What’s the difference between biometric authentication and identity verification?
This is a guest post by Aman Khanna, VP of Products at ThumbSignIn.
By this point, anyone who’s ever used their fingerprint or FaceID to unlock their phone or log into their bank account is familiar with biometric authentication. It takes biological traits, like a fingerprint, facial features, iris scan or others, and uses it to establish a user’s identity by comparing it to identity markers in a previously stored template.
However, there is a misconception that biometric authentication automatically translates into identifying exactly who the user is. In reality, there’s a lot more to identity verification than just being able to match a set of biometrics. One of the biggest issues is the ability to correlate those metrics to a source of real-world identity that has been established and verified by an authority, like the government. That’s where identification verification comes in. While biometric authentication might indicate that a person trying to authenticate has the same biometric markers as the person already in the system, identity verification can help conclusively prove that the person is who they say they are out in the real world.
How does identification verification work?
Traditionally the most common way identity verification has been done is by manually comparing a valid real-world identity document such as a passport or a driver’s license with the physically present person. With the maturation of technologies like face recognition, it has become possible to reliably automate such processes. One example of identification verification is a biometric selfie. A biometric selfie would require a user to take a selfie while holding their government-issued driver’s license along with a picture of the license itself. When both images are uploaded, the system would then use facial-recognition software to recognize that the photo of the person in the selfie is the same as the photo of the person in the ID, thus establishing the person’s official, government-recognized identity.
When is identification verification necessary?
An everyday use case scenario for identification verification is when a consumer opens a new bank account or joins a company as a new employee. Another would be a specific financial transaction, like transferring money from one account to another or sending money overseas through wire transfers. Many times, financial institutions expect users to prove their identity through a valid government-issued ID to comply with anti-money laundering (AML) requirements. Account recovery is another common scenario for identity verification. If a hacker has gained access to a user’s bank account and locked them out of it, valid identity verification could help them regain access.
Another situation where identification verification isn’t currently utilized, but which could have a lot of potential for use, is on social media. Today, anyone can go on Facebook, create an account with a random picture, and start connecting with other people under a fictitious name, possibly committing various fraudulent acts. If social networks instead required a valid government-issued ID to create an account, it could eliminate a lot of fake accounts, thus significantly reducing the number of bot and phishing attacks.
The standardization of ID verification
Thanks to the FIDO Alliance, the standardization of biometric authentication has been pretty firmly established, with biometric capabilities now being built into every major browser, including Firefox, Edge, Chrome, and Safari. The same sort of standardization has yet to be established for identity proofing. However, the FIDO Alliance is actively working to define those standards with a new initiative and working group. These standards will hopefully take effect over the next few years across a wide variety of use cases in various industries.
There’s more in store: digital credentialing
Identity verification is only one of the exciting possibilities that new emerging technologies can enable. Apart from this, a lot more work is being done in the adjacent field of digital credentialing which has the potential to fundamentally transform the way we conduct many important transactions in our daily lives. Cryptographic credentialing allows an agency to grant a set of digital credentials to a user and let a different agency verify those credentials digitally. For example, let’s say a parent needs to register their child into the public school system, which typically requires proof of address along with proof of identity issued by the DMV or a bank. With standardization, these separate entities could seamlessly communicate with one another, allowing the school to gain identity verification from the DMV electronically. Similarly, an employer looking to hire a new employee could possibly verify the education credentials issued by a university to that individual. Such credentials are reliable, tamper-proof, efficient and enable a seamless user experience for all parties. Needless to say that such technologies can have a huge impact on all aspects of our lives. The key of course if for these to be standardized and agreed upon by all parties to be of real value
Biometric authentication vs. verification: which one to use?
An organization needs to consider several factors when deciding whether identity verification is right for them. For example, a bank might require that any time a customer is completing a financial transaction or a foreign exchange transaction, they provide a biometric selfie for identity proofing.
At the same time, security must be weighed against the user experience, because it’s not very convenient to pull out an ID and take a selfie every time a banking transaction is performed. A more likely scenario is that once onboarding has occurred via identity verification, then a user will be allowed to fall back on regular biometric authentication for further transactions within the system. Each organization has to take a balanced approach, weighing the sensitivity of the transaction being performed against the need for a frictionless user experience.
Together, biometric authentication and identity verification can help create a more secure world in an increasingly electronic age.
About the author
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of Biometric Update.