Authentication – usually defined as the process aimed at proving you are who you say you are – is important in countless applications and in many aspects of our personal and work lives. Authenticating personnel, for instance, can help different types of organizations to avoid identity theft, impersonation, and resulting unauthorized access to secure facilities or sensitive data. For many services, such as banking and healthcare, it’s the customer who needs to be authenticated, to make sure they are entitled to their assets or to the treatment they expect.
There are different types of methods to carry out authentication, each with its own benefits and drawbacks. Some are more secure, some are more costly, while others are simply considered more convenient. Over time, methods have evolved, and more recently biometric authentication – considered more secure and more convenient than some traditional methods – has gained traction and become more popular.
Traditional vs. Biometric Authentication
Biometric authentication methods use unique biological identifiers to verify the identity of an individual. Generally, biometric authentication is considered highly secure as these identifiers are not only unique to each individual, but also very difficult to replicate or fake.
Traditional authentication methods have a lot more room for human error, but many people are more accustomed to using them. These methods include ID cards or other identity documents, a debit or credit card paired with its PIN, or human (visual) assessment.
Card and PIN
Reading a debit or credit card and keying in the related PIN is a popular authentication method, used frequently at bank tellers and ATMs, as well as for payments with POS systems used in retail. Card & PIN is moderately secure and, having been part of our habits for decades, it is considered convenient enough by most users. The limits of this method are that PINs can be leaked in data breaches and cards can be lost or stolen. PINs can also be forgotten by cardholders, a common source of frustration.
Government-issued identity documents are usually packed with security elements, making them difficult to forge – so they may be used for authentication, or as an additional security layer to allow sensitive transactions. A document can be used for such a purpose, however, only if properly authenticated, which usually requires a software layer to check its security elements – not always visible to the human eye, or familiar to those in charge of the control. After the document is blessed as (likely to be) authentic, a matching step will follow, related to the holder’s picture or to another biometric element (e.g. fingerprint). A document alone will not be sufficient for authentication: either a person or a trusted piece of software needs to provide a degree of certainty that the document corresponds to the holder.
Since sufficiently robust security steps are not always in place in the institution accepting documents for authentication, the organization often requests multiple documents, which may pose a physical security risk and challenge customer satisfaction.
Last but not least, visual inspection, which is often the only form of control institutions apply to identity documents, is very prone to errors, making it relatively easy to get through with a legitimate-looking fake document carrying the photo of the fraudster. Humans can make mistakes and allow access to the wrong individuals, and the personnel in charge of visual inspection are not always properly trained on the security elements they need to watch for.
Biometric authentication is highly secure and usually perceived as convenient by the customer, although it normally does require an enrollment phase which may be perceived as a burden. It’s demonstrably very difficult to forge biometric identifiers, and biometric solutions can be quickly deployed to be autonomously operated: this reduces the chance of human error and greatly diminishes the chance of forgery and fraud. This method can take a number of forms (fingerprint, iris, voice, vein patterns, face scans, and more), it can be set up rapidly, and carries reasonable training requirements. Users tend to support it because instead of needing to memorize a PIN or keep track of personal identifiers, they can simply place their finger(s) on a pad or gaze into an eye scanner or camera.
Still, some customers will not be happy about being forced to adopt a radically new authentication method when they are comfortable with one they’ve been using for a long time, and this can lead organizations to lean towards solutions that allow a gradual migration rather than an abrupt top-down overwrite.
There are many situations where authentication is an essential process to prevent fraud, identity theft, and unauthorized access to physical spaces or valuable data. Much of our financial infrastructure relies on these methods day in and day out to keep people safe and avoid financial crimes – as do commercial entities, academic and healthcare institutions and other industries.
While each authentication method carries its own benefits, disadvantages and risks, organizations need to understand them in depth and weigh them against the required investment and their security needs in order to make the most balanced and appropriate choice.