Do you know who your customers are? Not their demographics, but each customer as they enter your online portal and provide their name, address and credit card number. Or, what about the customer who requests the right to be forgotten and have personal information deleted from your system?

Identity verification is required in many, if not most, online transactions. But, it is also very difficult to do accurately. If any other person has access to the required information — including those security questions needing your mother’s maiden name and other easy-to-find responses — the identity of your customer can be easily misrepresented. And, your organization may be none the wiser until it is too late. There are identity verification services available that prove the identity given belongs to a real person, and that person wants you to have their identity. 

Identity verification is good, but it isn’t the same as authentication. Your organization has to be absolutely sure you know your customer, especially if you hand over personally identifiable information (PII) or protected health information (PHI). One of the best ways to authenticate and verify identity online is through biometrics.

Types of Biometrics

Most people have used biometrics, mostly through fingerprint or facial recognition, to access a smartphone or tablet. That’s considered an active biometric, where the user is doing something actively to confirm the biometric authentication. It’s just one type of biometrics available. Passive biometrics don’t require the user to touch anything or even take active part in the process, but can tell if the verified user is the real user. Behavioral biometrics measure how the user behaves and interacts with devices, such as the rhythm of their typing on a keyboard or how they hold a phone. 

All three types of biometrics offer online authentication, but passive and behavioral may be the most secure methods. 

Active Biometrics

Every picture tells a story, and in the case of active biometrics, it may provide an accurate portrayal of who your customer is. 

Active biometrics verify the user before granting access to areas of a website that contain personal information. Some apps, for example, use biometrics as a second factor of authentication. The app stores and automatically enters the username and password. A fingerprint, iris or facial recognition scan then allows the user full access.

Webcams allow for similar biometric authentication for websites. The user may be asked to submit a scanned photo ID, such as a passport or driver’s license, in advance. When it comes time to access and verify, the user submits a real-time photo via webcam or calls in on a video chat, and the system compares this to the photo ID on record. 

In theory, active biometrics should be foolproof because biometric data belongs only to one person. However, threat actors have come up with ways to spoof or steal biometrics, so this type of authentication is not always reliable. Active biometrics shouldn’t be used for the most sensitive cases unless there is no other option.

Passive and Behavioral Biometrics

Passive and behavioral biometrics go hand-in-hand, but each verifies something different.

AI and machine learning are the heart of behavioral biometrics. It’s all about finding patterns. Just like someone has unique handwriting, they also have unique typing sequences. AI can tell someone who tends to type with one finger from someone who touch-types, but it can also recognize how hard the user presses on the keys or how long a typical pause is before touching the next key or writing the next word. It can also measure mouse movements. Does a user prefer their right or left hand? Do they click fast or slow? Do they rest their hand on the mouse when they aren’t typing?

In addition, behavioral biometrics can measure user habits. If a specific company wanted to verify a customer, it could create a record of when that customer often visited the corporate website, for how long, and the products they browse most often. Behavioral biometrics are what clues credit card companies in when someone breaks into an account. 

Passive biometrics uses behavioral attributes, but it goes a step further. It can be used to spot the difference between the real user and fraudulent behaviors, whether another human or a machine is performing those behaviors. 

Behavioral and passive biometrics have their flaws. They might show false positives, because humans may change their behavior. A person with a broken arm will change their behavior patterns out of necessity, and while it is the same authenticated user, the machine doesn’t know that and may deny verification.
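
The typing-rhythm check described in this section, as an added example (not code from the original article or from any vendor): it builds a profile from key hold and pause times and scores new attempts with a scaled Manhattan distance. The function names, the 3.0 threshold and all timings are constructed assumptions; the last sample shows the same user being rejected after an injury slows their typing.

```python
from statistics import mean

def make_attempt(dwells, flights, keys="pass"):
    """Build constructed (key, press_ms, release_ms) events from hold and pause times."""
    t, events = 0, []
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell time (how long each key is held) plus flight time (pause before the next key)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Profile = per-feature mean and mean absolute deviation over the enrollment samples."""
    cols = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in cols]
    # Floor the deviation at 1 ms so a very consistent typist cannot cause division by zero.
    devs = [max(mean(abs(x - m) for x in c), 1.0) for c, m in zip(cols, means)]
    return means, devs

def score(profile, events):
    """Scaled Manhattan distance averaged over features; lower means closer to the profile."""
    means, devs = profile
    feats = features(events)
    if len(feats) != len(means):
        raise ValueError("attempt does not match the enrolled phrase")
    return mean(abs(x - m) / d for x, m, d in zip(feats, means, devs))

def verify(profile, events, threshold=3.0):
    """Accept when the attempt is within `threshold` deviations on average (assumed value)."""
    return score(profile, events) <= threshold

# Constructed timings in milliseconds for one user typing the same four-key phrase.
PROFILE = enroll([
    make_attempt([95, 100, 105, 98], [120, 80, 85]),
    make_attempt([100, 104, 100, 102], [125, 78, 90]),
    make_attempt([98, 96, 110, 100], [118, 84, 88]),
    make_attempt([103, 100, 101, 96], [121, 82, 81]),
])
GENUINE = make_attempt([97, 102, 103, 100], [123, 79, 87])       # same user, normal day
IMPOSTOR = make_attempt([150, 160, 140, 155], [300, 260, 280])   # one-finger typist
INJURED = make_attempt([110, 115, 118, 112], [180, 140, 150])    # same user, slowed by injury

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("impostor", IMPOSTOR), ("injured", INJURED)]:
        print(name, round(score(PROFILE, attempt), 2), verify(PROFILE, attempt))
```
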

Why Organizations Need Biometric Authentication

Threat actors continue to become more refined with their attacks and the ability to spoof IDs. Identity theft is on the rise and more bad actors are looking for PII, PHI and valued data. And now that data privacy laws give consumers more control over their information, organizations are forced to make changes to protect data from compromise and to ensure individual users can access and make decisions around their own information. Usernames and passwords simply don’t cut it for good authentication anymore, and not everyone has access to authentication factors like tokens. 

Using biometrics, especially behavioral and passive, improves a company’s ability to spot, verify and authenticate each user (and if you can, add in active biometrics for particularly sensitive data and transactions). Organizations no longer have the luxury of simply verifying identity. They need to authenticate and know exactly who their customers are.
