September 3, 2015
This is a guest post by Ryan Wilk, director of customer success at NuData Security
Biometrics is the next step in security across all disciplines, but there’s a clear line between biometric methods used to secure physical spaces and persons, and biometric methods that can be used for online security.
Fingerprint and iris scanners work well in office buildings, government complexes, and large airports because they are hard-wired, monitored and nearly impossible to spoof. These are common checkpoints people have to pass through physically to be granted entrance. The “customers,” in this case, come to us.
But when the interaction takes place in a digital environment, when a person attempts to access a website and we have to determine if they are a legitimate user, we in essence are coming to them – and they have hundreds of possible digital configurations to contend with. The only technology you can be sure they have is a screen, a keyboard (real or virtual) and an Internet connection.
How can we get the rock-solid assurance of a biometric check, keeping in mind that the very way the user accesses a website will be nearly unique to each user? On top of feasibility, we have to do our best to make sure whatever measures we decide to use don’t increase customer friction – something guaranteed to make users bail on your website and service entirely.
So what have we come up with?
The biggest contender right now is Two-Factor Authentication (or 2FA). While not biometric, 2FA requires two separate pieces to authenticate, be it a physical object, secret info, or a physical characteristic of the legitimate user. In a sense, using your bankcard at an ATM is 2FA – requiring both the card (object) and your PIN (secret info). In online security, this normally means tying an account login to another device, like your cell phone, but many customers balk at two-factor used this way, either not having a cell phone to use or not being willing to share that information with a third party.
Some companies still reach for the same surety of face-to-face verification, MasterCard among them. This past July, they started testing a new way to verify identity, one that they hope won’t add too much friction and may instead draw younger users — selfies. It’s still in the pilot project stage, being tested with 500 cardholders, but these companies say that a selfie used for authentication can be both accurate and fun. Yet the selfie runs into some of the same issues that 2FA has. Not everyone has a cell phone and not everyone wants to take a picture to be authorized. There are legitimate privacy concerns, as well.
Fingerprint scanners are small and accurate enough to be built into mobile devices these days, and have been built into high-end computers and phones for the last few years. But once again we run into the same issues with accessibility to the technology – it’s far from universal – and worse, it can be fooled with relatively low-tech techniques. These mobile scanners are still in their infancy, and can’t be a sole solution now.
All of these solutions still cause customer friction – either by asking for more information on the part of the user or requiring extra steps or extra technology. The gains in security do not make up for the customer friction they cause. How then can we leverage biometric data to greater effect?
Instead of a binary, physical check – for an item, an image or a fingerprint – we need a biometric tool that studies an aspect of the user that can’t be stolen, spoofed or hacked: behavior. That means measuring user behavior when they are on your website, whether that’s how fast they type, how often they mistype, or even how they navigate through your site. These passive measurements are device agnostic, cannot be replicated, and remain anonymous. With user behavior analytics you have an effective solution available right now. Best of all, there is nothing extra the user has to do – behavioral analytics is completely friction free.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are those of the author, and don’t necessarily reflect the views of BiometricUpdate.com.