Biometric authentication uses the physical characteristics of an individual—such as facial features, iris scans or fingerprints—to verify their identity before granting access to sensitive data or systems. Biometric identification is based on who the person is, rather than special knowledge or something the person has.
Hackers increasingly target users’ credentials to break into corporate networks and wreak havoc. In fact, according to the IBM Cost of a Data Breach Report, stolen credentials are the most common attack vector behind data breaches.
Many organizations adopt biometric authentication to help thwart these kinds of cyberattacks and protect user accounts. Because biometric information pertains to who a person is, it is typically harder to steal or forge than other credentials, such as passwords and security tokens.
Biometrics can also provide a more convenient user experience because people don’t have to remember anything or carry special items to prove their identities. Biometric technology helps enable passwordless authentication, which can be both more secure and more streamlined than other types of authentication.
All authentication systems rely on authentication factors, or pieces of evidence that prove a person is who they say they are. Biometric authentication specifically uses physical and behavioral modalities to identify people.
Inherence factors, also called physical factors, are physical traits unique to a person, such as the pattern of blood vessels in their retina.
Biometric authentication systems use physical identifiers that are measurable, distinct and highly unlikely to change. Common physical biometric authentication methods include facial recognition and fingerprint scans. Characteristics such as weight and hair color can change, making them inappropriate for authentication.
New options for unique inherence factors are continually being investigated, such as thermal imaging of feet and lip shape.[1]
While most inherence factors remain consistent, difficulties might arise if an injury alters a person’s characteristics, such as changing their fingerprints or facial features.
Another potential difficulty with inherence factors is that, if an attacker steals a physical authentication factor (such as pilfering fingerprint scans from a database), it cannot be changed. People can change their passwords, but they can't change their fingerprints.
In addition, there are potential privacy concerns around how organizations use people's biometric data after collecting it.
Inherence factors currently in use or under evaluation include:
Eye recognition includes scanning of the iris or retina for unique patterns. While this type of biometric authentication is highly accurate, it is also expensive, requiring specialized equipment. It is more practical for government or industrial uses, where security is the most important consideration.
Facial recognition technology is sufficiently accurate to be used for unlocking mobile devices and helping with identification by law enforcement.
However, facial scans can have difficulties: the angle of the live scan might differ from the angle of the scan on file, leading to failed authentication. An exaggerated facial expression can also distort a scan.
The tone, pitch and frequencies in a person’s voice might be as unique as a fingerprint.
While voice recognition verification is highly accurate, easy to use, and comparatively cost-effective, advanced voice cloning technologies can fool it. Some generative AI developers, such as OpenAI, advocate that organizations move away from voice recognition for this reason.[2]
Fingerprints are a longstanding biometric authentication method, used as proof of identity in China as early as 300 B.C.[3] Their usefulness continues today.
Fingerprints are unique, with only one chance in 64 billion[4] of finding an identical fingerprint between two people. (And there are now just over eight billion people on earth.)
Fingerprints are also ideal for today’s digital devices. They are inexpensive to read, collect and analyze, and they do not change as people age.
However, some consumer-grade fingerprint scanners found in smartphones and PCs can be unlocked with fake prints. Common conditions such as wet, dry or greasy fingers can also cause false rejections.
Because of these errors, some scanners now read vascular patterns instead, helping to reduce the number of false positives.
Vein recognition uses pattern-recognition technology to match the arrangement of a user’s blood vessels in some part of their body to a scan already on file.
While more accurate than many fingerprint scanning methods, the vein scanning process can be cumbersome. Moreover, equipment to scan blood vessel patterns is not yet widely available, so it is mostly used in highly specialized environments. Veins in whole palms and in a person’s forehead[7] can also be scanned.
The shape of a person’s hand can be scanned and stored as a mathematical representation. Measurements include finger length, distances between different parts of the hand and the contours of the valleys between knuckles.
Of all biometric factors, DNA is often seen as the most accurate. Even “identical twins” don’t usually have truly identical DNA.[5]
However, the precision of DNA and questions about how DNA samples might be used make many people uncomfortable with it as a potential authentication factor.
A US government study found that people are far more comfortable providing biometric data in the form of fingerprints than DNA.[6]
Behavioral biometrics uses the unique patterns in a person’s activity to identify them. Common behavioral characteristics that are used for authentication include:
People often have unique behavioral patterns while working on their devices—for example, how they use a touchscreen, or the frequency and fluidity of mouse movement.
Organizations can use machine learning algorithms to analyze these patterns and build models of a user’s typical behavior. The user’s subsequent behavior can be compared to the model for authentication.
A person’s keyboarding patterns can also be unique, including typing speed and the shortcuts they commonly use. Typing dynamics can be monitored remotely and unobtrusively, but they are less accurate than fingerprints or iris scans, and a user’s patterns can change over time.
The way a person walks can be used for authentication. The stride and foot angles can subtly differ from person to person.
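The device-interaction and typing-dynamics paragraphs above describe building a model of a user's typical behavior from enrollment data and comparing later behavior against it, while noting that patterns drift over time. The following keystroke-dynamics sketch is an added example written for this page, not code from IBM or any product: it builds a per-feature mean and standard deviation model from constructed inter-key latency samples, scores a new sample by its scaled distance from that model, and updates the model after a genuine match so it can follow gradual drift. The latency values, the threshold of 1.5 and the update weight of 0.1 are all invented for illustration.

```python
from statistics import mean, pstdev
from typing import Dict, List

# Constructed enrollment data: inter-key latencies in milliseconds for a fixed
# passphrase. Each inner list is one typing sample; the numbers are invented.
ENROLL_SAMPLES: List[List[float]] = [
    [120, 95, 140, 110, 130],
    [125, 90, 150, 105, 135],
    [118, 100, 145, 112, 128],
    [122, 97, 138, 108, 132],
]

# Constructed probes: one from the enrolled typist, one from somebody else.
GENUINE_PROBE = [121, 96, 142, 109, 131]
IMPOSTOR_PROBE = [200, 60, 210, 150, 90]


def build_model(samples: List[List[float]]) -> Dict:
    """Per-feature mean and population standard deviation from enrollment samples."""
    n_features = len(samples[0])
    means = [mean(s[i] for s in samples) for i in range(n_features)]
    # Floor the deviation at 1 ms so a feature with zero variance cannot
    # divide by zero or make the model absurdly strict.
    stds = [max(pstdev([s[i] for s in samples]), 1.0) for i in range(n_features)]
    return {"mean": means, "std": stds, "count": len(samples)}


def score(model: Dict, sample: List[float]) -> float:
    """Scaled Manhattan distance: mean of |x - mean| / std over features.

    Lower is closer to the enrolled behavior; 0.0 would be a perfect match.
    """
    return sum(
        abs(x - m) / s for x, m, s in zip(sample, model["mean"], model["std"])
    ) / len(sample)


def verify(model: Dict, sample: List[float], threshold: float = 1.5) -> bool:
    """Accept when the sample is within `threshold` scaled deviations (assumed value)."""
    return score(model, sample) <= threshold


def update_model(model: Dict, sample: List[float], weight: float = 0.1) -> Dict:
    """Exponential moving update of the means after a genuine match.

    This lets the template track slow drift in a user's typing rhythm without
    letting a single sample overwrite it; only call it after a verified match.
    """
    new_means = [(1 - weight) * m + weight * x for m, x in zip(model["mean"], sample)]
    return {"mean": new_means, "std": model["std"], "count": model["count"] + 1}


if __name__ == "__main__":
    model = build_model(ENROLL_SAMPLES)
    for label, probe in (("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)):
        print(f"{label}: score={score(model, probe):.2f} accepted={verify(model, probe)}")
    if verify(model, GENUINE_PROBE):
        model = update_model(model, GENUINE_PROBE)
```

Two design choices are worth noting. The standard-deviation floor prevents a feature that happened to be identical across a handful of enrollment samples from rejecting every later attempt, and the model is updated only after a successful verification, so an attacker who is rejected cannot nudge the template toward their own rhythm.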
Multimodal biometric authentication (MBA) systems use two or more methods of biometric authentication to identify a person. For example, an MBA system might require both a fingerprint scan and a retinal scan, or facial recognition and typing pattern analysis, before allowing a user in.
The intent of multimodal biometric authentication is to significantly strengthen security measures. It is very hard for a hacker to successfully spoof multiple biometric identifiers during the authentication process.
The basic functions of biometric authentication are straightforward. The first step is the enrollment process, when a record of a person’s biometric information is digitally stored in a biometric system. Whenever the user returns to the system to be authenticated, this original template is compared to the user’s characteristics. If the biometric features match, authentication is confirmed.
To save digital storage space and speed the comparison of verifying factors, templates often store only key points. For example, with facial scans, many systems store only specific features of the face rather than the entire face. Sometimes, such as with fingerprint scans, the entire image is stored.
Stored biometric data requires strong data security measures because, if stolen, the data can be used for identity theft. And because biometric data cannot be changed, theft can potentially create a lifetime of difficulty for the victim, putting further personal data at risk.
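The three paragraphs above describe the core loop: enroll a template, store only key points, compare a later capture against the template, and protect what is stored. The following is an added example written for this page, not code from IBM or any biometric vendor. It uses a constructed, minutiae-style representation in which a scan has already been reduced to (x, y, angle) key points; enrollment keeps only those points, and verification accepts when enough template points are matched within a position and angle tolerance. The tolerances (3 units, 15 degrees), the 70% match threshold and all coordinates are invented for illustration.

```python
import math
from typing import Dict, List, Tuple

# A key point is (x, y, angle_in_degrees); a real extractor would derive these
# from the captured image, which is then discarded rather than stored.
KeyPoint = Tuple[float, float, float]

# In-memory template store. In a real deployment this would live in an
# encrypted, access-controlled store, since a stolen template cannot be changed.
TEMPLATES: Dict[str, List[KeyPoint]] = {}

# Constructed key points for one enrolled user.
ENROLLED_POINTS: List[KeyPoint] = [
    (10, 10, 30), (20, 15, 90), (35, 12, 180), (12, 30, 45), (25, 28, 270),
    (40, 35, 120), (18, 45, 0), (33, 48, 200), (8, 50, 315), (45, 20, 60),
]
# Same finger, slightly shifted and rotated: +1 in x, -1 in y, +5 degrees.
GENUINE_PROBE: List[KeyPoint] = [(x + 1, y - 1, a + 5) for x, y, a in ENROLLED_POINTS]
# Only half of the key points present (e.g. a partial or injured finger).
PARTIAL_PROBE: List[KeyPoint] = GENUINE_PROBE[:5]
# A different finger: every point lies far from all enrolled points.
IMPOSTOR_PROBE: List[KeyPoint] = [
    (60, 60, 10), (70, 65, 80), (80, 70, 170), (62, 80, 40), (75, 78, 260),
    (90, 85, 110), (68, 95, 350), (83, 98, 190), (58, 100, 305), (95, 70, 50),
]


def enroll(user_id: str, key_points: List[KeyPoint]) -> None:
    """Store only quantized key points for the user; never the raw capture."""
    TEMPLATES[user_id] = [(round(x, 1), round(y, 1), a % 360.0) for x, y, a in key_points]


def angle_diff(a: float, b: float) -> float:
    """Smallest difference between two angles in degrees (handles wraparound at 360)."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def match_ratio(template: List[KeyPoint], probe: List[KeyPoint],
                dist_tol: float = 3.0, angle_tol: float = 15.0) -> float:
    """Fraction of template points matched by a distinct probe point within tolerance."""
    if not template:
        return 0.0
    used = set()
    matched = 0
    for tx, ty, ta in template:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue  # each probe point may explain at most one template point
            if math.hypot(tx - px, ty - py) <= dist_tol and angle_diff(ta, pa) <= angle_tol:
                used.add(i)
                matched += 1
                break
    return matched / len(template)


def verify(user_id: str, probe: List[KeyPoint], threshold: float = 0.7) -> bool:
    """Fail closed for unknown users; otherwise require enough matched key points."""
    template = TEMPLATES.get(user_id)
    if template is None:
        return False
    return match_ratio(template, probe) >= threshold


if __name__ == "__main__":
    enroll("alice", ENROLLED_POINTS)
    for label, probe in (("genuine", GENUINE_PROBE), ("partial", PARTIAL_PROBE),
                         ("impostor", IMPOSTOR_PROBE)):
        print(f"{label}: ratio={match_ratio(TEMPLATES['alice'], probe):.2f} "
              f"accepted={verify('alice', probe)}")
```

The partial probe shows the injury case mentioned earlier: half the key points still match perfectly, but the ratio falls below the threshold and the user is rejected, which is why deployments usually enroll more than one finger or keep a fallback factor.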
Biometric systems often use advanced artificial intelligence (AI) to speed the recognition process. Deep learning, and convolutional neural networks (CNNs or ConvNets) in particular, shows great promise for identifying patterns in templates and scans, such as fingerprints.
Establishing a person’s digital identity is crucial before granting that person access to sensitive apps or data. Biometric security systems can help prevent presentation attacks, in which a hacker attempts to gain access to a system by spoofing a valid user’s identity.
Biometric authentication measures can also be used to protect sensitive physical locations. Government agencies might use a microchipped passport that contains a photo and fingerprints of the passport holder so that the individual’s identity can be verified against biometric information on file. In healthcare, biometrics can be used to verify that medications are given to a patient and procedures are conducted on the correct person.
Biometric factors can be used with other authentication factors to provide extra cybersecurity to multifactor authentication (MFA) implementations.
MFA might include both information—such as a password—together with a biometric factor—such as a fingerprint scan. By requesting two or more means of identification—at least one of which cannot easily be stolen—MFA makes it harder for attackers to hijack users’ accounts.
Biometric information can be used to observe individuals and track their movements. For example, law enforcement agencies often use the biometric scanning of facial features and fingerprints to identify individuals of interest.
The use of biometrics for payment processing can help speed the verification of financial transactions and streamline user experience. For example, people can use fingerprint readers to confirm payments on smartphones or voice recognition to verify online banking instructions.
Some physical retail stores are also experimenting with biometric payments, such as the installation of palm readers in Whole Foods stores.[7]
Biometric authentication systems can provide significant benefits to organizations and consumers. Being both unforgettable and unique, biometrics are often fast and easy to use, quickly providing trustworthy positive identification.
Passwords and ID cards are easier to steal than fingerprints, whereas copying an iris scan or other physical marker is extremely difficult for a hacker (except maybe in the movies).
This is not to say that biometric security systems are perfect. False rejections—when a system wrongly denies a user access—can still happen. False acceptances can also happen, when systems allow the wrong users in.
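False rejections and false acceptances are two sides of one dial: the match threshold. Raising it turns away more impostors but also more legitimate users. The following added example, written for this page rather than taken from IBM or any product, makes that trade-off concrete. It takes constructed similarity scores for genuine attempts (same person) and impostor attempts (different people), computes the false rejection rate (FRR) and false acceptance rate (FAR) at any threshold, and sweeps thresholds to find the point where the two rates are equal, commonly called the equal error rate. The score values are invented; a real evaluation would use thousands of attempts from a test population.

```python
from typing import List, Tuple

# Constructed similarity scores in [0, 1]. Genuine: the enrolled person trying
# to authenticate. Impostor: a different person presenting to that account.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.85, 0.79, 0.93, 0.70]
IMPOSTOR_SCORES: List[float] = [0.12, 0.30, 0.45, 0.22, 0.55, 0.38, 0.18, 0.72, 0.27, 0.33]


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Share of genuine attempts the system wrongly denies (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Share of impostor attempts the system wrongly admits (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine: List[float], impostor: List[float],
                thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for each candidate threshold, for plotting or tabulating."""
    return [
        (t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
        for t in thresholds
    ]


def equal_error_threshold(genuine: List[float], impostor: List[float],
                          steps: int = 100) -> Tuple[float, float, float]:
    """Sweep thresholds 0..1 and return (threshold, FRR, FAR) where FRR and FAR are closest.

    With overlapping score distributions the two rates cannot both be zero, so
    the first threshold that minimizes |FRR - FAR| is the operating point
    most evaluations report as the equal error rate.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1], best[2], best[3]


if __name__ == "__main__":
    for t, frr, far in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.7, 0.8]):
        print(f"threshold={t:.2f}  FRR={frr:.2f}  FAR={far:.2f}")
    t, frr, far = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal error point: threshold={t:.2f}  FRR={frr:.2f}  FAR={far:.2f}")
```

Which side of the equal error point a deployment should sit on depends on what is being protected: a payment terminal may tolerate a few extra rejections to push FAR down, while a consumer phone unlock usually favors a low FRR and relies on a PIN fallback and rate limiting to contain the residual FAR.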
Some less sophisticated biometric systems can have vulnerabilities to spoofing, such as facial recognition systems that can be fooled by printed photos or prerecorded videos, whether of real people or deep fakes.
Because biometric authentication relies on a physical aspect of a person, that identification is always available. A palm print remains at hand, while a chipped ID card might be misplaced and a complicated password can be forgotten.
Users might be able to log on to equipment, such as a bar code reader in a retail environment, more quickly using biometrics. It generally takes less time to scan a fingerprint than it does to enter a passcode.
Biometrics can also be more secure than passcodes, which are often as simple as “1111111” on shared equipment in retail and similar environments.
1. DynamicLip: Shape-Independent Continuous Authentication via Lip Articulator Dynamics, arXiv, 2 January 2025.
2. Navigating the Challenges and Opportunities of Synthetic Voices, OpenAI, 29 March 2024.
3. The Fingerprint Sourcebook, US Department of Justice, July 2011.
4. How Fingerprinting Works, HowStuffWorks.
5. Some identical twins don't have identical DNA, ScienceNews, 7 January 2021.
6. US Adult Perspectives on Facial Images, DNA and Other Biometrics, National Library of Medicine, 30 March 2022.
7. I tried paying with my palm at Whole Foods by using Amazon's futuristic scanners. It was scarily convenient, Business Insider, November 2023.