How Biometrics Provide an Amazing UX, But Fail Too Often

Biometrics and UX

Imagine a world with no codes, passwords, tokens, cards, keys, or trips to physical departments in order to complete a simple task — while safety breaches happen at the lowest rate ever.

Sounds perfect… too good to be true, in fact.

Biometric tech has an aura of mystery and omnipotence. This image is cultivated in futuristic movies like Minority Report, Gattaca and Demolition Man. It’s not a sci-fi fantasy, though — around 62% of companies already use biometric authentication. Another 24% plan to deploy it within the next two years, according to a survey by Spiceworks.

We have weighed the security and UX of biometrics to show that this kind of technology isn’t all it’s made out to be.

The stunning side of biometrics: marrying UX and cybersecurity

What makes this advanced technology so sought after is an incredible amalgamation of elevated security standards and accessibility that raises satisfaction levels among end-users.

Never having to memorize a password again

In order to memorize multiple passwords, people resort to highly unsafe practices, such as writing them down, keeping them in their phones or wallets, or using the same password for every account they own and manage. If they happen to lose or forget their passwords, the safer the whole recovery system is, the harder it is to regain access to the accounts.
Using a biometric authentication system completely eliminates passwords from the process, replacing them with voice, body parts, and various behavior patterns that are at hand 24/7.

No typing needed

Typing in those passwords seems easy enough — provided that you managed to memorize them.

What about all the times when that’s inconvenient?

Getting back from the store with your hands full of groceries, being injured, or living with a disability are all common scenarios, and they show that having the option to use a voice command or an eye scan can be very handy in everyday life.

Less than a second to get through

Biometric authentication devices are not only convenient but very fast as well. Users can log in lightning-fast, simply by presenting their voice, face, finger, or another body part for the device to authenticate.

You don’t need to reload the login page because of an unstable network connection and then type the password again, wait for the SMS code to arrive, or perform any similar action. Everything is done instantly on the device itself.

A bulletproof layer of safety

Biometric technology provides exceptional safety by using identifiers that are unique to a single user. Fingerprints, facial recognition, voice, or behavioral patterns such as typing cadence are tied to one person and cannot be imitated.

Users get another layer of safety as well. Nobody can spy, peep, steal the password while you type it in, or take the token away from you.

When biometrics fail to deliver

Biometric technology certainly provides us with fantastic user experience while raising security standards to another level. Still, to say that it’s a faultless system would be far from true.

Recalling the fantastic biometrics in Gattaca and all the ways Vincent (played by Ethan Hawke) managed to outsmart the scanners suggests that even the most complex, advanced tech can be fooled — sometimes more easily than you could imagine.

At the same time, there are instances when using biometrics to secure confidential data isn’t all that smooth and fast. Multiple system errors occur regularly, all of which raise serious questions about cybersecurity in the future.

Biometric hacking is cheaper than you might think

Take a guess how much it would cost to break into the phone of the most powerful person in the United States.

For one team, hacking a fingerprint and breaking into its owner’s phone cost just about $140 (but we suspect the costs of getting caught hacking a powerful person would be much higher).

Surprised?

Well, you shouldn’t be! Not only do people leave their confidential information lying around, they do the same with their biological traces. By that we mean fingerprints: we leave them unwillingly, and one need only be moderately creative to think of many ways to acquire them.

Fingerprint cloning can be done with nothing but a single phone with a good camera and the right app. At this year’s hacking event in Shanghai, Tencent Security’s X-Lab team leader Chen Yu took a photo of a fingerprint on a glass, ran it through their new app, and extracted the data that enabled him to make a physical version of said fingerprint in about 20 minutes!

And it turns out that cracking the ultrasonic fingerprint sensors people use to lock their phones is even cheaper.

Lisa Nelson from the UK had no idea that anybody could unlock her Samsung Galaxy S10. She found out that her £2.70 screen protector from eBay enabled any fingerprint to unlock the phone and access the sensitive data.

Samsung officials promised to strengthen the security and enhance the biometric authentication, but asked users to refrain from using these types of screen protectors until it released a software update.

Fingerprints aren’t the only weak link — everything is hackable!

In addition to creating fingerprint clones on thin silicone or rubber sheets, other biometric recognition identifiers are hackable too. Facial recognition, for example, can be beaten with 3D-printed masks, and the iris can be cloned.

Biometric errors that ruin the UX and affect the safety

Tech companies work hard to make biometric scanners more sophisticated each day so that the chances of error come closer to zero – but they still exist.

There are two types of errors that occur when biometrics fail. Type I errors ruin the UX, and Type II errors, which are more dangerous, compromise user privacy.

False rejection (Type I error)

In the instance of false rejection, biometric security systems fail to recognize the authorized user and reject that person as an impostor.

This might happen due to system failures, but false rejections often happen because of simpler obstructions. These include scratched scan surfaces, cold, greasy, or damaged fingertips, slight changes of voice, or shaky body parts and devices.

The probability of false rejection errors is called false rejection rate (FRR), or false non-match rate (FNMR) — and the higher it is, the less reliable the system is. This is one of the most important specifications of a biometric system, expressed as a probability. For example, if the FRR is 0.05%, one in every 2,000 users on average will experience a Type I error.

False acceptance (Type II error)

False acceptance is an error that occurs when the biometric system mistakenly recognizes the unauthorized user as an authorized person.

It is considered a lot more dangerous than false rejection, as it gives unauthorized people access to classified personal data. Since the consequences are more serious than with Type I errors, the false acceptance rate (FAR) is even more important a statistic than FRR.
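The FRR and FAR figures described in the two sections above are just proportions of genuine and impostor attempts that fall on the wrong side of the matcher’s decision threshold. The following Python is an added example, not code from the original post: it computes both rates over constructed sample scores (a hypothetical matcher, not any real sensor), shows how tightening the threshold lowers FAR while raising FRR, and turns an FRR such as 0.05% back into the “one in 2,000 users” figure quoted above.

```python
"""Added example (not from the original post): computing FRR (Type I) and FAR
(Type II) from a matcher's similarity scores, and the trade-off between them
as the decision threshold moves. All scores below are constructed sample data."""
from typing import List, Sequence, Tuple

# Constructed similarity scores (0..1) from a hypothetical matcher.
# Genuine: the enrolled user against their own template; impostor: someone else.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.83, 0.62, 0.90, 0.86, 0.93, 0.71]
IMPOSTOR_SCORES = [0.12, 0.33, 0.08, 0.41, 0.66, 0.25, 0.19, 0.37, 0.29, 0.15]


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: Sequence[float], threshold: float) -> float:
    """False acceptance rate: share of impostor attempts scoring at or above it."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def users_per_false_rejection(frr_value: float) -> float:
    """On average, one in this many genuine attempts is falsely rejected."""
    return 1.0 / frr_value


def sweep(genuine: Sequence[float], impostor: Sequence[float],
          steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) at evenly spaced thresholds: raising the threshold
    lowers FAR but raises FRR, so security and UX pull in opposite directions."""
    return [(i / steps, frr(genuine, i / steps), far(impostor, i / steps))
            for i in range(steps + 1)]


def equal_error_point(genuine: Sequence[float], impostor: Sequence[float],
                      steps: int = 100) -> Tuple[float, float, float]:
    """The operating point where FRR and FAR are closest (the equal error rate)."""
    return min(sweep(genuine, impostor, steps), key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t in (0.5, 0.65, 0.8):
        print(f"threshold {t:.2f}: FRR={frr(GENUINE_SCORES, t):.2f} "
              f"FAR={far(IMPOSTOR_SCORES, t):.2f}")
    print("equal error point (threshold, FRR, FAR):",
          equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FRR 0.05% -> one in", users_per_false_rejection(0.0005), "users")
```

A real deployment would measure these rates on thousands of attempts per class; with ten samples each, the example only illustrates the mechanics and the direction of the trade-off.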

Privacy concerns

The General Data Protection Regulation (GDPR) addresses biometric data usage and works well to protect the citizens it applies to — but in the US, there is no comprehensive federal law regulating biometric data collection, usage, and storage.

There are some exceptions, though. Illinois was the first state to pass a specific biometric privacy law, followed by Texas and Washington. The Illinois Biometric Information Privacy Act (BIPA) from 2008 states that:

  1. Businesses must obtain informed consent before collecting biometric data and protect and retain it according to the statute; they may not profit from such data and have limited rights of disclosure;
  2. People harmed by a BIPA violation can sue for $1,000 per negligent violation. Alternatively, they can sue for $5,000 per intentional violation through a private right of action.

There are a number of additional rules that roughly regulate this area. However, there’s no such thing as a complete set of regulations, and existing laws often overlap or contradict each other.

This leaves far too much space for violation of privacy.

Unethical advertisers covertly sell sensitive data to tabloid journalists, stalkers, criminals, and repressive governments. Once the data gets into the wrong hands, the possibilities for privacy invasion become harrowing. The outcomes are far more alarming than being bombarded with annoying targeted ads.

Compromised data cannot be changed!

While it’s debatable whether biometric verification, with all the flaws it possesses, is the closest thing we have to perfection when it comes to security, another important question is: how dangerous is it really to have your biometric data compromised?

Fingerprints, iris/retina, palm prints, voice — these physiological characteristics are unique to each user. Once compromised, they cannot be changed as we do with passwords, codes, and tokens.

This has serious implications even after a breach happens just once: those innate characteristics can never be used safely for authentication again, and the people whose data is stolen are susceptible to identity theft.

You can still maintain both great UX and exceptional security standards!

While employing biometric authentication has its drawbacks, it should not be dismissed. It is easy to enhance security by making it a part of two-factor authentication.

This drastically improves safety, but still takes a bite out of the UX in turn — and failing to meet expectations in terms of good user experience might cost you too much.

That is where IPification jumps in to help you balance safety and convenience without having to sacrifice one for the other.
