrics and the various pros and cons of biometric systems, small and midsize businesses have a lot to think about before rolling out biometric technology. Regardless, building a wide base of knowledge about the technology will help you make an informed decision and increase your potential for return on investment in the long run.
What are the different types of biometrics and biometrics systems?
The following types of biometrics and biometric systems use physiological characteristics:
- Fingerprint: The unique ridge arrangement of the finger
- Palm print: The pattern of lines in the palm of the hand
- Palm vein: A map of the unique vein structure of the palm
- Iris scan: The shape of the eye
- Hand geometry: The shape of the hand
- Facial recognition: Facial features and measurements
- Digital signature scanning: Signatures captured using digital technology
- Voice: Unique sound waves in the voice
There are also biometrics and biometric systems that use these behavioral characteristics:
- Typing pattern: This includes typing speed and the time taken to move from one letter to another.
- Physical movements: These can measure someone's gait.
- Computer navigation patterns: Specifically, these include mouse movements and trackpad usage.
- Engagement patterns: This characteristic looks at how apps are opened on a mobile phone or how often someone picks up their mobile phone.
Which biometric systems are commonly used for access control?
Businesses typically choose from these four types of biometrics for access control:
While the price of fingerprint-scanning systems can vary depending on the type of scanner, their suitability for mass production makes them less expensive than other options, according to Varnas. The use of fingerprint scanning on mobile phones means most people are familiar with it, making things easier for businesses that choose fingerprint biometric systems.
Fingerprints are more vulnerable to wear and damage than any other biometric. The accuracy of fingerprint scanners may be compromised by cuts, abrasions and scars on the fingers.
Another downside is that fingerprints can be collected from surfaces and forged in a few ways, such as 3D printing, unless the fingerprint scanner has built-in technology to discern whether fingerprints are being presented live.
Additionally, fingerprint systems are not contactless; users must place their finger on a scanner for reading during authentication. Consequently, they are less sanitary – and, given the COVID-19 pandemic, possibly less desirable – than other types of biometrics and biometric systems.
Facial recognition systems are easy to use because enrolled individuals just show their faces to be identified. "Facial [recognition] isn't expensive to add to existing access control systems, and in many cases, it's coming almost for free, with good cameras becoming pervasive and facial algorithms getting better at off-angle, off-lighting recognition," said Steve Humphries, CEO of Identiv. "We don't think there will be a move away from fingerprint; this will be additive, either as a lower-friction option, new installation or multi-biofactor."
Facial recognition technology can capture facial images from afar. This may lead to privacy and legal risks, except in situations in which the technology is used on personal devices.
In addition, because facial recognition measures fewer data points than other types of biometrics, there are more inaccurate results with this technology than with other types of biometric systems. Changes in users' appearance – like growing or shaving off facial hair, or removing or putting on glasses or makeup – contribute to the likelihood of false negatives.
Iris (retinal) scanners produce biometric IDs by using infrared light and high-resolution cameras to capture the detailed pattern within the iris. This pattern does not change throughout a person's life, so the accuracy of iris-scanning systems in identifying people does not change as they age.
The retina has a significantly detailed pattern, so iris scanners capture many data points, which yield a high degree of accuracy.
Iris scanners can obtain images from many feet away. This capability may expose your business to the same risks as facial recognition technology but on a smaller scale, experts from Keyo said.
Palm vein technology maps the palm's unique vein pattern by using infrared light. Proponents of palm vein technology said it is the most secure option, in part because the vein pattern of the palm is not readily visible to anyone, making it difficult for someone to create a replica that would "fool" the scanner.
Because palm vein technology captures a larger surface of the body – and, consequently, more data points – than other types of biometrics and biometrics applications, it offers greater accuracy, as well as fewer false negatives and positives, than other types of biometrics, some sources said.
The weather can affect biometric results. Specifically, cold weather can reduce blood flow and reduce the accuracy of palm vein biometrics.
What should you look for when choosing which biometrics to utilize in your system?
Consider these factors when choosing which biometric to measure:
- Universal: Does every user have the trait on which the system is based?
- Uniqueness: Do the traits differ enough from person to person so each one can be precisely identified?
- Permanence: Does the trait change over time?
- Measurability: How easy or difficult is it to acquire or measure the trait?
What to consider when choosing a biometrics system
There are several factors you should take into account when choosing a biometric system:
- Performance: Look at the accuracy, speed and robustness of the technology within the system.
- Acceptability: Consider whether, and how well, your employees will accept a system that captures and assesses their biometric data.
- Circumvention: Choose a system that makes it difficult to fool the system with a faked or substituted image.
What are the benefits of using biometrics for authorization and access control?
The goal of biometrics is to ensure that those accessing the location, device or network are who they claim to be, Varnas said. The problem with traditional authentication, through means such as a password or key fob, is that it doesn't matter who is using them. If the password is correct or the fob is in the person's hand, they can gain access.
"With biometrics, you're far more likely to be able to ensure that you're only allowing the intended party to access [whatever you're trying to protect]," Varnas said.
All types of biometrics offer three main benefits over other authentication and verification methods:
Biometrics verify someone's identity using their unique biological traits, so it is more difficult for another person to steal them outright than to get their hands on a physical access token, like a key card, or misappropriate a password.
Additionally, some facial recognition systems have built-in testing mechanisms to ensure that the biometric data is coming from a real human being rather than, for example, a forged composite replica or an image that has been downloaded from social media. The end result is enhanced access control.
With biometric access control, authorized users need nothing other than themselves to be granted access. This means that neither you nor your employees need to worry about resetting forgotten passwords or PINs, or replacing lost keys, barcodes or chip-based identification cards.
Employees also appreciate not having to fumble for physical access tokens or recall passwords as they attempt to gain access. Moreover, some sources said manual verification checks can take less time than verification checks performed using biometric identifiers – again, streamlining the verification and access control process.
Replacing key cards, fobs and other physical access solutions can be costly. According to a study by Tile, each lost ID card can cost up to $50, with the average cost per replacement card now averaging $22. It may not sound like a lot, but it adds up over time, especially when you consider the time spent on the replacement process.
What's more, the cost of recovering from a data breach caused by unauthorized access to sensitive data can outweigh the cost of implementing biometric authentication and access control systems.
What are the drawbacks of biometrics and biometric systems?
Biometrics and biometric systems come with some limitations:
- False positives:
- Biometric systems can occasionally accept fake data – like a fingerprint taken from a glass surface – in turn generating a false positive and, in the case of an access control system, granting access to an unauthorized user.
- False negatives:
- Biometric systems can also reject someone's biometric data even though it "belongs" to them. In an access control scenario, users are then denied accesseven though they are who they claim to be and have the right to that access.