
Deciding on Biometrics? Considerations for Organizations

Customer friction and dynamic data are key in choosing between biometric solutions

Adopting biometric authentication: Considerations for organizations

It’s no surprise to those in the security industry that the quest for securing digital transactions is increasingly complex. Cybercriminals are employing sophisticated techniques to impersonate real customers, going so far as using automation that looks like human behavior. Biometrics is a global buzzword, and biometric solutions are either being implemented or considered by a wide variety of organizations to help authenticate customers for online activity. However, the difference between physical and behavioral biometrics is not well understood, and each method has its unique characteristics to consider.

Passive, behavioral biometrics – dynamically generated

Passive biometrics help organizations verify their customers’ identity using their natural behaviors while interacting online. The continuous, non-intrusive authentication solution is invisible, requiring no pre-enrollment, and the user is not required to perform any additional actions during the process other than what they are naturally offering as they go about their journey. Behavioral data from these interactions is analyzed in real time to provide confidence assessments of user risk that help companies thwart would-be intruders and attacks. No personally identifying information (PII) is stored, and the data is never available in a form that would be useful to a hacker. Passive biometrics is a significant advance in the evolution of identity verification that can add new depth and security to the organization’s authentication framework by substantially reducing its risk during the entire account lifecycle.

Physical biometrics – static data at rest

Physical biometrics add to the authentication process by providing additional valuable data about the customer that we can use to help understand who they are. These biometrics are unique to the individual and can, particularly when used in conjunction with other data points such as device and geolocation, offer a powerful set of identity information.


Physical biometrics check for things that you have while passive biometrics verify things you do.

The challenge is that in amassing physical biometric data such as fingerprints, retinal patterns, facial recognition, etc., the data must be stored. Biometric data is often a scanned image or a recording that is in a consumable form while at rest, ready to be accessed by the authenticating software. Storing static physical biometric data poses a risk for companies that must guard physical biometric information against breaches and intrusions. Multiple data breach reports over the last three years have shown that most information security barriers can and will be overcome if a hacker is determined enough. Once stolen data is available on the Dark Web, it’s likely to be permanently compromised, producing a lifetime of risk for the customer, who is unable to alter this data (unlike username and password data). For example, the risk is certainly real for 21 million federal employees. These US Office of Personnel Management (OPM) workers had their personal biometric data stolen from the OPM database, including the fingerprints of five million employees, many of whom had secret clearance levels and were high-value individuals.

Physical biometrics can present other concerns that aren’t raised by passive behavioral biometrics. For one thing, it’s not always appropriate (or particularly dignified) to conduct selfie authentication in professional and public situations. Secondly, physical biometrics can create significant friction for customers, especially during the enrollment phase, where customers are often required to perform several actions on the device to register it for the biometric authentication program. Thirdly, biometrics are at risk for spoofing and mimicry. It’s relatively easy to steal a fingerprint online using HD photography, inkjet printers and even wood glue. This handy wikihow can even walk you through the process. Liveness testing such as heat, movement, and blink detection augmentations will help biometric technologies reduce their vulnerability in the long term; however, most of the additional improvements are still in development, and it will be some time before they come to market.

With organizations turning to identity verification to support increasingly complex, risk-laden modes of non-face-to-face transactions, the choice of multifactor authentication methods is ever more important. Making the right decision means taking into consideration both the friction consumers will experience when interacting with the authentication test (which users interpret as your brand experience) and the risk tolerance profile of your organization.
