By Amir Nooriala, CCO at Callsign
Apart from the long-term impact on our society, the COVID-19 pandemic will leave many other legacies. One of those is the question of how we authentically verify online identities.
When we moved online, authentication processes from the physical world were digitized rather than re-designed for the digital world. The processes businesses digitized lack security, are cumbersome and don’t preserve privacy. And the rise in online fraud, scams, social engineering and synthetic identities over the last year has shown us just how broken the process is – our digital identities are clearly broken.
Solving this issue is the key to fast and sustained economic recovery across the globe. But how do we start?
We’ve recently seen various governments, regulators and private sector organizations seek to enhance online customer authentication through legislation like the digital identity bill, regulation and more robust technology and processes.
Often these measures leverage different forms of biometric technology to assist with the difficult task of reliable identity verification, and while physical biometrics can certainly improve the process, it’s hardly a quick fix.
Businesses, governments and consumers need to be cautious when adopting the technology for many reasons:
- Computer says no
Physical biometrics – facial recognition or fingerprints – works by asking a closed question: Is this the user’s face? Is this the user’s fingerprint? Yes or no. And while a user can move their finger around when reading on a phone, it can be difficult and time consuming to get facial readers to work. If biometrics is the only method of authentication and the computer doesn’t recognize you, what happens next?
- Technology bias
Authentication solutions need to work for everyone, and the use of biometric technology can exclude pockets of the population and perpetuate inequality through racial or religious bias and technology elitism.
- Security limitations
There are security limitations around facial biometrics that use simple photos and one type of biometrics on its own to authenticate people. Knowing this limitation, fraudsters will falsely claim their biometrics methods are broken just to circumvent the authentication process.
- Appropriate or inappropriate friction
While most businesses aim to offer consumers a friction-free process, there are some cases where friction is needed. Depending on when biometrics is used, it can add unnecessary friction to the consumer journey. In certain situations, like opening a new bank account, consumers understand that they will need to verify their identity, so using biometrics here is an appropriate authentication method. However, if a facial ID is required each time you buy something from an online retailer, you’ll likely take your business to another vendor where it is easier and faster to make a purchase.
Technology usually becomes ubiquitous when consumers understand how and why it’s used. For example, a Facial ID is used on many modern smartphones to access apps and services on the phone. The concept of biometrics as a unique identifier is well understood by consumers, but perhaps not well enough. Biometrics as a form of authentication is intrusive, as it often ends up invading people’s privacy. Biometrics uses Personally Identifiable Information (PII), so permission is required to collect, store and process this in many countries. As a result, most people will choose not to authenticate themselves with this form of identification because they will want to know how their data is being used. This challenge is potentially the biggest barrier to a large-scale adoption of biometrics as authentication methods.
So, with these issues in mind, what tools can we rely on to seamlessly authenticate people online? The answer lies with behavioral biometrics.
Behavioral biometrics (such as how someone holds and swipes on their phone, types in their password, or moves a mouse on a computer) provides privacy-preserving, frictionless, accessible, and inclusive methods to authenticate users in robust and failsafe ways.
So, what exactly differentiates behavioral biometrics and why is it vastly superior to physical biometrics? What makes them ideal for governments, regulators and businesses desperately trying to balance security and user experience?
- Technology equity
Unlike physical biometrics, behavioral biometrics works across multiple devices and machines. Users only need a basic smartphone, keyboard or a mouse, so the cost of highly specialized technology is not a barrier for adoption. Behavioral biometrics profiles are also device agnostic. This is useful if a consumer loses their phone and needs to re-register for online services. Even though it’s a new device, a consumer can download all their apps and get going straight away because their behavior remains exactly the same. With physical biometrics, by contrast, the user will need to re-enroll for the biometrics service by repeating the registration process, such as capturing facial biometrics at different angles of the user’s face.
- Contextual data
Behavioral biometrics considers millions of contextual data points to verify if the user is genuine. So, while a user and their device might be in an unusual location – on vacation for example – how they swipe on their phone can be used to accurately identify who they are. Layering intelligence from multiple sources means there isn’t a single point of failure in the authentication process when using behavioral biometrics. As an added bonus, while behavioral biometrics looks for characteristics of genuine users, it can also recognize typical fraudster behaviors encountered previously – perhaps simultaneous login attempts on multiple devices.
Suddenly, you’ve now got fraud behavioral patterns to work with. For example, it’s unusual for genuine consumers to copy and paste their email address or password in an authentication process.
- Friction free
Behavioral biometrics is passive, which means it doesn’t add friction to the user journey. Data such as typing speed and pressure when inputting a username and password are analyzed in real time during an online journey, which means no extra steps are required as with physical biometrics. This makes behavioral biometrics useful at any point in the consumer’s journey, whether at the time of login or downstream when they are making purchases or payments.
Therefore, rather than a customer having to complete a step-up authentication with friction, the user would be passively authenticated by simply using the service ‘as is’ today, removing the need for unnecessary friction.
- Robust security
While it is possible for a fraudster to steal physical biometrics for their own use, it is much harder for bad actors to replicate and mimic genuine user behaviors. The way an individual interacts with their devices online is unique, and if the behavior doesn’t match the consumer’s usual patterns (for example typing with one finger) additional authentication methods can be introduced.
- Prevent the privacy tsunami
By its very nature, behavioral biometrics can be a privacy-preserving, non-intrusive way to authenticate users. Using the contextual data points of a consumer’s behavior, the data can be obfuscated, allowing the identity of the user to be authenticated without knowing or accessing any PII data and so preventing the privacy tsunami that is clearly just beginning.
When considering the points above, it’s easy to see why behavioral biometrics are a better authentication method than their physical counterparts to fix digital identity. The technology itself is easy for consumers, businesses and governments to use, but more importantly, once consumers understand that behavioral biometrics doesn’t use or store their personal data, we’ll see far less adoption hesitancy.