January 7, 2021 By Sue Poremba 3 min read

Do you know who your customers are? Not their demographics, but each customer as they enter your online portal and provide their name, address and credit card number. Or, what about the customer who requests the right to be forgotten and have personal information deleted from your system?

Identity verification is required in many, if not most, online transactions. But, it is also very difficult to do accurately. If any other person has access to the required information — including those security questions needing your mother’s maiden name and other easy-to-find responses — the identity of your customer can be easily misrepresented. And, your organization may be none the wiser until it is too late. There are identity verification services available that prove the identity given belongs to a real person, and that person wants you to have their identity. 

Identity verification is good, but it isn’t the same as authentication. Your organization has to be absolutely sure you know your customer, especially if you hand over personally identifiable information (PII) or protected health information (PHI). One of the best ways to authenticate and verify identity online is through biometrics.

Types of Biometrics

Most people have used biometrics, mostly through fingerprint or facial recognition, to access a smartphone or tablet. That’s considered an active biometric, where the user is doing something actively to confirm the biometric authentication. It’s just one type of biometrics available. Passive biometrics don’t require the user to touch anything or even take active part in the process, but can tell if the verified user is the real user. Behavioral biometrics measure how the user behaves and interacts with devices, such as the rhythm of their typing on a keyboard or how they hold a phone. 

All three types of biometrics offer online authentication, but passive and behavioral may be the most secure methods. 

Active Biometrics

Every picture tells a story, and in the case of active biometrics, it may provide an accurate portrayal of who your customer is. 

Active biometrics verify the user before giving them access to areas of a website that contain personal information.
There are some apps, for example, that use biometrics as a second factor of authentication. The app stores and automatically enters the username and password. A fingerprint, iris or facial recognition scan allows the user full access.

Webcams allow for similar biometric authentication for websites. The user may be asked to submit a scanned photo ID, such as a passport or driver’s license, in advance. When it comes time to access and verify, the user submits a real-time photo via webcam or calls in on a video chat, and the system compares this to the photo ID on record. 

In theory, active biometrics should be foolproof because biometric data belongs only to one person. However, threat actors have come up with ways to spoof or steal biometrics, so this type of authentication is not always reliable. Active biometrics shouldn’t be used for the most sensitive cases unless there is no other option.

Passive and Behavioral Biometrics

Passive and behavioral biometrics go hand-in-hand, but each verifies something different.

AI and machine learning are the heart of behavioral biometrics. It’s all about finding patterns. Just like someone has unique handwriting, they also have unique typing sequences. AI can tell someone who tends to type with one finger from someone who touch types, but it can also recognize how hard the user presses on the keys or how long a typical pause is before touching the next key or writing the next word. It can also measure mouse movements. Does a user prefer their right or left hand? Do they click fast or slow? Do they rest their hand on the mouse when they aren’t typing?

In addition, behavioral biometrics can measure user habits. If a specific company wanted to verify a customer, it could create a record of when that customer often visited the corporate website, for how long, and the products they browse most often. Behavioral biometrics are what clue credit card companies in when someone breaks into an account.

Passive biometrics uses behavioral attributes, but it goes a step further. It can be used to spot the difference between the real user and fraudulent behaviors, whether another human or a machine is performing those behaviors. 

Behavioral and passive biometrics have their flaws. They might show false positives, because humans may change their behavior. A person with a broken arm will change their behavior patterns out of necessity, and while it is the same authenticated user, the machine doesn’t know that and may deny verification.
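The keystroke-timing comparison described above, and the false rejection it can produce when a legitimate user's behavior changes, shown as an added example that is not from the original article. All timing values are constructed, the 5 ms deviation floor and the 2.0 threshold are assumptions chosen for illustration, and the z-score distance is a simple stand-in for the machine learning models the article refers to.

```python
from statistics import mean, stdev

def typing(dwells, gaps, keys="pass"):
    """Constructed sample: build (key, press_ms, release_ms) events."""
    t, events = 0, []
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (gaps[i] if i < len(gaps) else 0)
    return events

def features(events):
    """Dwell time per key (how long it is held) plus flight time
    between keys (pause from one release to the next press)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, floor_ms=5.0):
    """Per-feature (mean, std) from several typings of the same phrase.
    The std floor (assumed value) keeps a very consistent typist from
    being rejected over a few milliseconds of jitter."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), floor_ms)) for c in columns]

def score(profile, events):
    """Mean absolute z-score: lower means closer to the enrolled rhythm."""
    return mean(abs(x - m) / s for x, (m, s) in zip(features(events), profile))

def verify(profile, events, threshold=2.0):  # threshold is an assumption
    return score(profile, events) <= threshold

# Enrollment: the same user typing the phrase four times (constructed data).
PROFILE = enroll([
    typing([90, 85, 95, 88], [120, 110, 130]),
    typing([92, 88, 93, 90], [118, 115, 126]),
    typing([88, 83, 97, 86], [124, 108, 133]),
    typing([91, 86, 94, 89], [121, 112, 129]),
])
GENUINE = typing([89, 87, 96, 87], [122, 113, 127])        # same user, normal day
IMPOSTOR = typing([140, 150, 135, 145], [260, 300, 240])   # one-finger typist
INJURED = typing([110, 105, 118, 108], [190, 170, 205])    # same user, arm in a cast

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("impostor", IMPOSTOR),
                          ("injured", INJURED)]:
        print(f"{name:9s} score={score(PROFILE, attempt):6.2f} "
              f"accepted={verify(PROFILE, attempt)}")
```

The injured attempt comes from the enrolled user but is rejected along with the impostor, which is the failure mode described in the paragraph above.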

Why Organizations Need Biometric Authentication

Threat actors continue to become more refined with their attacks and the ability to spoof IDs. Identity theft is on the rise and more bad actors are looking for PII, PHI and valued data. And now that data privacy laws give consumers more control over their information, organizations are forced to make changes to protect data from compromise and to ensure individual users can access and make decisions around their own information. Usernames and passwords simply don’t cut it for good authentication anymore, and not everyone has access to authentication factors like tokens. 

Using biometrics, especially behavioral and passive, improves a company’s ability to spot, verify and authenticate each user (and if you can, add in active biometrics for particularly sensitive data and transactions). Organizations no longer have the luxury to simply verify identity. They need to authenticate and know exactly who their customers are.
