What is finger vein biometrics?
Finger vein biometrics identifies a user based on the vein patterns in their fingers, which are unique to every person. It is also known as vascular biometrics, as the identifiable information is from the blood vessels beneath your skin. The magic behind it is that the haemoglobin — the iron-containing protein we all have in our blood — changes colour when it is exposed to near-infrared light or visible light. As a result, the reader can scan the user’s unique pattern of veins. The vein pattern is digitised, encrypted and securely stored on the server side.
How does finger vein biometrics work in practice?
While all this sounds amazing, how does it work for a real person in a real situation? Let’s say Sarah wants to make a money transfer online. As with all biometrics, the first step is enrolment, which consists of reading your hand and storing that encoded information in a database (server side). I’ll point out here that your finger vein pattern is never stored – only a mathematical representation of it. From then on, Sarah will just wave her hand in front of a webcam to authenticate to the internet service and complete the money transfer. Simple and secure.
Finger vein biometrics has been in use for more than a decade for access control systems (people entering a building) and at ATMs (people withdrawing money), though in both cases by using a near-infrared reader device. When the world became as connected as it is today, finger vein biometrics proved its versatility and brought all its power to identify people on internet services.
Internet services can use finger vein biometrics either as the main authentication method or as a second factor method (multi-factor authentication/MFA). An example of MFA would be a user signing in with a password or social media login (first factor), but also needing to complete finger vein authentication (second factor) in order to gain access, increasing security.
Main benefits of finger vein biometrics
Finger vein biometrics also has numerous further benefits; these are the ones that I consider to be the top five:
- No special hardware required. (Again – specific to Hitachi VeinID Five.) The 720p camera you have in almost every smartphone or laptop is sufficient to read your vein patterns, saving a lot of money for people and organizations compared to requiring any specialized reader hardware.
- Finger vein patterns are perennial. Finger vein patterns remain the same for many years; they don’t usually change. As a result, users don’t need to re-enroll down the line.
- Personal data is never stored. In these times of many data breaches and cybercrimes, it is critical that personal data is well protected. Finger vein biometrics handles only a mathematical representation of the personal data (finger vein pattern). This information is securely transmitted to the identity repository (CIAM system) and stored encrypted. No data is stored on the device, so if the device is stolen your biometrics are safe.
- Unlikely to be forged. As the captured image of the finger veins is never stored, nobody can steal, copy and forge your unique pattern to impersonate you. This is very different to a password, which can easily be guessed/stolen.
- No physical contact needed. Unlike fingerprint biometrics, there’s no need to touch any surface. Authentication is complete with a ‘wave’ to the camera. Finger vein biometrics is a hygienic method for today’s Covid and the post-Covid world.
Finger vein biometrics vs. fingerprint biometrics
So how different is finger vein biometrics to fingerprint biometrics? You might be thinking, my smartphone or laptop already has a fingerprint reader, and a few mobile apps already use it to authenticate me; isn’t the problem already solved?
Certainly, fingerprint authentication is already available both in mid-range smartphones and in high-end laptops. But although fingerprint biometrics also reads biological traits of our fingers, the method is much less reliable. Let us analyze this from three perspectives:
- Fingerprint biometrics is controlled by the device manufacturer (e.g. Apple, Lenovo, Samsung) and not by the application or the authentication service. Applications have to trust whatever the phone or laptop sends as the authentication response. The company or organization that owns the application does not have any control of the reliability of the verification. Contrastingly, finger vein biometrics are tied to an individual and not a device (and therefore can be used across multiple devices).
- Built-in phone biometrics were designed for convenience, not for strong security. The accuracy of biometric methods can be measured, and fingerprint recognition shows a high false rejection rate (FRR) and low false acceptance rate (FAR). In contrast, finger vein biometrics has both a superior FRR and FAR.
- Fingerprints can be forged – easily copied and later used to impersonate an individual. When a person touches a surface, their fingerprint is often left behind and criminals can copy it in order to steal the person’s identity. These leaks are not possible with finger veins, which again makes the duplication risk (and therefore unauthorized service access) extremely low.
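As an added example (not from the original article), the following Python sketch shows how the FAR and FRR mentioned in the list above are computed for a biometric matcher at a chosen decision threshold, and how moving the threshold trades one against the other. The similarity scores are constructed for illustration and are not measurements of any fingerprint or finger vein product; the function names are hypothetical.

```python
# Constructed similarity scores in [0, 1]; higher means "more alike".
# GENUINE: comparisons of a user against their own enrolled template.
# IMPOSTOR: comparisons of a user against someone else's template.
GENUINE = [0.91, 0.88, 0.95, 0.62, 0.84, 0.79, 0.97, 0.58, 0.90, 0.86]
IMPOSTOR = [0.12, 0.35, 0.41, 0.66, 0.28, 0.19, 0.73, 0.30, 0.22, 0.47]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted as a match.

    FAR: fraction of impostor comparisons wrongly accepted.
    FRR: fraction of genuine comparisons wrongly rejected.
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """Evaluate every candidate threshold; returns (threshold, FAR, FRR) rows."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def equal_error_point(genuine, impostor, thresholds):
    """Row where FAR and FRR are closest: the approximate equal error rate."""
    return min(sweep(genuine, impostor, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    candidates = [0.5, 0.6, 0.65, 0.7, 0.8]
    for t, far, frr in sweep(GENUINE, IMPOSTOR, candidates):
        # Raising the threshold lowers FAR (security) but raises FRR (friction).
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR, candidates))
```

When comparing two biometric methods, both rates have to be quoted at the same operating point, since either one can be driven to zero on its own by moving the threshold.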
Finger vein biometrics use cases
As of 2021, many internet services still lack a secure and convenient way of identifying users. The market needs a solution like this. Nearly every person now has a mobile phone with a 720p camera (or better!). That’s a massive advantage for finger vein biometrics.
Finger vein biometrics is a formidable authentication method. However, its full power is unleashed when combined with Customer Identity and Access Management (CIAM). Let’s review three of these real-life scenarios.
Use case 1: Confirm a payment
A lot of financial services now have mobile apps. With many, you can open an app on your phone and quickly authenticate yourself by means of a password, or with your social media login. This is convenient to quickly check your account balance, or check if a refund has been credited etc. However, if you’re going to complete a higher-risk transaction – e.g. transfer money or make a big payment – you want to make sure that this is secure. Such a transaction requires stronger authentication than your password or social media login, so you can ‘step up’ the authentication to require finger vein biometric authentication at this point only. This reduces friction for simple tasks, while better securing high risk tasks.
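The step-up flow in this use case, as an added example that is not part of the original article: a server-side check that allows low-risk actions on a password or social login but demands a recent finger vein authentication before a transfer. The assurance levels, freshness windows, action names and the `authorize` function are assumptions made for illustration, not any CIAM product's API.

```python
from dataclasses import dataclass, field

# Assumed assurance level per authentication method (illustrative values).
ASSURANCE = {"password": 1, "social_login": 1, "finger_vein": 2}
# Assumed policy: action -> (minimum assurance level, max age of that auth in seconds).
POLICY = {
    "view_balance": (1, 3600),
    "transfer_money": (2, 300),
}
# Factor the client is asked to complete when the session falls short.
STEP_UP_FACTOR = {1: "password", 2: "finger_vein"}


@dataclass
class Session:
    user: str
    # method -> timestamp (seconds) of the last successful authentication
    auth_events: dict = field(default_factory=dict)

    def record(self, method: str, now: int) -> None:
        self.auth_events[method] = now


def authorize(session: Session, action: str, now: int) -> str:
    """Return 'allow', 'deny', or 'step_up:<factor>' for the requested action."""
    if action not in POLICY:
        return "deny"  # unknown actions fail closed
    level, max_age = POLICY[action]
    for method, ts in session.auth_events.items():
        strong_enough = ASSURANCE.get(method, 0) >= level
        fresh_enough = now - ts <= max_age
        if strong_enough and fresh_enough:
            return "allow"
    # No factor on the session is both strong and recent enough.
    return f"step_up:{STEP_UP_FACTOR[level]}"


def demo():
    """Constructed walk-through: Sarah logs in, checks her balance, then transfers."""
    s = Session("sarah")
    s.record("password", now=0)
    steps = [authorize(s, "view_balance", now=60),
             authorize(s, "transfer_money", now=60)]
    s.record("finger_vein", now=70)  # she completes the finger vein check
    steps.append(authorize(s, "transfer_money", now=100))
    steps.append(authorize(s, "transfer_money", now=500))  # too old, ask again
    return steps


if __name__ == "__main__":
    print(demo())
```

The freshness window is what keeps a single finger vein check at login from authorizing a transfer made much later from an unattended session.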
Use case 2: Identity delegation
In this scenario, an administrator user gives power (delegates authority and access/rights) to another user to accomplish a task or take over a role. But before the second user takes this power, they have to prove their identity using strong authentication. This is where finger vein authentication comes into play. A remote employee receives an invitation to take the role of ‘purchasing assistant’ in an e-commerce service. They will first use finger vein biometrics to enroll in the system, then in the future they will complete purchases (according to the level of rights delegated to their identity) by holding their hand up to the camera and authenticating with finger vein authentication.
Use case 3: Single Sign-On (SSO)
Today it is very rare that an organization has just one internet service. The opposite is commonplace: many web services and mobile applications from one organization. Using single sign-on with finger vein biometrics would allow users to seamlessly use SSO to easily switch between a financial planning application, an e-commerce site and another application without a new login. They don’t need a different set of credentials for each service. SSO is particularly powerful for financial services as it allows customers to be strongly authenticated and ready to access several services with one authentication.
Try finger vein biometrics for yourself
Overall, finger vein biometrics is a reliable and convenient authentication method that beats fingerprint biometrics and other authentication methods.
Our showroom address:
601 MacPherson Rd, #05-01 Grantral Complex, Singapore 368242
Operating Date & Hours:
Weekdays: 9 am to 6 pm.
Saturday: 10 am to 5 pm (appointment required)
You may check out our finger vein recognition digital door locks: https://www.fullsmart.com.sg/collections/finger-vein-recognition-digital-lock
Santolalla O. The ultimate guide to finger vein biometrics: VeinID. Ubisecure Customer Identity Management. Published online March 30, 2021. https://www.ubisecure.com/authentication/finger-vein-biometrics/