Forced to find effective ways to authenticate customers, companies are evaluating physical biometrics for web passwords. But in the mad rush for alternatives to fight account takeover, could we be making the problem worse?
Physical biometrics works best when the person being authenticated has physically presented themselves to the authenticating party, but these same biometrics quickly lose effectiveness in an online world.
Why? Because using a single biometric data point to authenticate a user is no different than adding a second, static password. In a way, in certain scenarios, they could be worse: a stolen or leaked password can be reset, your fingerprint cannot.
High-quality reproductions of a fingerprint (a static image) or a recorded heartbeat (a set, basic pattern) can be captured and reused. And can be stolen en masse, like the 5.6 million fingerprints stolen from the Office of Personnel Management last year. Even low-tech methods can produce results, like the infamous gummy bear hack for fingerprint scanners. There is also a very real threat of fraudsters going after individuals in person, to garner physical biometrics for nefarious activities - such fears are steering away risk-adverse companies.
However, there are much less invasive biometrics that can be used for forward thinking organizations, ones that are more secure and more consumer friendly: using non-identifying behavioral biometrics.
Think about how you use your smart phone to interact with a website or application. Do you realize that you have a unique way of holding your mobile device that’s different from other people, even if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or your thumbs to type? How hard do you press on the screen when you hit each key?
When taken in aggregate, such behavioral signals are highly effective at identifying repeat good users and are tolerant of changes as a user’s behavior as it naturally changes over their lifetime. Using these subtle signals and unique signatures, organizations can easily identify when the account owner is not the one attempting to authenticate, even if the correct login and password is used in conjunction with the authentic account holder’s computer or mobile device.
These behavior-based identifying markers, contrary to physical biometrics, cannot be stolen, duplicated or reused – so they have no intrinsic, easily translated into cash value to criminals. This isn’t to say there is no value in the fingerprint or the heartbeat or any other specific biological metric; the danger is using such a signal or identifier as the sole, or alternate secondary authentication method. Adding insult to an already injured consumer, the use of physical attributes to authenticate, forces the user to go out of their way to prove their identity, adding unnecessary friction to a good user experience. How much friction are you willing to force on consumers before they finally rebel, and abandon their action or even worse – you lose them as a customer?
Data collection of behavioral biometrics, however, is completely frictionless. No special effort is required on the part of the user. They do not have to enter, enroll in or provide any additional information to a website or application to benefit from the protection these kinds of complex yet not personally identifiable biometrics offer. Users simply keep doing what they are used to doing: interacting with the sites and services as they always have.
Though physical biometrics have legitimate uses in the real world when authenticating face-to-face, there are legitimate reasons to be cautious about using one biological biometric as a primary or secondary, static online authentication method. Aggregated behavioral biometrics are too complex to steal and replicate and is a completely painless way to ensure account security without placing any extra burden on your good trusted users. This is the future of authentication security, and it’s time to embrace it – your customers will demand it.
Robert Capps is vice president of business development for NuData Security.
