Many people are probably already familiar with biometric authentication in the form of fingerprint scanning technology, such as the iPhone’s Touch ID feature. However, there are many other forms of biometric authentication, and new options are multiplying in this area. SURF, the collaborative ICT organisation for Dutch education and research, asked InnoValor to research the state of the art in biometric authentication in 2016. The purpose is to be able to use it for two-factor authentication in the SURFconext identity federation. The results are summarised in this blog post.
What is possible and what is suitable for SURFnet?
To find the answers to these questions, InnoValor first conducted an extensive review of the literature and then tested the findings with biometry experts in a wisdom-of-the-crowd session at SURFnet. This provided a complete longlist of types of biometric authentication. The methods on this longlist were then assessed for a number of criteria, including the demonstrable reliability of identification, ease of use, the maturity of the technology and the availability of the requisite sensors. This list was then cut down to a shortlist of biometric identifiers, from which InnoValor eventually selected a top three for two-factor authentication within the SURFnet federation.
The longlist contained a few unusual examples of biometric authentication. One was a Japanese solution for authentication based on one’s imprint on the surface of a car seat (Butt-print authentication). Another was a pistol that can only be fired by authorised personnel on the basis of grip recognition. Perhaps unsurprisingly, these forms of biometric authentication did not make the shortlist.
Forms of continuous authentication are also of interest, given that they enable the identity of the user to be continuously verified during user interaction, based for example on behaviour or bodily functions. An example is authentication via patterns in typing behaviour (Keystroke authentication), used e.g. by Coursera to authenticate online students.
Most suitable option for SURFnet
Based on the assessment criteria, fingerprint technology is the most suitable for use as second factor for federated authentication. The second-most suitable is the lesser-known eye vein pattern recognition. Facial recognition and speech recognition are in joint third place. They are not as suitable due to limitations in reliability and user-friendly operation.
The other biometric identifiers were ruled out, either because they require special hardware, are too intrusive for users, are still too experimental or, in the case of continuous authentication, involve a longer registration process and are more privacy-sensitive.
SURFnet intends to use these results to conduct a biometric authentication pilot project. If you have any questions (or wish to take part as an institution), please contact Joost van Dijk. If you would like to find out more about biometric authentication, please contact Martijn Oostdijk.