Prof. Steven Furnell FBCS and Prof. Nathan Clarke FBCS, from the University of Plymouth, examine the rise of biometrics in modern society, with particular focus upon the potential to ease the authentication burden on mobile devices.

Biometrics are now an everyday technology in the lives of millions. The journey hasn’t been quick, but many of us have now used biometrics in practice, whereas just a few years ago they were still the stuff of science fiction and James Bond movies for many people.

A key rationale for biometrics is ease of use. You can arguably get all the security you need from a (correctly used) password, but they are increasingly impractical, and we need usable alternatives. Linked to this, the most prominent growth of biometrics has been on mobile devices, with both leading platforms now supporting them.

There is an increasing need to protect these devices, and many of us are disinclined to use passcodes (due to the inconvenience of entering them all the time). Integrating biometrics makes the process easier and quicker.

Biometrics on the move

Android devices have offered a wider range of biometrics for a longer time, with face, fingerprint, iris, and voice-based methods all available from various manufacturers. iOS meanwhile, supports only fingerprint and face (termed Touch ID and Face ID respectively), and currently doesn’t host both within the same device. Nonetheless, the introduction of biometrics on Apple’s devices presents a good illustration of the mainstreaming of the technology.

In the four years since Touch ID debuted on the iPhone 5s (when it was the only iOS device to have it), biometrics have spread across all iOS devices. Indeed, at the time of writing, all eight current models of iPhone and all four models of iPad offer biometrics.

So, from initially appearing only on a premium handset, biometrics have become a standard feature. In addition, their use has extended beyond simply accessing the device - and many now use them routinely to authorise payments via technologies such as Apple Pay.

For the purposes of this article, Apple’s two implementations provide an interesting basis for discussion and comparison. From a security perspective Face ID is stronger, with Apple suggesting that the chances of a false match are 1 in 1,000,000, as compared to 1 in 50,000 for Touch ID.

In addition, it is less vulnerable to misuse. For example, while your fingerprints can be used while you’re asleep, Face ID detects attention and ensures that the device doesn’t unlock unless you’re actually focused upon it (which also prevents basic photo-based spoofs that fooled earlier Android implementations of face unlock).

Additionally, in contrast to many implementations of face recognition, Face ID also works in darkness, with the infrared-based ‘Flood Illuminator’ doing the work, and so doesn’t rely upon external lighting or illumination from the phone screen as a light source.

While it is certainly a strong implementation of face recognition on a consumer-grade device, whether it is better than Touch ID is arguably a matter of personal preference. Face ID has the advantages that you can wear (touchscreen-compatible) gloves again, and that it works well in the rain - addressing two practical limitations often encountered with Touch ID. On the downside, you can’t generally unlock the phone without picking it up.

While this initially doesn’t seem much of an issue, it quickly highlights the number of times you try to use the phone without directly looking at it (e.g. while the phone is beside you on the desk, while you’re lying down, or when trying to take a sneaky glance during meetings!), or when trying to activate the phone while doing other things (e.g. taking a drink). Touch ID copes perfectly in these situations, but Face ID fails to acquire a biometric sample because the camera simply can’t see you properly.

So, by comparison this (still highly usable) method feels less transparent. It’s not difficult to use, but you notice it more. In addition, both biometrics may introduce issues of cultural compatibility, particularly for members of the community that may naturally cover their faces and/or hands in public.

Table: Comparing security and usability of Touch and Face ID

Table: Comparing security and usability of Touch and Face ID

Making life easier

The table compares security and usability of Touch and Face ID, along with a standard passcode approach for reference. The False Match Rate (FMR) refers to the chances of an impostor being falsely accepted as the legitimate user.

The Touch and Face ID values are based on figures quoted by Appleii, whereas for Passcode (where the notion of FMR doesn’t strictly apply), it is referring to the chances of breaking the code by guesswork before the device is fully disabled and permits no further attempts. The number presented is based on the default iOS passcode of six digits (i.e. 1,000,000 possibilities in total), with ten attempts to get the correct sequence.

Speed refers to the time required to activate the device and perform authentication. It was informed by conducting a practical assessment, involving a small group of users and timing ten consecutive authentications with each approach (the process being ten instances of: switch on; authenticate and reach home screen; switch off). The passcode was 836195, giving a consistent PIN that none of the participants normally used (although all had a chance to get used to it before being timed).

Biometrics also offer potential beyond point-of-entry (PoE), enabling re-authentication for sensitive actions. This is already done for payments and accessing particular apps (e.g. mobile banking). However, there is potential to make things even less intrusive, by collecting scans at opportune moments during normal use and then granting access totally transparently if confidence is already high enough. This moves towards a process where authentication can become continuous, particularly if different biometrics are available to source data from.

Speed becomes interesting if we consider how many times we authenticate per day. The timings would suggest that biometrics enable us to save a couple of seconds compared to using passcodes. Extrapolating further, imagine we authenticate on the phone 30 times a day - we are saving a minute in the process. So, every 60 days we’ve saved an hour of our life. And if we consider there are around 16 waking hours in the day, the use of biometrics in place of PINs means that we are saving a waking day of our lives approximately every two and a half years.

Toward the future

From a slow start, the adoption of biometrics has been dramatic. We’ve gone from being concerned about public acceptance (e.g. would we be comfortable being fingerprinted?), to a point where it surely won’t be long before biometrics are expected, and anything else is implicitly less tolerable. 

Ultimately, no biometric is perfect, but Face and Touch ID are very good implementations. The fact that one can arguably compensate for the shortcomings of the other supports the argument for a multi-biometric approach that we - and others - have previously advocated. Meanwhile, either provides a usable alternative to passwords and PINs. 

Notably, however, passwords haven’t gone away. Both Touch ID and Face ID still revert to an underlying passcode, and so if you’ve chosen ‘123456’ (which remains the most popular according to SplashData’s list of most commonly hacked passwords) then your biometric isn’t going to save you.