March 14, 2019

Biometrics haven’t always been portrayed in the best light in pop culture – movies like the action series Mission Impossible have for years depicted ways to steal fingerprints and use them for authentication. But those perceptions haven’t significantly hampered the adoption of the technology. Look around you – if you have an iPhone or Galaxy phone from the last few years, you can likely unlock it with your thumbprint, face or eyes.

To better understand the trajectory of biometrics, from their first introduction to where they’re headed, we talked to Steven Furnell, IEEE Senior Member and professor of information security at the University of Plymouth (UK), who has been doing research on them for over 20 years.

Q (IEEE): Which advances have gotten us to the current state of biometric adoption?

A (Furnell): I have long believed that biometrics are the key to non-intrusive, frictionless security. Indeed, my own Ph.D. research back in the mid-90s was looking at how keystroke dynamics could be used to authenticate people in parallel with normal typing activities, and since then, colleagues and I have looked at a variety of ways in which biometrics can improve authentication and make this aspect of security more transparent from the user’s perspective.

We have been seeing gradual steps towards making the techniques more usable and reducing the friction, with particular attention given to the more reliable physiological approaches. This is exemplified by the way in which fingerprint recognition was introduced on the iPhone 5S, compared to earlier devices that incorporated it. While various other mobile phones had used it, Apple integrated it in a way that was natural – within the home button that users would press to activate their device anyway. It wasn’t a distinct sensor that you had to use solely for security.

We now seem set for this to advance further, with the scanning capability embedded across the whole screen, paving the way for authentication to be applied in conjunction with any touch interaction rather than just at point-of-entry.

Q: As new biometric features like scanning appear in more devices, what are the main challenges you see regarding their effective use over the next five years?

A: One of the fundamentals is still trust. People are concerned about their biometric data getting exposed, and this can be a valid concern depending upon how the approach has been implemented and where the data is being shared. We have seen numerous instances of passwords being compromised on the server side, and so the same concern would exist if they became a repository of all the users’ biometric data.

Another challenge is (lack of) universality, and the fact that biometrics are not yet a standard feature on all the devices we use. Password-based authentication has persisted because we can rely on most devices having keyboard-based input, but biometrics still require specific technology to be present on the device.

The third challenge would be reliability. While we see biometrics readily being used on mobile devices, they are not perfect and all of them still need a knowledge-based approach as a fallback. However, they are getting better in terms of both reliability and security – they work better for the intended users and are more resistant to spoofing by impostors.

Q: Given that our fingerprints, voices, and faces aren’t easily changed, are there indeed solutions if our biometric data does get exposed?

A: This is one of the major concerns, and the best approaches rely upon the biometric data itself not being shared. This is, for example, the approach that Apple has gone to great lengths to emphasize with its biometric implementations – the user’s data does not leave the device and is stored within a secure enclave within the processor, meaning that local apps don’t get to see it either.

Q: Where do you see biometrics headed in the near future?

A: Biometrics are most definitely part of our direction of travel with user authentication. The ability to authenticate via something that the user is, rather than relying upon them to remember a secret or to be carrying something with them, inherently makes it easier from the human perspective.

As we move forward, we will see further improvements in the technology and its consequent use in more places. Indeed, as time goes on, the requirement to authenticate ourselves with more explicit approaches such as passwords will feel increasingly anachronistic.