ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Methods of Biometric Authentication

Updated on January 20, 2018

Methods of authentication involve verifying the identity of an individual. The verification is usually obtained by the individual demonstrating something he knows, something he has, or something he is. The most traditional forms of authentication rely on the individual providing a username combined with a password, thus demonstrating something the user knows.

Biometric authentication methods are gaining popularity since hacking techniques have rendered traditional authentication methods ineffective. Combinations of usernames and passwords may be easily compromised using dictionary attacks or rainbow tables. Biometric authentication methods do not produce hashes of user input, which makes capturing and decoding user input all but impossible.

Biometric Types

Biometric authentication relies on demonstrating something the individual is rather than something the individual knows. This renders biometric authentication less prone to an attack through duplication than traditional authentication methods. There are essentially three types of biometrics, which include physical biometrics, behavioral biometrics, and cognitive biometrics.

Physical Biometrics

Physical biometric systems are by far the most common. Most marketed physical biometric systems scan an individual in some manner for distinguishing characteristics. These scans essentially create images of the “individual's fingerprints, hands, face, iris, or retina” (Reference for Business, 2011). Physical biometric scanners make up roughly 86 percent of the biometric market.

Iris scanning measures the most stable individual characteristic because an individual’s iris pattern does not change from the time of birth. However, iris and retinal scanning require the individual’s eye to be in very close proximity to the scanner so people tend to prefer other methods. This may explain why iris and retinal scanners have not overtaken the market.

Whichever type of physical characteristic a biometric system measures, the end result is to create a template of an authorized individual’s biometric characteristics through a computer analysis of the scans. The template, which is a very large alphanumeric key, is created when the individual enrolls in the system. Future authentication scans are then compared to the template and access is granted or denied according to how closely a future scan matches the template (Reference for Business, 2011).

Behavioral Biometrics

Behavioral biometric authentication relies on measuring an individual’s voice patterns, signature characteristics, or typing style. Behavioral biometrics effectively “substitutes ‘the way you do something’ for ‘something you are.’ (Electronic Payments Week, 2005, p.1). Voice patterns can be easily captured and are unique between individuals. A problem with using voice patterns is that background noise may influence an individual’s attempt to authenticate into a system and create a false negative or block an individual who should be granted access.

Typing characteristics and signature dynamics are much more reliable measures than voice recognition because there is no background noise problem. Typing characteristics measure how someone types. The measured characteristics are the dwell time and flight time while typing a particular phrase. Dwell time is the amount of time that a user’s finger remains on a particular key while typing and flight time is the amount of time a user takes when moving between keys. When a user sets up an account, the user is prompted to type a particular phrase several times. The system measures the characteristics for the user while the user types that particular phrase. The user later types the same phrase while authenticating.

Biometric authentication based on signature dynamics work in a similar manner. “A new user can sign his or her signature several times, and the system measures things like pen pressure and pen speed, thus making that signature impossible to forge as far as the authentication system goes” (Electronic Payments Week, 2005, p.1). This method of authentication is simple for the user and provides a reasonable amount of certainty that the user is who he or she claims to be because not only must the signature match the individual’s signature but the signature must be signed in the same way.

Cognitive Biometrics

Cognitive biometrics is relatively new to biometric authentication. Simple forms of cognitive biometric authentication cause an individual to relate something from the past. Security questions for certain forms of Internet access rely on this form of cognitive biometric authentication, which causes a user to think. However, this simple form of cognitive biometrics presents some of the same problems as password authentication; a shoulder surfer could watch an individual answer the questions then duplicate those answers in the future.

Avalon Biometrics (n.d.) presented a more complex form of cognitive biometrics, which had a patent granted for an interface between an individual’s brain and a machine to measure cognitive responses to tasks.

A pattern of blood flow velocity changes is obtained in response to a set intelligence task, which is used to form a 'mental signature' that could be repeatedly recognized, in an automated man-machine interface system. The system is designed to go beyond passive recognition, but rather to set a desired level of 'mental performance', before access is gained into the system. (Avalon Biometrics, n.d.).

This form of cognitive biometric creates a signature based on an individual’s thought patterns, which would likely be the most difficult patterns to duplicate.

Biometric Concerns

Concerns of disembodied fingers used to circumvent fingerprint scanners were prevalent in the early days of biometrics and are still concerns today although technology has improved significantly since those early days. Incorporating temperature sensors in fingerprint scanners can help prevent a cold finger from being used to gain access. Bayly, Castro, Arakala, Jeffers, and Horadam (2010) mentioned the possibility that “Fake biometrics like gummy fingerprints, face masks or pre recorded voice could be presented by attackers at the sensors of a system” (p. 69). These possibilities would require manufacturers to include mechanisms to ensure that the biometric credentials originated from the presenter.

Building public confidence in biometric authentication methods posed serious problems to the biometric authentication system’s industry. Charndra and Calderor (2005) related the concerns of activist groups that claimed that biometrics are intrusive and provide for even greater reductions in personal privacy and liberty. “Unlike conventional identifiers (such as passwords and tokens), biometrics are inextricably linked to a specific person and cannot be changed, replaced, or modified” (p. 104). In the present age, individuals seem somewhat more likely to trade some privacy for security but the likelihood of the continuation of this trend is in question.

A final concern of individuals toward biometrics involves the central repositories used by the systems. Electronic Payments Week (2005) suggested that these repositories may be hacked into by an intruder. Such actions would devastate businesses and individuals alike; “opening consumers--and businesses—to having all their assets stolen from all their accounts, instead of from just one” (p. 1).

Biometric Effectiveness

The effectiveness of biometric systems is tied to the ability of the systems to distinguish between samples from a given population. Biometrics do not provide for an undisputable determination. Charndra and Calderor (2005) stated “the literature defines biometrics as distinguishable (rather than unique) physiological and behavioral traits that may be used for identification and authentication” (p. 195). The definition provides that when a biometric sample matches a template the identity is considered a probable match, not an indisputable identification.

There are two stages to biometric authentication. The first stage is enrollment, when an individual registers with the system and creates the biometric template. The second stage is verification, when an individual presents a biometric scan to compare with the template. An individual could experience a problem with the scans during either stage. DigitalPersona promotes a fingerprint scanner that the company claims maintains a 90 percent success rate for enrollments and a 100 percent success rate for verifications. This means that 10 percent of the population experiences problems enrolling with the system.

Jain and Ross (2004) claimed that multibiometric systems, those employing more than one type of biometric scan, increase the effective likelihood that a probable match is in fact a true identity by matching more than one characteristic. These systems also reduce the possibility that an individual could successfully spoof the identity of another individual. An intruder attempting to use a finger mold would also need to copy another trait, such as the victim’s writing dynamics.

Charndra and Calderor (2005) stated that another limitation to the effectiveness of biometric devices is the degrees to which those devices are able to make probable matches after natural occurrences such as aging. An older person’s physical characteristics change with age and biometric devices must be able to match templates with samples even after these changes occur. Similar situations arise after certain types of surgery that alter appearance or accidents involving the loss of a limb. The alternative to biometric systems that cannot adapt to these changes would be to require the subject to reregister with the system after such changes occur, which would increase the cost of ownership.

Cost to Implement Biometrics

The most common available hardware based biometric systems include fingerprint scanners and iris scanners. Software biometric systems include those that measure typing dynamics and signature characteristics. The cost to implement these systems depends on the type of system, the location of the system, and the number of users.

Centralized deployment of a fingerprint scanner would cost around $1200 for the DigitalPersona U. are U. scanner (Grotta, 2001). One security enhancement of this model is the device’s ability to encrypt an image while the image is acquired. Other devices send an un-encrypted image to the connected computer and require the computer to encrypt the image. Confidentiality should require an image to be encrypted before transmission to prevent tampering. Fingerprint scanners such as this are good choices for physical access control mechanisms.

Biometric Protection from unauthorized access to desktop computers has traditionally been accomplished using fingerprint scanners, such as the one mentioned above. These scanners can be cost prohibitive on a large scale. However, Yang (2002) described the Panasonic Authentication Iris Recognition Camera, which was designed for desktop authentication. The list price for the device is $239 or just over a quarter of the cost of the U. are U. fingerprint scanner. The declining cost of desktop computers combined with the low cost of this iris recognition technology should put desktop authentication on the plate for every major corporation.

Network access may now be affordably protected using software based typing dynamics with BioPassword 4.5 from NetNanny, “which tie a unique physical characteristic to an individual's network account to provide positive user identification. BioPassword links the specific typing style and patterns to a user's password for a flexible and secure solution” (Monro, 2001). Net Nanny offers a tiered pricing structure for the software ranging from $100 for a 50-user license to $40 for a 4,000 user license.


The traditional method of authentication, which uses a username and password to demonstrate something you know, no longer provides adequate protection to the confidentiality, integrity, and availability of organizational information assets. Passwords are easily compromised through brute-force methods or simply through observation. Another form of authentication is needed to provide adequate protection to information assets and systems.

Biometric authentication methods are replacing the traditional authentication methods to provide more adequate protection. There are three types of biometric authentication, which include physical biometrics, behavioral biometrics, and cognitive biometrics. Biometric authentication methods replace something you know with something you are, in the case of physical biometrics; or with something you do, in the case of behavioral or cognitive biometrics.

Although biometric authentication systems may effectively provide better protection for information systems, there are certain valid concerns that are slowing down the wide-spread implementation of these systems. These concerns include the possibility that a biometric authentication system may grant an unauthorized person access to systems or that the central repository of biometric templates may be compromised. However, improvements in the technology and the introduction of multibiometric systems are gradually leading the public toward acceptance of the technology.

The cost to implement a biometric authentication system depends on a number of variables, such as the location of the devices and the number of users. However, matched with the commodity-like cost of desktop computers, biometric authentication systems are becoming more affordable for organizations of all sizes. The low cost of protecting information systems and network transactions using biometric authentication methods should provide an incentive to implement this type of solution.

  • Bayly, D., Castro, M., Arakala, A., Jeffers, J., & Horadam, K. (2010). Fractional biometrics: Safeguarding privacy in biometric applications. International Journal of Information Security , 9 (1), 69-82. doi:10.1007/s10207-009-0096-z
  • Chandra, A., & Calderor, T. (2005). Challenges and constraints to the diffusion of biommetrics in information systems. Communications of the ACM , 48 (12), 101-106. Retrieved from EBSCOhost.

  • Jain, A. K., & Ross, A. (2004). Multibiometric systems. Communications of the ACM , 47 (1), 34-40.


    0 of 8192 characters used
    Post Comment

    No comments yet.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
    ClickscoThis is a data management platform studying reader behavior (Privacy Policy)