Virtualization Technology News and Information
What to Avoid When Implementing Biometric Authentication Systems
Written by James Stickland, CEO, Veridium

Biometric authentication has been presented as a likely replacement for passwords. Using what you are to authenticate is perceived to be easier than remembering a 10-character password that contains special characters, numbers and capital letters. But some challenges accompany deploying and using biometric security systems at enterprises. If these issues aren't addressed, they could compromise security or impede the user experience. Either outcome limits the effectiveness of biometric authentication. Here are some potential pitfalls and how to work around them.

Compromised enrollment process

The user enrollment process is the foundation of a biometric authentication program and has to be protected. People have to prove who they say they are. Without properly validating a person's identity, attackers could register their biometrics instead of the legitimate user, compromising the system's security.

Workaround: People must present multiple forms of identification before they enroll their biometrics. This identification includes government-issued identifications like passports and driver's licenses as well as bank statements and utility and credit card bills. Requiring multiple levels of identification reduces the risk of identity fraud.

Spotting spoofing

With spoofing, an attacker mimics a person's biometrics and uses them to fool a biometric sensor in a presentation attack. For example, to trick facial recognition systems, an attacker could use a photo of a person to create a spoof, such as a mask. To deceive fingerprint sensors, attackers could lift a person's fingerprints and use them to create prosthetic fingers that contain the fingerprints.

Workaround: Implement liveness detection and behavioral biometrics. Liveness detection uses subtle cues, like movement, to determine if a live person and not someone using a spoof is trying to authenticate. Behavioral biometrics is an emerging technology that uses how people interact with their phones to determine that the legitimate user is authenticating. These interactions include how a person swipes the phone's screen and picks up the device. Over time, a behavioral profile is created. If a person's behavior deviates significantly from this profile, another authentication method can be requested as additional security.
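The step-up decision described above, sketched as an added example (not code from the original article or from any vendor). The feature names, their units, the minimum of 5 sessions and the z-score threshold of 3.0 are all assumptions chosen for illustration.

```python
import math

FEATURES = ("swipe_speed", "pickup_tilt")  # assumed feature names and units

class BehaviorProfile:
    """Running mean/variance per feature (Welford), built up over time."""

    def __init__(self):
        self.n = 0
        self.mean = {f: 0.0 for f in FEATURES}
        self.m2 = {f: 0.0 for f in FEATURES}

    def update(self, sample):
        self.n += 1
        for f in FEATURES:
            delta = sample[f] - self.mean[f]
            self.mean[f] += delta / self.n
            self.m2[f] += delta * (sample[f] - self.mean[f])

    def deviation(self, sample):
        """Largest absolute z-score of the sample across all features."""
        if self.n < 2:
            return math.inf
        worst = 0.0
        for f in FEATURES:
            std = max(math.sqrt(self.m2[f] / (self.n - 1)), 1e-6)
            worst = max(worst, abs(sample[f] - self.mean[f]) / std)
        return worst

def decide(profile, sample, min_sessions=5, threshold=3.0):
    """Return 'allow' or 'step_up' (request another authentication method)."""
    # Assumed policy: too little history or a large deviation both step up.
    if profile.n < min_sessions or profile.deviation(sample) > threshold:
        return "step_up"
    profile.update(sample)  # learn only from sessions that matched the profile
    return "allow"

def demo():
    # Constructed sessions: swipe speed in px/ms, pickup tilt in degrees.
    history = [(1.20, 32), (1.25, 30), (1.15, 35), (1.22, 31), (1.18, 33), (1.21, 34)]
    profile = BehaviorProfile()
    for speed, tilt in history:
        profile.update({"swipe_speed": speed, "pickup_tilt": tilt})
    usual = decide(profile, {"swipe_speed": 1.23, "pickup_tilt": 33})
    unusual = decide(profile, {"swipe_speed": 2.10, "pickup_tilt": 55})
    new_user = decide(BehaviorProfile(), {"swipe_speed": 1.23, "pickup_tilt": 33})
    return usual, unusual, new_user

if __name__ == "__main__":
    print(demo())
```

Updating the profile only after an "allow" keeps a session that triggered step-up from shifting the baseline toward the deviating behavior.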

Forgetting about the user

A key benefit of biometric authentication is that it's easier to use than passwords. The biometric authentication system that an organization uses has to provide this value and be user friendly. A cumbersome system with a challenging authentication process will turn employees off and stymie adoption of the technology. In fact, they may lobby to keep using passwords.

Workaround: Develop an intuitive interface and select a biometric that's easy for an employee to use, works in challenging environments and provides security. For example, while taking selfies may be popular, facial recognition sometimes doesn't work in low-light situations.

Remember the false rejection rate

The false rejection rate (FRR) has to be considered when implementing biometric authentication systems. FRR measures how likely a biometric authentication system is to reject a legitimate user. To keep the user experience positive, organizations want a low FRR.

One of the main factors that influences a biometric's performance is environmental conditions. Light and noise levels, among other factors, impact a biometric's ability to authenticate. For example, voice recognition may not be an ideal biometric for an enterprise to use since it tends not to perform well in noisy environments, like airports.

Workaround: Keep in mind that biometrics work differently in various environments. Organizations should test the biometrics that they plan to use in environments unique to their use case, especially ones frequently encountered by their employees, and track the FRR. In environments where the FRR is high with a certain biometric, an organization may need to consider using a different one. The goals are to find a biometric with a low FRR that allows employees to authenticate in environments that they're commonly in.
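One way to track FRR per biometric and environment during such testing, as an added example that is not part of the original article. The trial records are constructed, the 5% FRR target is an assumed threshold, and the Wilson upper bound is added here so that a handful of trials with no rejections is not mistaken for a low FRR.

```python
import math
from collections import defaultdict

def wilson_upper(rejects, trials, z=1.96):
    """Upper end of the 95% Wilson interval for the true rejection rate."""
    if trials == 0:
        return 1.0
    p = rejects / trials
    denom = 1 + z * z / trials
    centre = p + z * z / (2 * trials)
    margin = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials * trials))
    return (centre + margin) / denom

def frr_report(trials, max_frr=0.05):
    """trials: (biometric, environment, accepted) for genuine-user attempts only.

    max_frr is an assumed target, not a value from the article.
    """
    counts = defaultdict(lambda: [0, 0])  # key -> [rejects, attempts]
    for biometric, env, accepted in trials:
        entry = counts[(biometric, env)]
        entry[1] += 1
        if not accepted:
            entry[0] += 1
    report = {}
    for key, (rejects, attempts) in counts.items():
        frr = rejects / attempts
        upper = wilson_upper(rejects, attempts)
        if upper <= max_frr:
            verdict = "ok"
        elif frr > max_frr:
            verdict = "reconsider"        # observed FRR already above target
        else:
            verdict = "need_more_trials"  # looks fine, but sample is too small
        report[key] = (frr, upper, verdict)
    return report

def demo():
    # Constructed test results: each tuple is one attempt by a legitimate user.
    trials = [("voice", "airport", i >= 30) for i in range(100)]
    trials += [("voice", "office", i >= 2) for i in range(200)]
    trials += [("fingerprint", "airport", True) for _ in range(20)]
    return frr_report(trials)

if __name__ == "__main__":
    for key, (frr, upper, verdict) in demo().items():
        print(key, f"FRR={frr:.3f} upper95={upper:.3f} {verdict}")
```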


Passwordless authentication using biometrics can prove more convenient than authenticating with traditional passwords, but only if organizations avoid the pitfalls that could stymie use or compromise security. Highlighting some of the possible challenges can help organizations roll out biometric authentication systems in a more secure and user-friendly way.


About the Author


A seasoned executive in financial technology, James Stickland is tasked with driving business revenue and investment growth, as well as leading the company's global go-to-market strategy for its flagship solution, VeridiumID. Based out of the company's London headquarters, James comes to Veridium from the UK-based fintech firm Red Deer Systems. Previously, he held senior leadership roles at HSBC, JP Morgan Chase and CISCO SYSTEMS, where he specialized in expanding a pipeline of venture capital and accelerating innovation within emerging technology portfolios.

Published Tuesday, May 14, 2019 7:31 AM by David Marshall