Myth Busting on Biometric Authentication

Biometric authentication is seeing rapid growth as the technology protects consumers with real time security, but without compromising their user experience.

In the financial sector, where the majority of interactions are high value, biometrics such as fingerprints and facial recognition have become essential as a means of preventing fraud. Juniper Research expects that biometrics will be used for more than 18 billion transactions by 2021, representing an annual growth rate of 84% compared to 2016.

With the COVID-19 pandemic accelerating digital banking adoption due to global lockdown restrictions, biometric authentication is set to take center stage as a means of securing customers and verifying identity.

However, misconceptions around the security of these technologies, as well as how they can be integrated into existing processes, could present a barrier to overall adoption by both banks and consumers alike. Here, we’ll debunk five of the most common myths and demonstrate the reality of how biometrics can keep us more secure.

Myth: Facial and fingerprint recognition are easily fooled by a static fingerprint or photo

Reality: Today’s sophisticated biometric authentication systems include both active and passive liveness detection capabilities that can identify whether the presented biometric trait is from a live human, or a digital or manufactured representation, such as a photo or 3D-printed model.

Active liveness detection requires a user to blink or turn their head, whereas passive liveness detection runs behind the scenes to detect signs that what’s being presented isn’t from a live person, such as cutouts in a 3D-printed mask, paper or digital screens.

Because active liveness detection methods are more visible, they can be easier for an attacker to study and circumvent. Passive liveness detection, however, is faster and less intrusive and includes more advanced techniques for identifying spoof attacks -- making it the better choice in most modern deployments.

Myth: Biometric authentication provides a lower level of trust than login credentials

Reality: Biometric authentication with liveness detection and anti-spoofing technology offers additional trust because the fingerprint, face, or other biometric is presented live and connected to the in-the-flesh individual.

Furthermore, unlike credential-based methods such as passwords, PINs and personally identifiable information (PII), which can be leaked, stolen and sold on the dark web, biometrics cannot easily be shared, providing a greater level of trust.

Regarding remote/cloud access use cases, Gartner projects increasing adoption of third-party face, voice and other modes in these use cases, especially in support of access from mobile devices, as third-party methods offer higher trust and accountability than device-native methods.

Myth: Biometric authentication is an invasion of privacy

Reality: The type of facial comparison and recognition technologies used for remote/mobile authentication are opt-in use cases, where a consumer willingly enrolls in the system to allow easy account login or add an additional layer of security. This is very different from facial recognition technologies reported in the news, where the technology has been used in public spaces without people giving consent to being monitored.

More importantly, one-to-one facial recognition does not store raw photos for purposes of identification but rather creates a mathematical representation of the face. That representation is kept on file for comparison when the user logs in. That representation is typically encrypted and essentially useless to an attacker.

Myth: Biometrics aren’t practical over the long run because technologies like facial recognition or fingerprint scans won’t work as a person ages and their features change

Reality: Biometric markers like a person’s iris remain fairly stable over time, while a person’s face or voice may change slightly. With that said, the timespan over which significant changes to a person’s biometric markers occur makes this a non-issue for most user authentication applications. Some biometric authentication solutions are dynamic and regularly update the consumer’s stored biometric template to track changes as they happen. Often, users can also register a second fingerprint in case the first fails. A layered approach to security with multiple authentication factors is always the best approach.

Myth: Biometrics are only applicable if the user is already known

Reality: Whereas biometric authentication uses an individual’s unique characteristics to confirm their identity, there are also other uses for biometrics that can help businesses strengthen security and fight fraud, such as behavioral biometrics. Behavioral biometrics analyze the user’s actions, measuring the way a user interacts with their device to continuously verify their identity. This can include measuring the user’s data input, capturing movement within a site or app, as well as their interaction with the device, such as finger pressure, swipe patterns and keystroke dynamics.

Behind the scenes, behavioral biometrics analyze the consumer’s interactions with the device in comparison to a previously developed user profile or “behavioral fingerprint.” In the case of an unknown user, like when someone applies for a new bank account, behavioral biometrics can compare the consumer’s behavior to what is typical for a wider population. In this way, behavioral biometrics can be used to evaluate the probability that a new applicant is performing the actions of a legitimate user.

The higher the similarity score, the less the organization has to worry about the user’s identity or intent. The lower the similarity between a consumer’s behavior and that of comparable populations, the more justified additional layers of risk and fraud detection become.
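As an added illustration (not code from the article or from any product it describes), the following Python sketch scores a constructed keystroke and touch sample against a behavioral baseline, either a known user’s profile or a population baseline for a new applicant, and maps the similarity score to the tiered response the paragraphs above describe. Feature names, baseline numbers, the scoring formula and the thresholds are all assumptions made for the example.

```python
"""Added example: similarity scoring of a behavioral-biometric sample
against a baseline, and mapping the score to a risk tier.
All feature names, numbers and thresholds are constructed for illustration."""
from math import exp
from statistics import mean, pstdev

# Constructed baseline: per-feature (mean, std dev). For a returning user
# this would be their "behavioral fingerprint"; for a new applicant it is
# a population-level baseline built from many legitimate users.
POPULATION_BASELINE = {
    "dwell_ms": (95.0, 20.0),         # how long a key is held down
    "flight_ms": (140.0, 45.0),       # gap between consecutive keystrokes
    "swipe_speed": (1.2, 0.4),        # screen units per second
    "finger_pressure": (0.55, 0.15),  # normalised touch pressure
}

def similarity_score(sample, baseline):
    """Return a score in (0, 1]: 1.0 means every feature sits exactly on the
    baseline mean; the score decays as features drift (in std devs) from it."""
    zs = [abs(sample[f] - mu) / sigma for f, (mu, sigma) in baseline.items()]
    d = sum(z * z for z in zs) / len(zs)   # mean squared z-distance
    return exp(-d / 2)                     # bounded, 1.0 at zero distance

def risk_tier(score, low=0.3, high=0.7):
    """Map similarity to an action: high similarity passes, middling similarity
    adds a verification layer, low similarity escalates to fraud review."""
    if score >= high:
        return "allow"
    if score >= low:
        return "step_up"
    return "escalate_fraud_review"

def build_profile(samples):
    """Build a per-user behavioral fingerprint (mean, std dev per feature)
    from several enrolment sessions; a tiny floor avoids division by zero."""
    profile = {}
    for feature in samples[0]:
        values = [s[feature] for s in samples]
        profile[feature] = (mean(values), pstdev(values) or 1e-6)
    return profile

if __name__ == "__main__":
    # Constructed sample that is one std dev off on every feature.
    drifting = {"dwell_ms": 115.0, "flight_ms": 185.0,
                "swipe_speed": 1.6, "finger_pressure": 0.70}
    s = similarity_score(drifting, POPULATION_BASELINE)
    print(f"score={s:.3f} tier={risk_tier(s)}")
```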
