Biometric authentication isn’t invulnerable, but it’s significantly more secure than traditional passwords. Here’s why. Credit: JLStock / Shutterstock Scared of flying but don’t think twice about a lengthy road trip? Consider this: NOVA reports that your odds of a fatal car crash are 1 in 5000, but the chance of perishing in a plane is just 1 in 11 million. Despite air travel being 2,200 times safer than a car, many people fear flying more than driving. Feeling anxious is understandable if you’ve ever white-knuckled your way through a turbulent flight, but the numbers tell a different story. There’s a similar misconception about biometric authentication and passwords. While biometrics aren’t immune to compromise (just as air travel isn’t completely risk-free), FIDO2-based biometric authentication is significantly more secure than traditional passwords. Let’s dispel some common myths and explore why anxieties about biometric authentication—much like the fear of flying—may be misplaced. Biometric identification, verification, and authentication basics Biometric technology plays a crucial role in various aspects of identity management. To avoid confusion, let’s clarify the distinct but interrelated concepts: Identification asks, “Who are you?” Biometric identification compares biometrics against a database of stored information, as used by law enforcement or security agencies. Identity proofing asks, “Are you really who you claim to be?” Identity proofing is when biometrics ensure the identity claimed matches reality. It is often used when opening a new account. Identity verification asks, “Does this match your ID?” One example of identity verification is taking a selfie with liveness detection to confirm that your real face matches the photo on your license. Authentication asks, “Is it really you trying to log in?” Authentication is used to confirm that the person attempting to access an account is the rightful owner. When we talk about biometric authentication in cybersecurity, we’re primarily concerned with that last question: “Is this the real account owner?” Using biometrics helps us ensure that the login request comes from the real user, not a sophisticated impersonator using techniques like deepfakes. What is FIDO2? FIDO2 is an open authentication standard that enables passwordless login to online services using public key cryptography. This decentralized authentication model uses public-private key pairs to verify a user’s identity with what-you-have-or-are methods like hardware keys, passkeys, and biometrics. In a FIDO2 login scenario, the user’s device (e.g., an iPhone) holds a private key which matches up with a public key held by the service they want to access (e.g., Apple iCloud). The vast majority of web browsers, including those exclusive to mobile devices, are compatible with the standard. Misconception #1: AI-based deepfakes can easily impersonate you online, and cybercriminals are actively stealing biometric data to create them. While the rise of AI and deepfake tech raises legitimate concerns about biometric storage and privacy, innovations in biometric technology are continually raising the bar for would-be fraudsters. And though spotting deepfakes with the naked eye is getting tougher, creating them doesn’t necessarily require your stored biometric data. In fact, most deepfakes are created using publicly available content that users themselves share on social media. The evolving threat raised by deepfakes is less significant for FIDO2-enabled biometric authentication, which doesn’t store or transmit your actual biometric data. Instead, it uses a face or fingerprint to unlock a private key. The only way a threat actor could conceivably get your biometric data would be by compromising the coprocessor or TPM (Trusted Platform Module) on your device. This is essentially impossible, and succeeding would yield data points rather than an image of your face or a scan of your fingerprint. However, concerns about biometric data theft are still valid. Incidents like the 2023 breach at the Pan-American Life Insurance Group highlight the need for better security around biometric data in non-authentication scenarios. While leveraging raw fingerprints to fool biometric hardware is possible, it’s rare. This is largely because, in FIDO2-based authentication, a fingerprint is useless without a paired device. Ultimately, most threat actors favor simple social engineering tactics over going toe-to-toe with biometric scanners—though tomorrow’s deepfakes may require methods with even greater scrutiny. Misconception #2: Biometric information is used to track and monitor people across their digital and physical lives. The fear of cybercriminals, governments, or corporations using biometrics for widespread tracking is common, especially given the prevalence of data collection through social media and public surveillance. However, modern authentication protocols operate on a totally different set of principles. As we previously discussed, FIDO2-based authentication ensures your biometric data never leaves the device. It’s never transmitted to a server, so it can’t be intercepted or observed by anyone. Not even you can access the data, since it’s solely used for unlocking your private key. If a service you’re accessing were compromised by threat actors or government agents, the attackers still couldn’t use the information communicated in biometric authentication to track you because: Your private key signs a challenge and sends it back to the service. The service doesn’t see your biometric data; it just knows that you have the right private key. Even if attackers could steal the biometric data on your phone, they couldn’t do anything with it. Your smartphone checks your fingerprint or face scan against data points, not images. The data points that tell your phone whether you’re a biometric match can’t be reverse-engineered to yield an image of a face or fingerprint. It’s a one-way conversion. Many countries and jurisdictions have implemented strict data privacy laws, like GDPR in Europe and CPRA in California. These regulations impose tight restrictions on biometric data collection, processing, and storage. By design, FIDO2 sidesteps (and complies with) many of these regulations because the biometric data remains solely on your device. This is why it’s so important to distinguish between biometric authentication and other applications of biometric technology. While FIDO2 authentication safeguards your privacy, other uses of biometrics, like facial recognition in public spaces, do raise legitimate concerns. But it’s crucial to recognize that logging in with a fingerprint is not part of some Orwellian plot. Misconception #3: Biometrics are expensive to deploy, and users are reluctant to adopt them. “But what about the human element? Adding biometric authentication will cost too much for the tiny number of users who will adopt it.” It’s a question raised in boardrooms and IT departments alike—yet rather unfairly, considering 85% of consumers rate physical biometrics as the most secure authentication method they’ve encountered, according to Experian’s 2024 Fraud Forecast. At the same time, a fractional 32% of companies actually offer biometric authentication. So what’s with the hesitation? Some concerns are understandable. Unlike passwords, you can’t simply reset your fingerprint or face. Add to that the apparent complexity, perceived user resistance, and potential adoption hurdles, and you’ve got a recipe for hesitation. The reality is quite different, though. With a capable biometric scanner resting comfortably in every user’s pocket, and numerous biometric-capable authentication ecosystems already in place, integrating the tech has never been easier or cheaper. Education is the key to onboarding more customers (and companies) to this new biometric paradigm. According to the 2023 FIDO Online Authentication Barometer Report, passwordless solutions like biometrics save users significant time and reduce friction while raising the bar on security. Users need to understand that biometrics aren’t to be feared but instead appreciated for their enhanced security. Do the math Traditional passwords are insecure and a pain to use. According to a 2023 Forbes Advisor report, cybercriminals stole passwords from 46% of Americans within the previous year. On the other hand, passkeys—which are based on the FIDO2 standard and can utilize biometrics—are raising the bar on authentication security and ease of use. Google’s 2023 Security Blog notes, “Passkeys were originally designed to provide simpler and more secure authentication experiences for users, and so far, the technology has proven to be simpler and faster than passwords.” The authentication success rate for passwords is typically below 14%, but it’s over 63% with local passkeys. Google also notes how much faster passkeys are: Traditional passwords take twice as long to log in. Biometric authentication isn’t invulnerable. But with FIDO2, companies can benefit from improvements to the cost of ownership, time to value, and customer friction. For users, the math is also looking good: no more forgotten passwords, fewer security incidents, and better productivity. While misconceptions about biometrics will continue to circulate, the reality is that biometrics is the path to smoother, safer authentication. Rishi Bhargava is co-founder of Descope. — New Tech Forum provides a venue for technology leaders—including vendors and other outside contributors—to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to doug_dineley@foundryco.com. Related content news Java proposals would boost resistance to quantum computing attacks OpenJDK proposals would provide Java implementations of a quantum-resistant module-latticed-based digital signature algorithm and key encapsulation mechanism. By Paul Krill Nov 08, 2024 2 mins Java Quantum Computing Application Security news analysis What Entrust certificate distrust means for developers Secure communications between web browsers and web servers depend on digital certificates backed by certificate authorities. What if the web browsers stop trusting your CA? By Travis Van Oct 30, 2024 9 mins Browser Security Web Development Application Security news Embedded developers face mounting pressure on security A recent survey by BlackBerry Limited finds tensions between innovation, project deadlines, and functional safety. By Paul Krill Oct 11, 2024 2 mins Developer Application Security Software Development feature 6 ways to apply automation in devsecops Automation should serve as a foundational principle for approaching every security challenge. Here’s how automation can help you secure software development processes. By Shashank Srivastava Sep 30, 2024 9 mins DevSecOps CI/CD Application Security Resources Videos