All about auth
March 4, 2022
From fingerprints to faceprints, asking users to present biometric credentials is fast becoming a familiar authentication method. In this article, we’ll cover the basics of biometric authentication: what it is, how it works, and what to consider when implementing it.
Biometric authentication is a secure, low-friction way to confirm a user’s identity and authorize access to a web-based application, system, or device. It relies on a user’s unique physical or behavioral characteristics to verify that they are who they say they are, and is one of a growing number of authentication solutions that are entirely passwordless.
Different physical and behavioral markers can be used as biometric credentials, but they must be distinguishing and measurable. Fingerprint, face, and voice recognition are the examples this article refers to.
Many biometric technologies are also paired with liveness detection (also called presentation attack detection), which checks that the sample comes from a live person at the sensor rather than from a reproduction. This makes it easier to determine whether someone is using, say, a still image or voice recording of an authorized user to try to gain fraudulent access to a protected system.
Biometric authentication is considered an inherence-based form of user authentication–which is to say, it’s based on something users are as opposed to something they know (like a password or answer to a security question) or something they have (like a device or an SMS passcode).
It works by comparing the biometric data a user presents at login with the biometric template captured at enrollment and associated with the account or device the user is attempting to access. Because two captures of the same finger or face are never identical, the comparison produces a similarity score rather than an exact match: if the score clears the system’s threshold, the user is given clearance; if it does not, the system denies the user access. Where that threshold sits is a trade-off between false accepts (an impostor scores above it) and false rejects (a legitimate user scores below it).
Biometric templates can be stored and matched in libraries managed by a service provider, but that’s more common in use cases like law enforcement and building security (e.g., when an employer uses fingerprint recognition to credential workers into the office). In the world of web-based applications, biometric templates are typically stored on the user’s own smartphone, tablet, or laptop and verified locally using the device’s native technology, like Apple’s Touch ID or Face ID. The biometric itself never leaves the device: with WebAuthn (discussed below), a successful local match unlocks a private key held on the device, which signs a challenge from the service provider, and it is that signed assertion, not the biometric, that the service provider verifies before granting access. Keeping the template on the device means a breach of the service provider cannot expose biometric data, and an attacker without physical access to the device cannot feed a forged sample (a deepfake, for example) to the matcher. It also means that biometric authentication is typically not interoperable across devices unless a user has enrolled separately on each device.
Convenience and ease of use is the major advantage of biometric authentication. It’s much easier for users to glance at their phone or tap a sensor to unlock a device or log in to an app than it is for them to enter (and remember) a password or request an SMS passcode every time they want access. Biometric authentication reduces friction, which, in turn, can increase user conversion and retention.
Because biometric authentication is based on a user’s own characteristics, the credential cannot be lost, forgotten, or guessed. This makes it a safer option than password-based authentication, which is an increasingly insufficient means of protecting sensitive information. When the biometric is verified on the device, it also binds two factors together: the user demonstrates both possession of the enrolled device and a trait such as their face or fingerprint.
Like any authentication approach, biometrics aren’t foolproof. Some of the potential risks and challenges associated with biometrics include:
Attackers may use an authorized user’s photo, voice recording, fingerprint replica, or other form of mimicry (a presentation attack) to trick a biometric reader into giving them access. Liveness checks such as mapping users’ faces in 3D or requiring them to say a unique phrase at every login can help mitigate this risk.
False rejections may result from changes to users’ faces and voices as they age, or from circumstances such as mask-wearing, glasses, or poor lighting.
Biometrics are highly sensitive data, and people are understandably wary about them being stored in centralized databases or transmitted between systems that could be breached. Unlike a password, a leaked fingerprint or face template cannot be rotated. Entities that choose to use and store biometric data need to be cognizant of these risks and develop a highly secure and transparent plan for using and protecting it. As a result, it often makes more sense for app developers to rely on device-based biometrics, where the template never leaves the user’s device. Using Apple’s and Android’s biometric technologies lets them avoid many of these liabilities, and device-based methods are becoming increasingly easy to implement.
Building a biometric login into an authentication flow can be complicated if you choose to code from scratch, or relatively simple if you take advantage of a well-documented API. For web applications, our preferred method of implementing biometric authentication is WebAuthn, a web standard that lets app developers authenticate users with public-key credentials unlocked by built-in biometrics and/or specialized hardware keys (e.g., YubiKey).
With device support now at critical mass (approximately 90% of global users’ devices support WebAuthn) and the availability of new WebAuthn products designed with developers in mind, integrating WebAuthn into an app’s desktop or mobile experience has never been simpler or more intuitive. Good WebAuthn products abstract the details for developers to make it as quick as possible to implement securely, and they make it easy to build biometric logins alongside other authentication methods to support cross-device access and account recovery.
With WebAuthn, developers can meet a high security standard while still providing users with a lower-friction login method. In contrast to other higher-security alternatives like time-based one-time passcodes (TOTP), which require users to download a third-party app like Google Authenticator, users in a WebAuthn authentication flow can simply use the familiar fingerprint and facial recognition technologies on their devices. WebAuthn is phishing-resistant by design: the credential is bound to the site’s origin and the signed assertion includes the origin the browser saw, so a look-alike site cannot obtain an assertion your site will accept, and there are no passcodes or security questions for a user to mistakenly disclose to an attacker. Nothing is tied to a user’s phone number, either, which can be compromised (for example, by SIM swapping) more easily than a device.
Part of implementing a biometric login is deciding where in your authentication flow it will live. Oftentimes, a biometric login is a secondary factor in a two-factor (2FA) or multi-factor authentication (MFA) flow. Historically, usernames and passwords have served as primary authentication methods (though, increasingly, that is changing), and supporting authentication methods like biometrics have been implemented to help fill in passwords’ security gaps.
Biometrics can also serve as primary authentication factors, but given that they’re attached to a specific device, application developers should consider how users can access their account if they lose a device. This account recovery process can also be passwordless, using methods such as email magic links, SMS passcodes, or OAuth logins. Because those recovery methods are weaker than the biometric factor they stand in for (as noted above, a phone number is easier to compromise than a device), recovery is where an attacker will push, so it deserves the same care as the primary login.
If used as a secondary factor, biometric logins can be implemented at initial sign-in as part of an application-based authentication process, or they can be triggered at another point in the user journey to protect a particularly sensitive task, function, or content area within an app or online account. The latter is referred to as route-based authentication, and it is becoming a popular way to secure a system without adding undue user friction upfront. You can read about application-based and route-based authentication approaches here.
Stytch is leading the way in easy-to-implement authentication solutions that boost security and increase conversions. If you’re interested in integrating biometric authentication, check out our WebAuthn product or check out the API documentation here.