Biometric authentication: five myths busted
This is a guest post by Sam Bakken, Senior Product Marketing Manager at OneSpan.
Biometrics are increasingly being used in mobile banking apps to secure the digital banking process while providing a convenient user experience. The technology is especially useful in the current COVID-19 era, as there has been a tremendous shift to mobile and online banking due to shelter-in-place orders. Recent surveys show that consumers are increasingly comfortable using biometric authentication to secure their digital banking transactions, with 65 percent of Americans saying they are willing to provide biometric information to their bank. Although consumers are embracing biometrics for digital banking, there are still some misconceptions about the technology, which can easily be dispelled.
Here are five common myths related to biometrics, and the truth that financial institutions and consumers alike should know:
Myth: Facial and fingerprint recognition are easily fooled by a static fingerprint or photo
Reality: Today’s biometric authentication systems include liveness detection to fight presentation attacks, or “spoofs”, which can be 3D-printed models, masks, printed images or replayed video. Liveness detection can be active, requiring the user to blink or turn their head on request, or passive, running behind the scenes and analysing the captured sample for signs that it did not come from a live person, such as the texture of paper, the pixel grid of a digital screen, or the cut-outs in a 3D-printed mask.
Active liveness checks are visible to the user, so an attacker can study the challenge and prepare a response for it; passive checks are faster, less intrusive and can apply more analysis to each sample. For sensitive use cases such as mobile banking, a solution that combines several anti-spoofing and liveness detection methods is a better fit than any single check, and the combination should be evaluated against the presentation-attack types listed above rather than assumed to cover them.
Myth: Biometric authentication provides a lower level of trust than login credentials
Reality: Biometric authentication can provide a higher level of trust than credential-based methods because a biometric cannot easily be shared or handed to someone else. Traditional authenticators such as passwords, PINs and the personally identifiable information (PII) used in knowledge-based questions are sharable, have been leaked or stolen in high-profile data breaches, and are sold on the dark web. Biometric authentication with liveness detection and anti-spoofing adds trust for a different reason: the fingerprint, face or other trait is presented live, by the person in the flesh, at the moment of authentication, so a stolen copy is not sufficient on its own.
Myth: Biometric authentication is an invasion of privacy
Reality: The facial comparison and recognition technologies used in mobile applications are opt-in: the consumer willingly enrolls in order to log in more easily or to add a layer of security to their account. This is different from the facial recognition deployments often reported in the news, where the technology is used in public spaces on people who have not consented to being monitored.
More importantly, one-to-one facial verification does not store raw photos for later identification. It creates a mathematical representation of the face (a template) at enrollment, keeps that template on file, and at login compares a freshly captured representation against it. The stored template is typically encrypted and, by itself, of limited use to an attacker, who would still have to present a live face to the sensor.
Biometric authentication does not rely on the secrecy of biometric traits (faces are visible and fingerprints are left on surfaces) but on the difficulty of impersonating the living person. What matters most is effective spoof detection, which is lacking in many device-native biometric systems.
Myth: Biometrics aren’t practical over the long run because technologies like facial recognition or fingerprint scans won’t work as a person ages and their features change
Reality: Some biometric markers, such as the iris, remain stable over time, while a person’s face or voice may change gradually. The timespan over which significant change occurs makes this a non-issue for most user authentication applications: consumers authenticate regularly, and small changes in their features are observed and absorbed by the application as they happen.
Some biometric authentication solutions are adaptive and update the consumer’s stored template after successful matches, so the template tracks gradual change instead of drifting away from the user. Users can often register a second fingerprint in case the first fails. A layered approach with multiple authentication factors remains the best practice, since no single biometric should be the only thing standing between an attacker and an account.
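The one-to-one comparison and the adaptive template update described in the last two sections, as an added example that is not OneSpan’s or Biometric Update’s code. The feature vectors are constructed stand-ins for the output of a real face or fingerprint feature extractor, which is assumed rather than provided; the thresholds are illustrative. The point a practitioner should take from it is the update rule: only a confident genuine match may move the stored template, so a rejected attempt can never walk the template toward an impostor.

```python
"""Added example: one-to-one template verification with adaptive update.
Embeddings are constructed vectors; a real system would obtain them from a
feature extractor and store the template encrypted at rest."""
import math
from dataclasses import dataclass

MATCH_THRESHOLD = 0.90    # cosine similarity required to accept a login (assumed)
UPDATE_THRESHOLD = 0.95   # only very confident matches may move the template (assumed)
UPDATE_RATE = 0.10        # how far the template moves toward a new sample (assumed)


def cosine(a, b):
    """Cosine similarity between two equal-length feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


@dataclass
class Enrollment:
    # The only thing kept on file: a feature vector, never the raw image.
    template: list
    samples: int = 1


def enroll(embedding):
    """Enrollment stores the mathematical representation, not the photo."""
    return Enrollment(template=list(embedding))


def verify(enrollment, embedding):
    """Compare a fresh capture against the stored template.

    Returns (accepted, score). On a highly confident match the template is
    nudged toward the new sample so gradual changes (ageing, a new scar) are
    tracked. Rejections and marginal matches never update the template, so an
    attacker cannot drift it toward their own features through repeated tries.
    """
    score = cosine(enrollment.template, embedding)
    accepted = score >= MATCH_THRESHOLD
    if score >= UPDATE_THRESHOLD:
        enrollment.template = [
            (1.0 - UPDATE_RATE) * t + UPDATE_RATE * e
            for t, e in zip(enrollment.template, embedding)
        ]
        enrollment.samples += 1
    return accepted, score


if __name__ == "__main__":
    # Constructed samples: the enrolled user, the same user months later with
    # slight drift, and two impostors.
    user = enroll([1.0, 1.0, 1.0, 1.0])
    print("drifted genuine:", verify(user, [1.0, 1.0, 1.0, 0.8]))
    print("template now:", user.template, "samples:", user.samples)
    print("impostor A:", verify(user, [1.0, -1.0, 1.0, -1.0]))
    print("impostor B:", verify(user, [1.0, 1.0, 0.0, 0.0]))
```

In production the thresholds would be set from measured false-accept and false-reject rates for the specific extractor, and the update should also be rate-limited (for example, at most one update per day) so that even a run of genuine logins cannot be abused to move the template quickly.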
Myth: Biometrics are only applicable if the user is already known
Reality: Behavioral biometrics, which analyse how a person interacts with the mobile device (typing rhythm, touch pressure, how they move through a form), can strengthen security and fight fraud even when the user is not yet known to the organization. In the case of an unknown user, such as someone applying for a new bank account, behavioral biometrics compare the applicant’s behaviour to what is typical for the wider population of legitimate applicants. The result is a probability-style similarity score: the higher the score, the less the organization has to worry about the applicant’s identity or intent; the lower the score, the more the session justifies additional layers of risk and fraud checks before the account is opened.
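The population comparison described above, as an added example that is not OneSpan’s code. The baseline statistics, feature names and the three sessions are constructed for illustration; a real deployment would derive the baseline from historical genuine sessions, use far more features, and feed the score into a broader risk engine rather than acting on it alone.

```python
"""Added example: scoring an unknown applicant's behaviour against a
population baseline. All numbers below are constructed, not real data."""
import math

# Constructed population baseline: (mean, standard deviation) of each feature
# over legitimate account-opening sessions. Assumed values.
POPULATION = {
    "keystroke_interval_ms": (180.0, 60.0),  # time between key presses
    "field_dwell_s":         (6.0, 2.5),     # time spent per form field
    "paste_fraction":        (0.10, 0.15),   # share of fields filled by paste
    "touch_pressure":        (0.45, 0.12),   # normalised touch pressure
}


def similarity_score(session, population=POPULATION):
    """Average per-feature closeness to the population, in [0, 1].

    Each feature's deviation is its z-score; exp(-z^2 / 2) maps a typical
    value to ~1.0 and a large deviation toward 0. A feature the session does
    not report at all (e.g. no touch pressure because a script filled the
    form) counts as fully dissimilar, which is the conservative choice.
    """
    if not population:
        raise ValueError("population baseline must not be empty")
    total = 0.0
    for name, (mean, sd) in population.items():
        if name not in session:
            continue  # contributes 0.0
        z = (session[name] - mean) / sd
        total += math.exp(-0.5 * z * z)
    return total / len(population)


def risk_tier(score):
    """Map a similarity score to the action an onboarding flow would take.
    Tier boundaries are assumed; tune them to observed fraud rates."""
    if score >= 0.7:
        return "low"      # proceed
    if score >= 0.4:
        return "medium"   # step-up: document check or extra verification
    return "high"         # hold for manual review / fraud investigation


def score_session(session):
    """Return (score, tier) for one applicant session."""
    score = similarity_score(session)
    return score, risk_tier(score)


if __name__ == "__main__":
    # Constructed sessions.
    typical_human = {"keystroke_interval_ms": 200.0, "field_dwell_s": 5.5,
                     "paste_fraction": 0.0, "touch_pressure": 0.5}
    heavy_paster = {"keystroke_interval_ms": 120.0, "field_dwell_s": 9.0,
                    "paste_fraction": 0.3, "touch_pressure": 0.6}
    scripted_fill = {"keystroke_interval_ms": 15.0, "field_dwell_s": 0.4,
                     "paste_fraction": 0.9}  # no touch data at all
    for label, s in [("typical", typical_human), ("heavy paster", heavy_paster),
                     ("scripted", scripted_fill)]:
        print(label, score_session(s))
```

Note what the score does not tell you: a low score says the session looks unlike the legitimate population, not that the applicant is a fraudster. That is why the article frames it as justifying additional checks rather than a denial, and why the tiers above route to step-up verification or review instead of an outright reject.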
Biometrics are a cornerstone technology enabling the future of digital banking, but they can be daunting to those unfamiliar with them. By dispelling the myths and misconceptions of biometrics, organizations such as financial institutions can help their customers feel more comfortable utilizing this technology to securely and conveniently conduct important transactions in digital channels in the COVID-19 era and beyond.
About the author
Sam Bakken is Senior Product Marketing Manager at OneSpan where he is responsible for the OneSpan mobile app security portfolio. Sam has nearly 10 years of experience in information security.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.
authentication | banking | behavioral biometrics | biometric data | biometric liveness detection | biometrics | digital identity | facial recognition | fingerprint biometrics | passive authentication | passive facial liveness | privacy | spoof detection