The Main Concerns with Biometric Authentication

Part of my job is to coordinate technical specifications for mobile app development projects with the customers. In the process, I often hear the same question: can we authenticate with the application using biometrics, such as face or fingerprint recognition? There are several ways to approach this, but none of them is promising.

In this article, I would like to explain comprehensively why biometric characteristics don't work for authenticating against backend information systems, and why they do work on personal devices.

Although we live in the age of Big Data, we still cannot ensure accurate biometric authentication via backend services. The main reason simply comes down to the volume of data.

The thing is, the commonplace username-password combination tends to be 30-60 characters long, a negligible amount of data to transmit over the Internet. A fingerprint scan of decent quality is a different matter. Take a 1024×1024 greyscale image at 8 bits per pixel: that is 1,048,576 bytes, more than 17,000 times the size of a typical username-password pair. When facial recognition is in place, the volume gets even bigger.

However, the process of submitting that much information isn't the main hurdle. The biggest obstacle is that a submitted sample has to be compared against the stored templates rather than looked up directly, so to ensure accurate authentication we need to hold the fingerprints of all users in the backend server's memory. If we're talking about a thousand users, that's theoretically feasible. When it comes to a million users, though, things don't appear nearly as trivial even for a powerful backend.

Some people will argue that hashing could be the answer to this challenge, because it transforms any input into a shorter value of fixed length. Unfortunately, the hashing tactic brings us to another issue that will (Read more...)
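The post's own explanation of what goes wrong with hashing is cut off above. As an added example (my code, not from the original post or its author), the script below puts the figures from the preceding paragraphs into code and then shows the property of cryptographic hashes that matters here: two scans that differ in a single pixel produce unrelated SHA-256 digests, so a hash-indexed lookup only succeeds when the resubmitted sample is bit-identical to the enrolled one, and the server falls back to comparing the sample against every enrolled template. The "scans" are constructed from a seeded PRNG rather than real fingerprint data, and the demo scan size, user IDs, and the 16-pixel tolerance are assumptions made for the demonstration.

```python
import hashlib
import random

# Figures taken from the post: a 30-60 character username-password pair versus a
# 1024x1024 greyscale scan at 8 bits per pixel.
USERNAME_PASSWORD_BYTES = 60
SCAN_SIDE = 1024
BITS_PER_PIXEL = 8
DEMO_SIDE = 64  # assumption: small scans so the demonstration runs in well under a second


def scan_size_bytes(side=SCAN_SIDE, bits_per_pixel=BITS_PER_PIXEL):
    """Raw size of a square greyscale scan in bytes."""
    return side * side * bits_per_pixel // 8


def size_ratio():
    """How many username-password pairs fit in one raw scan."""
    return scan_size_bytes() // USERNAME_PASSWORD_BYTES


def make_scan(seed, side=DEMO_SIDE):
    """Constructed stand-in for a fingerprint image: seeded pseudo-random greyscale
    pixels, so every 'user' gets a reproducible, distinct template. Not biometric data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(side * side))


def perturb(scan, index=0, delta=1):
    """Copy of the scan with one pixel nudged by `delta`: a stand-in for the sensor
    noise between two captures of the same finger."""
    noisy = bytearray(scan)
    noisy[index] = (noisy[index] + delta) % 256
    return bytes(noisy)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_bit_distance(hex_a, hex_b):
    """Hamming distance between two hex digests, in bits (about 128 of 256 for
    unrelated inputs)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def enroll(user_ids, side=DEMO_SIDE):
    """Enrolment: a hash-indexed table (digest -> user) for cheap exact lookups, plus
    every raw template, which is the in-memory set the post is worried about."""
    by_digest = {}
    templates = {}
    for uid in user_ids:
        scan = make_scan(uid, side)
        by_digest[sha256_hex(scan)] = uid
        templates[uid] = scan
    return by_digest, templates


def lookup_by_hash(by_digest, scan):
    """Succeeds only if the submitted scan is bit-identical to the enrolled one."""
    return by_digest.get(sha256_hex(scan))


def pixel_distance(a, b):
    """Number of pixel positions at which two equal-sized scans differ."""
    return sum(x != y for x, y in zip(a, b))


def lookup_by_comparison(templates, scan, max_differing_pixels=16):
    """Fallback 1:N search: compare the sample against every enrolled template and
    accept the closest one within tolerance. Cost grows linearly with the user count,
    and every template must be readable during the search. Tolerance is an assumption."""
    best_uid, best_dist = None, None
    for uid, template in templates.items():
        d = pixel_distance(template, scan)
        if d <= max_differing_pixels and (best_dist is None or d < best_dist):
            best_uid, best_dist = uid, d
    return best_uid


if __name__ == "__main__":
    print(f"raw scan: {scan_size_bytes():,} bytes, "
          f"about {size_ratio():,}x a username-password pair")
    by_digest, templates = enroll(range(1, 201))
    fresh = make_scan(42)    # user 42 resubmits a bit-identical capture
    noisy = perturb(fresh)   # same finger, one pixel of sensor noise
    print("exact resubmission via hash table:", lookup_by_hash(by_digest, fresh))
    print("noisy resubmission via hash table:", lookup_by_hash(by_digest, noisy))
    print("digest bits changed by one pixel:",
          digest_bit_distance(sha256_hex(fresh), sha256_hex(noisy)), "of 256")
    print("noisy resubmission via full comparison:", lookup_by_comparison(templates, noisy))
```

The point of the last two lookups is the shape of the cost, not the toy pixel metric: a digest gives you a dictionary lookup, but only for an exact repeat of the enrolled bytes, which a live sensor never delivers; anything that tolerates noise has to touch the stored templates.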

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by David Balaban. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Ee7O7Ab-CYc/