Why Passkeys Rely on Biometric Authentication

Biometric Authentication refers to a cybersecurity process that involves the use of unique biological characteristics of individuals such as irises, voices, facial characteristics, and fingerprints to verify a users identity. This process is used to authorize access to a web-based application, system, or device. In contrast to identification that asks "who are you?", authentication asks "are you who you say you are?". To access a web-based application, a users biometric information is compared against one submitted and stored in a database to determine whether the person that is attempting to log in is actually who they claim to be. On the other hand, to access a device like an iPhone or a laptop, biometric information is not stored in a database but on the device itself, which it never leaves.

The word biometric is a combination of two words: bio (human) and metric (measurement). In other words, biometrics are any metrics related to human features which make an individual different from other individuals.

Biometric data is unique to individual users, and Biometric Authentication is generally more secure than other forms of authentication. Biometric Authentication is a rapidly growing technology that can help businesses ensure that only the right people access sensitive information.

Several biological characteristics can be used as biometric credentials as long as they are distinguishable and measurable. Some popular types of Biometric Authentication technologies include:

• Fingerprint recognition: high-resolution scans to map and compare distinct ridges and valleys of peoples fingerprints. Scanners are either optical, capacitive or ultrasonic.
• Voice recognition: analyzes the unique sound characteristics, including duration, dynamics, intensity, and pitch, produced by a persons jaw, mouth movements and individual throat shape.
• Facial recognition: turns the contours and measurements of a persons face into a unique numerical code called a faceprint.
• Iris and retina recognition: uses the unique pattern of someones iris or retina i.e., the portion of color for iris scans and the pattern of blood vessels for retina scans.

Biometric Authentication works by comparing the biometric information a user presents with the preset biometric template thats associated with the account or device the user is attempting to access. In web-based applications, biometric templates are typically stored on the users own smartphone, tablet, or laptop and verified locally using their devices native technology like Apples Touch ID or Face ID. If the two datasets are nearly identical, the device detects a match, and sends a security token to the service provider to grant access. This local storage of the biometric information on the device prevents attack vectors such as deep fake impersonations, but it also means that Biometric Authentication is typically not interoperable across devices unless a user has enrolled themselves independently on each device.

Thereby, the match between the two datasets must be nearly identical but not exactly identical. The reason for this is that it is almost impossible for two biometric datasets to match 100%. For example, the user might have slightly sweaty fingers or a tiny scar that changes the print pattern.

Designing the process of Biometric Authentication requires to balance the risk of false negatives (the device doesnt recognize the biological characteristics) with false positives (the device does accept fake biological characteristics). Due to modern technologies relying on neural networks and large amounts of available data, Biometric Authentication processes are very well balanced today. For instance, the chance that Apples Face ID gets confused by scanning the faces of twins is approximately 1:1million.

If implemented correctly, Biometric Authentication can help your business ensure that only the right people have access to sensitive information and users have a convenient and easy authentication experience.

Because Biometric Authentication is based on a users unique characteristics, it cannot be lost, forgotten, or guessed. Also, in contrast to the process of entering a password, biometric information cannot be seen or observed by a third party. This makes it a more safe and secure authentication option compared to password-based authentication. Additionally, Biometric Authentication offers best-in-class security by ensuring that a user demonstrates both possession of an original device and a unique biometric trait such as a face scan or fingerprint.

Convenience and ease of use is the second advantage of Biometric Authentication. Its much easier for users to glance at their phone or tap a sensor to unlock a device or log in to an app than it is for them to enter (and remember) a password. Biometric Authentication reduces friction, which, in turn, can increase user conversion and retention.

Despite being a highly secure authentication method, Biometric Authentication still bears some potential risks if not implemented properly.

Hackers may use a photo, voice recordings or fingerprint replicas to trick biometric scanners. However, scanning faces in 3D as it is done with Apples Face ID and Windows Hello eliminate this risk.

Biological characteristics such as the face appearance or the sound of the voice slightly change as people get older. This can lead to false rejections and hence reduce the convenience for users. However, as scanners and algorithms constantly evolve, false rejections seldomly occur today. For instance, modern face scans provide reliable results even if people wear masks or glasses.

Biometric data is highly sensitive, and people are understandably wary of storing it in centralized databases or transferring it between systems that are vulnerable to a breach. Therefore, it makes sense for app developers to use device-based biometrics for their applications. Using Apple and Android biometric technologies allows them to avoid many liabilities, and device-based methods are becoming increasingly easy to implement.

In order to integrate Biometric Authentication into a web application, developers can code the flow from scratch, which is time consuming and often complicated, especially with a diverse user base with respect to devices and platforms. Alternatively, developers can take advantage of passkeys, that offer a solution to authenticate users via the built-in hardware infrastructure and technology of devices such as Face ID or Windows Hello. Passkeys rely on cryptographic processes, where the private keys that are stored on the device are protected by the Biometric Authentication technology of the respective device.

Support of devices is now reaching a critical mass (approximately 90% of global devices already support passkeys) and the integration of passkeys into native- and web apps has never been simpler and more intuitive. Good passkey solutions abstract the details for developers to make it as quick as possible to implement. Further, they enable easy to build biometric logins alongside other authentication methods to support cross-device access, account recovery and user migration.

Corbado is leading the way in easy-to-implement passkey solutions that boost security and increase conversions. Increasingly more digital first movers like eBay, PayPal, Kayak and others already implement passkeys. If you are interested in integrating Biometric Authentication with passkeys into your application, check out Corbados solutions. Sign up for a free account to get started.