Biometrics – SY0-601 CompTIA Security+ : 2.4

There are many ways to authenticate someone based on a biometric feature. In this video, you’ll learn about fingerprint scanners, retinal scanners, voice recognition, and more.



A biometric authentication factor refers to something you are; a fingerprint is the classic example. Fingerprint scanners can be found on phones, on laptops, and on the doors of data centers and other facilities. You might also use the retina inside your eye as a biometric authentication factor. The retina is the layer of capillaries at the back of your eye. Its pattern is a relatively unique feature of your eye and it doesn’t often change, making it a very good biometric factor to use for authentication.

We can also use the iris of the eye as an authentication factor. The iris is at the front of the eye, and it has specific textures and colors that are particular to you. Our voice also makes for a very good authentication factor, so we might have to say something to gain access using voice recognition. And if you have a mobile device you may be using facial recognition: the camera in your phone looks at the face of whoever is holding the phone and allows or disallows access based on those facial features.

A biometric factor that’s rarely used but relatively accurate is gait analysis. This examines the characteristics of how someone walks. Everyone walks a little differently, and gait analysis measures those differences to distinguish one person’s gait from another’s. And similar to retinal scanners, which look at the capillaries in the back of the eye, we also have vascular scanners that look at the veins in our arms. These examine the blood vessels in our extremities and identify a person based on the unique layout of their veins.

Using biometrics as an authentication factor is an uncertain science. There are differences between users, and there are differences in the sensitivity of the readers we use for biometrics, so we have to spend some time making sure the sensitivity levels provide the correct access for our users. One of the metrics you would examine to determine how well your biometrics are working is the false acceptance rate, or FAR. This is how often your biometric system approves an unauthorized user based on their biometric values. This is obviously not something you would want to happen on your network, so it’s common to increase the sensitivity of the biometric reader in order to decrease the false acceptance rate.

On the other end of the spectrum is the false rejection rate, or FRR. This is when someone who is authorized to use the system puts their finger on the fingerprint reader and, instead of getting a green light, gets a red light. Even though they are authorized, the biometric reader rejects them. A large number of false rejections frustrates users, and it can keep people out of places they are authorized to go. So it’s common to decrease the sensitivity of the biometric system to reduce the number of false rejections.

Somewhere between those two is a sweet spot that we call the crossover error rate, or CER. This is the point where we have minimized the false acceptance rate and minimized the false rejection rate, effectively bringing both down to an equal level. Somewhere between these two values is a setting that works for your organization, and it’s up to you to adjust the sensitivity of your biometric system to find it.

Here’s how this might look visually: the number of errors increases along the y-axis, and the sensitivity level changes along the x-axis. If we have low sensitivity, then a number of unauthorized users might gain access to the system. That is the false acceptance rate, and the less sensitive we are, the higher that false acceptance rate becomes. If we increase the sensitivity, it becomes more and more difficult for an authorized user to gain access, because they keep getting rejected; that is the false rejection rate. So as we move the sensitivity toward the middle, we reach the crossover error rate, or CER, where the FAR and the FRR curves meet.
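The FAR/FRR trade-off described above can be reproduced with a small calculation. The following is an added example, not part of the original video or its materials: it takes a constructed set of matcher similarity scores (invented values, labelled as such in the code) for genuine users and for impostors, sweeps an acceptance threshold that plays the role of the reader’s sensitivity setting, computes FAR and FRR at each threshold, and reports the threshold where the two rates cross. The score scale, the threshold range and the helper names are all assumptions made for the illustration.

```python
"""FAR, FRR and CER computed over a constructed set of biometric match scores.

Added example (not the video's own code). The scores are invented for
illustration: a real matcher would produce them when comparing a live
sample against an enrolled template. Higher score = closer match.
"""
from typing import List, Sequence, Tuple

# Constructed data: 12 attempts by enrolled users presenting their own
# trait ("genuine") and 12 attempts by other people ("impostor").
# The ranges deliberately overlap, as they do with real sensors.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 57, 48, 42]
IMPOSTOR_SCORES = [62, 58, 55, 52, 49, 45, 40, 38, 33, 28, 24, 20]

# Threshold acts as the "sensitivity" setting: a sample is accepted when
# score >= threshold. Low threshold = low sensitivity, high = strict.
THRESHOLDS = range(0, 101)


def false_acceptance_rate(impostor: Sequence[int], threshold: int) -> float:
    """FAR: fraction of impostor attempts the system wrongly accepts."""
    accepted = sum(1 for s in impostor if s >= threshold)
    return accepted / len(impostor)


def false_rejection_rate(genuine: Sequence[int], threshold: int) -> float:
    """FRR: fraction of genuine attempts the system wrongly rejects."""
    rejected = sum(1 for s in genuine if s < threshold)
    return rejected / len(genuine)


def error_curve(genuine: Sequence[int], impostor: Sequence[int],
                thresholds=THRESHOLDS) -> List[Tuple[int, float, float]]:
    """Return (threshold, FAR, FRR) for every threshold in the sweep."""
    return [(t,
             false_acceptance_rate(impostor, t),
             false_rejection_rate(genuine, t))
            for t in thresholds]


def crossover_error_rate(genuine: Sequence[int], impostor: Sequence[int],
                         thresholds=THRESHOLDS) -> Tuple[int, float]:
    """Find the threshold where FAR and FRR are closest (the CER).

    Returns (threshold, rate). With discrete data the curves may not meet
    exactly, so the rate is the mean of FAR and FRR at the closest point;
    min() returns the first (lowest) threshold among ties.
    """
    curve = error_curve(genuine, impostor, thresholds)
    t, far, frr = min(curve, key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    # Print the curve at a few sensitivity settings so the trade-off is
    # visible: FAR falls and FRR rises as the threshold increases.
    for t, far, frr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 10)):
        print(f"threshold={t:3d}  FAR={far:.2f}  FRR={frr:.2f}")
    cer_t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {cer_t}: CER={cer:.3f}")
```

With these constructed scores the two rates meet at threshold 56, where two of twelve impostors are still accepted and two of twelve genuine users are rejected (CER ≈ 0.167). Setting the threshold lower than that drives FAR up, setting it higher drives FRR up, which is exactly the curve the video describes; whether an organization should sit at the crossover or bias toward fewer false acceptances depends on what the door protects.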