February 1, 2016 — Physical Biometrics Aren’t Effective in Web Commerce
Using a single physical biometric data point to authenticate a user is no different than adding a second, static password. Robert Capps, VP of business development at NuData Security, explains why non-identifying behavioral biometrics are more secure and more consumer friendly.
Forced to find effective ways to authenticate customers, companies are evaluating physical biometrics for web passwords. But in the mad rush for alternatives to fight account takeover, could we be making the problem worse?
Physical biometrics work best when the person being authenticated has physically presented themselves to the authenticating party, but these same biometrics quickly lose effectiveness in an online world.
Why? Because using a single biometric data point to authenticate a user is no different than adding a second, static password. In certain scenarios, it could even be worse: a stolen or leaked password can be reset; your fingerprint cannot.
High-quality reproductions of a fingerprint (a static image) or a recorded heartbeat (a set, basic pattern) can be captured and reused. They can also be stolen en masse, like the 5.6 million fingerprints stolen from the Office of Personnel Management last year. Even low-tech methods can produce results, like the infamous gummy bear hack for fingerprint scanners. There is also a very real threat of fraudsters going after individuals in person to obtain physical biometrics for nefarious activities – such fears are steering risk-averse companies away.
However, there are much less invasive biometrics available to forward-thinking organizations, ones that are more secure and more consumer friendly: non-identifying behavioral biometrics.
Think about how you use your smartphone to interact with a website or application. Do you realize that you have a unique way of holding your mobile device that’s different from other people, even if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or your thumbs to type? How hard do you press on the screen when you hit each key?
The full story is available at Payments Source.