The Origins of Biometric Authentication
Contrary to popular belief, biometric technology has been in use since the post-World War II period. Although the methods then were basic, limited, and straightforward, the general concept is not at all new. Semi-automated facial recognition methods were developed in the early 1960s, and speech recognition technology took center stage in the 1980s. The first iris recognition algorithm was patented in 1994 and became a foolproof authentication method. In the 2000s, with the rise of smartphone usage and the emergence of SaaS, hundreds of biometric recognition algorithms were patented and used in the USA alone. Biometrics were initially implemented by large corporations and government bodies that could afford to invest in the required infrastructure and computing capabilities. But the rise of the internet and the SaaS industry put the biometric machine into overdrive. Use cases started to multiply, and today we are at a point where usernames and passwords are starting to become obsolete.
What is Biometric Authentication?
In a nutshell, authentication is about verifying the identity of the end user before granting them access to an application or online service. Biometric authentication does this by leveraging unique and distinctive biological characteristics such as fingerprints, retina scans, and other physical attributes. To make this work, the validated user data is stored in a database and compared against at each login. Many types of biometric authentication are in use today: fingerprint scanners, facial recognition, eye scanners and voice recognition.
This is a massive shift from traditional password authentication, which created a wide range of issues, both internally and externally. A few issues that keep surfacing due to password usage include the following:
Password Fatigue: With most people using dozens of applications daily, they simply reuse the same password for all of them. The chosen passwords are also usually easy to guess, making them a huge security liability.
IT Stress: Traditional authentication methods put a lot of stress on support and IT teams, which have to handle the constant flow of password resets.
Forgetfulness: SaaS requires in-app freedom and less dependence on support. Unfortunately, passwords are often forgotten and need to be reset, causing a lot of frustration.
Biometric authentication eliminates all the aforementioned risks thanks to its inherent benefits. It helps SaaS organizations remove a wide range of roadblocks and pain points and achieve added robustness and scalability.
It means no passwords, multi-factor authentication, and elevated customer satisfaction
With no passwords, hackers have a much harder time infiltrating laptops and smartphones that are protected with biometric authentication; it is almost impossible to mimic a face or fingerprint from a remote location. Multi-factor Authentication (MFA) lets SaaS companies add another layer of security by combining biometrics with other methods. All of this together leads to elevated customer satisfaction: simply put, biometric authentication lets users sign up and sign in faster.
WebAuthn: Driving the Biometric Revolution
WebAuthn is a relatively new W3C global standard for secure web authentication that is now supported by all leading web browsers and online platforms.
WebAuthn is the driving force behind the biometric authentication revolution and is now built into all leading tech ecosystems. It eliminates the need for passwords by using public-private key pairs (credentials). The private key is stored on the end user's device and never leaves it, while the public key is sent to the server along with a random credential ID for storage. The public key is of no use without the corresponding private key, so a leaked server-side credential store gives an attacker nothing to log in with, which is what makes WebAuthn very secure.
You can find many WebAuthn implementations today, with sample code available in Java, JavaScript, Python, Ruby and .NET.
Biometric authentication is everywhere: Apple's Face ID is an advanced face-recognition technology that launched on the iPhone X in 2017 and replaced the older Touch ID fingerprint scanning system. The hardware behind it is the "TrueDepth camera system", which combines cameras, sensors, and a dot projector. The face is registered as a detailed 3D map that is then used for authentication. Google's Android OS is not lagging on the biometric front either: its smartphones, tablets, and Chromebooks, regardless of manufacturer, ship today with face recognition and fingerprint scanning capabilities.
WebAuthn: What to consider
Biometric authentication is indeed great for both UX and security, but there are several items that need to be considered before rushing into the implementation.
Collecting the user information
Biometric authentication needs to be attached to specific user information, so there is no magic here: you still need to implement a proper and secure signup and onboarding flow.
Fallbacks are critical
Most users in the SaaS space will log in to the application from several devices, so your WebAuthn implementation needs to assume that each user has multiple devices, each with its own registered credential. Additionally, in case one of the devices is lost, there should be a proper fallback and recovery path to reduce user friction.
Same device protection
In some applications today, we see WebAuthn used for both login and MFA. If this is the case in your application, make sure that the device used for the login is not the same one used for the second factor; otherwise the two factors collapse into one, which breaks the whole idea of Multi-Factor Authentication.
Today, self-served user management platforms can help SaaS developers implement strong authentication flows, along with other capabilities like billing and subscription management, login box implementation, and more, and this applies to biometric authentication as well. Since users expect a seamless login experience, the mission is to ease their way into the app. These platforms are built so that everyone can integrate biometric authentication quickly and securely.
Written by Aviad Mizrachi, CTO & Co-Founder at FrontEgg