Do you know who your customers are? Not their demographics, but each customer as they enter your online portal and provide their name, address and credit card number. Or, what about the customer who requests the right to be forgotten and have personal information deleted from your system?

Identity verification is required in many, if not most, online transactions, but it is also very difficult to do accurately. If any other person has access to the required information (including those security questions needing your mother’s maiden name and other easy-to-find responses), the identity of your customer can be easily misrepresented, and your organization may be none the wiser until it is too late. There are identity verification services available that prove the identity given belongs to a real person, and that person wants you to have their identity.

Identity verification is good, but it isn’t the same as authentication. Your organization has to be absolutely sure you know your customer, especially if you hand over personally identifiable information (PII) or protected health information (PHI). One of the best ways to authenticate and verify identity online is through biometrics.

Types of Biometrics

Most people have used biometrics, mostly through fingerprint or facial recognition, to access a smartphone or tablet. That’s considered an active biometric, where the user is doing something actively to confirm the biometric authentication. It’s just one type of biometrics available. Passive biometrics don’t require the user to touch anything or even take active part in the process, but can tell if the verified user is the real user. Behavioral biometrics measure how the user behaves and interacts with devices, such as the rhythm of their typing on a keyboard or how they hold a phone. 

All three types of biometrics offer online authentication, but passive and behavioral may be the most secure methods. 

Active Biometrics

Every picture tells a story, and in the case of active biometrics, it may provide an accurate portrayal of who your customer is. 

Active biometrics verify the user before granting access to the areas of a website that contain personal information.
Some apps, for example, use biometrics as a second factor of authentication. The app stores and automatically enters the username and password. A fingerprint, iris or facial recognition scan allows the user full access.

Webcams allow for similar biometric authentication for websites. The user may be asked to submit a scanned photo ID, such as a passport or driver’s license, in advance. When it comes time to access and verify, the user submits a real-time photo via webcam or calls in on a video chat, and the system compares this to the photo ID on record. 

In theory, active biometrics should be foolproof because biometric data belongs only to one person. However, threat actors have come up with ways to spoof or steal biometrics, so this type of authentication is not always reliable. Active biometrics shouldn’t be used for the most sensitive cases unless there is no other option.

Passive and Behavioral Biometrics

Passive and behavioral biometrics go hand-in-hand, but each verifies something different.

AI and machine learning are at the heart of behavioral biometrics. It’s all about finding patterns. Just like someone has unique handwriting, they also have unique typing sequences. AI can distinguish someone who tends to type with one finger from someone who touch types, but it can also recognize how hard the user presses on the keys or how long a typical pause is before touching the next key or writing the next word. It can also measure mouse movements. Does a user prefer their right or left hand? Do they click fast or slow? Do they rest their hand on the mouse when they aren’t typing?

In addition, behavioral biometrics can measure user habits. If a specific company wanted to verify a customer, it could create a record of when that customer often visits the corporate website, for how long, and the products they browse most often. Behavioral biometrics are what clue credit card companies in when someone breaks into an account.

Passive biometrics uses behavioral attributes, but it goes a step further. It can be used to spot the difference between the real user and fraudulent behaviors, whether another human or a machine is performing those behaviors. 

Behavioral and passive biometrics have their flaws. They might show false positives, because humans may change their behavior. A person with a broken arm will change their behavior patterns out of necessity, and while it is the same authenticated user, the machine doesn’t know that and may deny verification.
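
The typing-rhythm matching and the changed-behavior flaw described above, as an added example that is not part of the original article: a minimal keystroke-dynamics check using key hold (dwell) time and the pause between keys (flight time). The feature choice, z-score scoring, the 2.0 threshold and every timing sample are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def typed(text, dwells, gaps):
    """Build (key, press_ms, release_ms) events from hold times and gaps."""
    t, events = 0, []
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (gaps[i] if i < len(gaps) else 0)
    return events

def features(events):
    """Dwell time per key, then flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Per-feature (mean, stdev) profile; stdev floored at 1 ms."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]

def score(profile, events):
    """Mean absolute z-score against the profile (lower means closer)."""
    return mean(abs(x - m) / s for x, (m, s) in zip(features(events), profile))

def verify(profile, events, threshold=2.0):  # threshold is an assumed value
    return score(profile, events) <= threshold

# Constructed timings (ms) for one user typing "login" four times at enrollment.
PROFILE = enroll([
    typed("login", [95, 100, 90, 105, 98], [120, 110, 130, 115]),
    typed("login", [100, 96, 94, 100, 102], [125, 105, 135, 120]),
    typed("login", [92, 104, 88, 108, 95], [115, 115, 125, 110]),
    typed("login", [98, 99, 92, 103, 100], [122, 108, 132, 118]),
])
GENUINE = typed("login", [97, 98, 91, 104, 99], [121, 109, 129, 116])
ONE_FINGER = typed("login", [140, 150, 135, 160, 145], [300, 280, 350, 310])
# Same enrolled user typing with an injured arm: slower holds, longer gaps.
INJURED = typed("login", [110, 115, 105, 120, 112], [180, 170, 200, 175])

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("one-finger typist", ONE_FINGER),
                          ("same user, injured", INJURED)]:
        print(f"{name}: score={score(PROFILE, attempt):.2f} "
              f"accepted={verify(PROFILE, attempt)}")
```

The injured attempt is denied even though it comes from the enrolled user, which is why a rejection from a behavioral check is usually paired with a fallback factor rather than treated as a final decision.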

Why Organizations Need Biometric Authentication

Threat actors continue to become more refined with their attacks and the ability to spoof IDs. Identity theft is on the rise and more bad actors are looking for PII, PHI and valued data. And now that data privacy laws give consumers more control over their information, organizations are forced to make changes to protect data from compromise and to ensure individual users can access and make decisions around their own information. Usernames and passwords simply don’t cut it for good authentication anymore, and not everyone has access to authentication factors like tokens. 

Using biometrics, especially behavioral and passive, improves a company’s ability to spot, verify and authenticate each user (and if you can, add in active biometrics for particularly sensitive data and transactions). Organizations no longer have the luxury to simply verify identity. They need to authenticate and know exactly who their customers are.
