Human Biometrics in Online Authentication: Risks and Options

by Robert Capps

The password isn’t dead – it just can’t be the sole means of online user authentication anymore, because a deluge of breached data has let loose millions of login credentials onto the black market. Those stolen credentials have spawned a huge wave of account takeovers. To stop rising fraud rates, merchants and financial institutions have for the most part deployed unwieldy and consumer-unfriendly security techniques that fail to catch all the fraud that is occurring while wrongly flagging good users. Companies have to move on from static, reusable data when authenticating. But how?

The search for meaningful alternatives has sparked increased interest in the use of physical biometrics for authentication. Unfortunately, the term biometrics has become an industry buzzword that encompasses a number of second-factor solutions, including everything from facial recognition to fingerprints, iris scans and voice – even the human heartbeat.

But what works face-to-face doesn’t always work online. When faced with an in-person security challenge, the person in question can readily and effortlessly comply. A person doesn’t keep a fingerprint on file that they then provide to a machine; the person lets the machine read their fingerprint at the security threshold. Adding a physical biometric for the online user means it’s more than just the user and a website – we need a third piece of technology to authenticate.

Before we even get into how companies cross that technological gap, we need to carefully consider the ramifications of using physical biometric technology to authenticate users in an online environment. An individual’s physical biometric characteristics are unique identifiers that cannot be changed. This makes them seem like the perfect authentication tool, but there are privacy and identity concerns if a high-quality reproduction of a biometric element were to be obtained by a malicious actor. Just this past September, 5.6 million fingerprints were stolen from the Office of Personnel Management.

Physical biometrics are unique, but are no better than adding a second, static password – one that can never be changed if compromised. Worse, as high-value transactions increasingly move to multi-factor authentication using some form of physical biometric, criminals could shift their focus to obtaining that biometric identifier by violent means. For this reason alone, many companies are steering clear of using physical biometrics.

However, there are other, non-physical biometrics that don’t pose the same risks when used to authenticate online interactions. A much less invasive, and more consumer-friendly, technique measures how a person interacts with the digital world.

Consider the way that you use your smart phone to interact with a website or application, for example. Do you realize that you have a unique way of holding your mobile device that’s different from other people, if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or thumbs to type? How hard do you press on the screen when you hit each key?

These behavioral biometrics are unique to each person. Using these subtle signals and unique signatures, organizations can easily identify when the account owner is not the one attempting to authenticate, protecting accounts during account takeover attempts, even when the fraud attempt is made from the user’s own computer or mobile device. Taken in aggregate, these signals are highly effective at recognizing repeat good users and are tolerant of the natural changes in a user’s behavior over their lifetime.

While physical biometrics can be stolen, duplicated or reused, the signals that make up a behavioral biometric profile cannot, meaning they have no value to criminals. Gathering this type of data adds no friction to the user experience. Consumers do not have to do anything different in order to be verified and protected. They simply keep doing what they are used to doing: interacting with the sites and services as they always have. Over time a rich, nuanced and yet still anonymized profile develops that cannot be spoofed.
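To make the aggregation and drift tolerance of the two preceding paragraphs concrete, here is a small Python sketch written for this page as an added example; it is not code from the article or from any vendor's product. It encodes the signals the article names (device tilt, portrait versus landscape, thumb versus index-finger typing, press force, typing rhythm) as per-session numbers, builds a baseline of means and standard deviations, scores a new session by how far it sits from that baseline, and folds accepted sessions back into the baseline with an exponential moving average so that gradual changes in habit are absorbed. The feature names and their numeric encodings, the standard-deviation floors, the smoothing factor of 0.1, the threshold of 2.0 and every session value are assumptions constructed for the example.

```python
"""Toy behavioral-biometric baseline: aggregate per-session device signals,
score new sessions against the baseline, and let the baseline drift slowly.
All feature encodings, constants and session values are constructed."""
from statistics import mean, pstdev

# Assumed encodings: tilt in degrees (positive = leaning left), landscape_ratio
# and thumb_ratio as fractions of the session, press_force on a 0-1 scale,
# key_interval_ms as mean time between key presses.
FEATURES = ("tilt_deg", "landscape_ratio", "thumb_ratio",
            "press_force", "key_interval_ms")

# Floors stop a very consistent user from producing a zero standard deviation,
# which would make any tiny deviation look like an impostor (assumed values).
SIGMA_FLOOR = {"tilt_deg": 1.0, "landscape_ratio": 0.05, "thumb_ratio": 0.05,
               "press_force": 0.03, "key_interval_ms": 10.0}


def build_profile(sessions):
    """Per-feature (mean, floored std deviation) over enrollment sessions.
    Only these aggregates are stored, never the raw touch or key events."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        profile[f] = (mean(values), max(pstdev(values), SIGMA_FLOOR[f]))
    return profile


def anomaly_score(profile, session):
    """Mean absolute z-score across features; 0 means identical to baseline."""
    zs = [abs(session[f] - mu) / sigma
          for f, (mu, sigma) in ((f, profile[f]) for f in FEATURES)]
    return sum(zs) / len(zs)


def update_profile(profile, session, alpha=0.1):
    """Exponential moving average of mean and spread, so habits that change
    gradually are absorbed. Only call this for sessions that were accepted."""
    updated = {}
    for f in FEATURES:
        mu, sigma = profile[f]
        new_mu = (1 - alpha) * mu + alpha * session[f]
        new_sigma = (1 - alpha) * sigma + alpha * abs(session[f] - new_mu)
        updated[f] = (new_mu, max(new_sigma, SIGMA_FLOOR[f]))
    return updated


def evaluate(profile, session, threshold=2.0):
    """Return (accepted, score, profile_after). Rejected sessions never
    reshape the baseline, so a failed attempt cannot train it."""
    score = anomaly_score(profile, session)
    if score <= threshold:
        return True, score, update_profile(profile, session)
    return False, score, profile


def run_sessions(profile, sessions, threshold=2.0):
    """Evaluate sessions in order; return the decisions and the final profile."""
    decisions = []
    for s in sessions:
        accepted, score, profile = evaluate(profile, s, threshold)
        decisions.append((accepted, round(score, 3)))
    return decisions, profile


# Constructed enrollment: a left-tilting, mostly portrait, thumb-typing user.
ENROLLMENT = [
    {"tilt_deg": 12.0, "landscape_ratio": 0.10, "thumb_ratio": 0.90, "press_force": 0.45, "key_interval_ms": 210.0},
    {"tilt_deg": 11.0, "landscape_ratio": 0.15, "thumb_ratio": 0.88, "press_force": 0.48, "key_interval_ms": 225.0},
    {"tilt_deg": 13.0, "landscape_ratio": 0.08, "thumb_ratio": 0.92, "press_force": 0.44, "key_interval_ms": 205.0},
    {"tilt_deg": 12.5, "landscape_ratio": 0.12, "thumb_ratio": 0.85, "press_force": 0.47, "key_interval_ms": 215.0},
]
# Constructed later session from the same user.
GENUINE = {"tilt_deg": 12.8, "landscape_ratio": 0.11, "thumb_ratio": 0.89, "press_force": 0.46, "key_interval_ms": 220.0}
# Constructed session from someone else on the same account: right tilt,
# landscape, index-finger typing, harder presses, faster rhythm.
OTHER_PERSON = {"tilt_deg": -5.0, "landscape_ratio": 0.80, "thumb_ratio": 0.20, "press_force": 0.70, "key_interval_ms": 140.0}
# Constructed slow drift: the user's tilt increases a little each session.
DRIFT = [dict(GENUINE, tilt_deg=t, key_interval_ms=214.0) for t in (14.0, 16.0, 18.0, 20.0)]

if __name__ == "__main__":
    base = build_profile(ENROLLMENT)
    print("genuine:", evaluate(base, GENUINE)[:2])
    print("other person:", evaluate(base, OTHER_PERSON)[:2])
    decisions, drifted = run_sessions(base, DRIFT)
    print("drift sessions:", decisions)
    print("tilt baseline moved from %.2f to %.2f" % (base["tilt_deg"][0], drifted["tilt_deg"][0]))
```

Two design points are worth noting. The score averages the z-scores, so a single wildly different feature is diluted by four normal ones; a production system would weigh many more signals and would usually combine a per-feature check with the aggregate. And because only accepted sessions update the baseline, the profile follows the real user's slow changes without letting a rejected attempt teach it new habits.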

Making it harder for good users to go about their business is the wrong direction for authentication. It’s not about looking for a better password; the password is as good as it’s going to get. If real security is the goal, we need to understand the real user – not a snapshot of one point in time and not one right answer given on demand but the person that’s behind the device every day.

About Robert

As NuData Security’s Vice President of Business Development, Robert is responsible for developing and nurturing Strategic Alliances, Partnerships and Channels.
In his previous role at RedSeal as a senior director, Robert was responsible for technical, security and customer operations. He acted as a public speaker and regular subject matter expert on information security, cybercrime and intrusion/data breach response.

Prior to RedSeal, Robert was senior manager, global trust and safety at StubHub, where he cracked down on rising fraud, led the design and implementation of automated transaction risk modeling, and built a global cybercrime investigation and threat intelligence team that has successfully prosecuted cybercriminals.