And not just fingerprints, but all sorts of biometric identifiers: everything from voice recognition to iris scans, "selfie"-based facial recognition and more.
Unfortunately, while it’s true that no two biological fingerprints are alike, that doesn’t mean they can’t be replicated. In fact, it turns out that all it takes is a fingerprint copied using a regular old inkjet printer to fool your average smartphone. Not very smart at all, actually!
You can’t blame organizations for seeking out supplements and replacements for the standard old password or PIN, but let’s be clear: physical biometrics are no silver bullet.
The unfortunate reality of these biometric factors is that they were designed for a physical setting, where a trusted sensor checks that a live person is present. Once a fingerprint or a face becomes a stream of data sent over the network, the service on the other end receives a digital template, not the person. And when you consider how many of our daily transactions (purchases, banking and so on) now take place online, just how secure are physical biometrics?
Compromised biometric data can be used in a number of ways to access accounts without the user being present. The infamous gummy bear attack used against a newly released product with an embedded fingerprint scanner, for example, was a variation on a well-known physical hack against in-person fingerprint scanners dating back to 2002, in which a gelatin finger cast from a lifted print fooled the sensor.
There is a danger in the trend to include a physical biometric in multi-factor authentication: the real potential for criminals to shift their focus to obtaining the biometric identifier itself, by coercion or violence against its owner. For this reason alone, many companies are steering well clear of physical biometrics.
Fortunately, not all types of biometrics used to authenticate online interactions are the same. A much less invasive and more consumer-friendly technique leverages the signals generated by the way a human interacts with the world around them. Taken in aggregate, such behavioral signals are highly effective at recognizing repeat good users, are self-enrolling, and are tolerant of change, since the patterns a user presents naturally shift over a lifetime.
An illustration is in order here. Think about how you use your smartphone to interact with a website or application. Do you realize that you have a way of holding your mobile device that differs from other people’s, if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you type with your index fingers or your thumbs? How hard do you press on the screen when you hit each key? How long do you pause between keys?
Aggregating hundreds of these human and interaction signals creates a distinctive signature for each authentic user. This method is called behavioral biometrics. Using these subtle signals and signatures, organizations can identify when the account owner is not the one attempting to authenticate, even if the correct login and password are used from the authentic account holder’s own computer or mobile device.
Contrary to the physical biometric factors mentioned above, a behavioral biometric profile is not a single secret that can be stolen, duplicated and reused, so a copy of it has little value to criminals. The profile is a statistical description of many signals, and it is checked against fresh behavior on every interaction. Even if a high-fidelity copy of an authentic user interaction were made, the mere attempt to replay that past interaction would in itself be an anomaly: no human reproduces the same timings and movements twice, so an exact repeat of a recorded session is out of pattern for any human user and can be flagged as such.
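As an added illustration (this is example code written for this page, not code from the original post or from any vendor), here is a toy behavioral-biometrics scorer in Python that does what the two paragraphs above describe: it builds a self-enrolling profile from the signals of past sessions, scores a new session against that profile even when the device and password are correct, and treats a bit-exact repeat of an earlier session as a replay. The signal names, the per-signal variability floors, the thresholds and the sample sessions are all constructed assumptions for the demonstration; a production system uses hundreds of signals and learned models rather than four averages.

```python
# Added example (not from the original post): a toy behavioral-biometrics scorer.
# Signal names, thresholds and every sample session below are constructed for
# illustration; real systems use hundreds of signals and learned models.
from statistics import mean, pstdev

# Floor on the per-feature standard deviation (assumed values), so a handful of
# enrolled sessions cannot produce a brittle profile that rejects normal human jitter.
MIN_SD = {"flight_ms": 15.0, "dwell_ms": 10.0, "tilt_deg": 2.0, "pressure": 0.05}


def session(flight_ms, dwell_ms, tilt_deg, pressure):
    """One captured interaction: inter-key intervals and key hold times (ms),
    mean device tilt (degrees, negative = leans left) and mean touch pressure (0..1)."""
    return {"flight_ms": list(flight_ms), "dwell_ms": list(dwell_ms),
            "tilt_deg": tilt_deg, "pressure": pressure}


def features(s):
    """Collapse a session into one number per behavioral signal."""
    return {"flight_ms": mean(s["flight_ms"]), "dwell_ms": mean(s["dwell_ms"]),
            "tilt_deg": s["tilt_deg"], "pressure": s["pressure"]}


def build_profile(sessions):
    """Self-enrolling profile: mean and floored stdev of each feature over past sessions."""
    vectors = [features(s) for s in sessions]
    profile = {}
    for name in MIN_SD:
        values = [v[name] for v in vectors]
        profile[name] = (mean(values), max(pstdev(values), MIN_SD[name]))
    return profile


def anomaly_score(profile, s):
    """Mean absolute z-score across features: near 0 for in-pattern behavior,
    several for someone else's hands on the same device."""
    f = features(s)
    return sum(abs(f[n] - mu) / sd for n, (mu, sd) in profile.items()) / len(profile)


def is_replay(past_sessions, s, tol_ms=1.0):
    """A session whose raw timings match a stored one to within a millisecond is a
    replay: human keystroke timing jitters by tens of milliseconds, so an exact
    repeat of an earlier session is itself out of pattern."""
    for p in past_sessions:
        for key in ("flight_ms", "dwell_ms"):
            if len(p[key]) != len(s[key]):
                break
            if any(abs(a - b) > tol_ms for a, b in zip(p[key], s[key])):
                break
        else:  # both timing sequences matched within tolerance
            return True
    return False


def evaluate(past_sessions, s, threshold=2.5):
    """Decision for one new session: 'replay', 'out_of_pattern' or 'ok'."""
    if is_replay(past_sessions, s):
        return "replay"
    if anomaly_score(build_profile(past_sessions), s) >= threshold:
        return "out_of_pattern"
    return "ok"


def accept(past_sessions, s, window=50):
    """Fold an accepted session into the history so the profile drifts with the user."""
    return (past_sessions + [s])[-window:]


# Constructed enrolment data: five sessions from the genuine user (tilts slightly
# left, ~180 ms between keys, ~95 ms key hold, moderate pressure).
ENROLLED = [
    session([175, 190, 182, 168, 195, 178], [92, 98, 95, 90, 101, 94], -6.0, 0.55),
    session([180, 172, 188, 177, 191, 183], [96, 93, 99, 91, 97, 95], -5.5, 0.57),
    session([170, 185, 179, 174, 189, 181], [94, 97, 92, 96, 100, 93], -6.4, 0.53),
    session([184, 176, 190, 172, 186, 180], [90, 95, 98, 93, 97, 96], -5.8, 0.56),
    session([178, 183, 171, 187, 180, 176], [97, 91, 94, 99, 92, 95], -6.1, 0.54),
]
# Constructed test sessions: the genuine user again; a fraudster holding the same
# phone with the correct password (faster typist, tilts right, presses harder);
# and a bit-exact replay of the first enrolled session.
GENUINE = session([182, 174, 189, 179, 185, 177], [93, 98, 94, 96, 91, 97], -6.2, 0.56)
FRAUDSTER = session([118, 125, 112, 130, 121, 115], [58, 62, 55, 65, 60, 57], 4.0, 0.82)
REPLAYED = session(ENROLLED[0]["flight_ms"], ENROLLED[0]["dwell_ms"], -6.0, 0.55)

if __name__ == "__main__":
    profile = build_profile(ENROLLED)
    for label, s in (("genuine", GENUINE), ("fraudster", FRAUDSTER), ("replayed", REPLAYED)):
        print(f"{label:10s} score={anomaly_score(profile, s):.2f} -> {evaluate(ENROLLED, s)}")
```

Two design points carry over to real deployments: the decision is made against fresh behavior every time (there is no stored secret whose theft unlocks the account), and the replay check fires precisely because a copied session agrees with history too well, which is the anomaly the text describes.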
In addition, this kind of data collection is frictionless for the user; they do not have to enter, enroll in or provide any additional information to a website or application to benefit from its protection. They simply keep doing what they are used to doing: interacting with the sites and services as they always have. A truly seamless experience.
There’s no question that more secure authentication methods are needed today. Physical biometrics seem like a good idea, until you realize that they can be digitally stolen and reused fraudulently, and that, unlike a password, a fingerprint or face cannot be revoked or replaced, leaving its owner with no recourse. Fortunately, behavioral biometrics has emerged as a reliable alternative for online user authentication. Data collection is non-invasive, and a captured interaction cannot simply be replayed to fake the data, creating an authentication process that reduces risk for both the company and the user.