January 7, 2021 By Sue Poremba 3 min read

Do you know who your customers are? Not their demographics, but each customer as they enter your online portal and provide their name, address and credit card number. Or, what about the customer who requests the right to be forgotten and have personal information deleted from your system?

Identity verification is required in many, if not most, online transactions. But, it is also very difficult to do accurately. If any other person has access to the required information — including those security questions needing your mother’s maiden name and other easy-to-find responses — the identity of your customer can be easily misrepresented. And, your organization may be none the wiser until it is too late. There are identity verification services available that prove the identity given belongs to a real person, and that person wants you to have their identity. 

Identity verification is good, but it isn’t the same as authentication. Your organization has to be absolutely sure you know your customer, especially if you hand over personally identifiable information (PII) or protected health information (PHI). One of the best ways to authenticate and verify identity online is through biometrics.

Types of Biometrics

Most people have used biometrics, mostly through fingerprint or facial recognition, to access a smartphone or tablet. That’s considered an active biometric, where the user is doing something actively to confirm the biometric authentication. It’s just one type of biometrics available. Passive biometrics don’t require the user to touch anything or even take active part in the process, but can tell if the verified user is the real user. Behavioral biometrics measure how the user behaves and interacts with devices, such as the rhythm of their typing on a keyboard or how they hold a phone. 

All three types of biometrics offer online authentication, but passive and behavioral may be the most secure methods. 

Active Biometrics

Every picture tells a story, and in the case of active biometrics, it may provide an accurate portrayal of who your customer is. 

Active biometrics verify the user before granting access to areas of a website that contain personal information. Some apps, for example, use biometrics as a second factor of authentication: the app automatically enters the stored username and password, and a fingerprint, iris or facial recognition scan then gives the user full access. 

Webcams allow for similar biometric authentication for websites. The user may be asked to submit a scanned photo ID, such as a passport or driver’s license, in advance. When it comes time to access and verify, the user submits a real-time photo via webcam or calls in on a video chat, and the system compares this to the photo ID on record. 

In theory, active biometrics should be foolproof because biometric data belongs only to one person. However, threat actors have come up with ways to spoof or steal biometrics, so this type of authentication is not always reliable. Active biometrics shouldn’t be used for the most sensitive cases unless there is no other option.

Passive and Behavioral Biometrics

Passive and behavioral biometrics go hand-in-hand, but each verifies something different.

AI and machine learning are the heart of behavioral biometrics. It’s all about finding patterns. Just like someone has unique handwriting, they also have unique typing sequences. AI can tell someone who tends to type with one finger over someone who touch types, but it can also recognize how hard the user presses on the keys or how long a typical pause is before touching the next key or writing the next word. It can also measure mouse movements. Does a user prefer their right or left hand? Do they click fast or slow? Do they rest their hand on the mouse when they aren’t typing?

In addition, behavioral biometrics can measure user habits. If a specific company wanted to verify a customer, it could create a record of when that customer often visited the corporate website, for how long, and the products they browse most often. Behavioral biometrics are what clues credit card companies in when someone breaks into an account. 

Passive biometrics use behavioral attributes, but go a step further. They can be used to spot the difference between the real user and fraudulent behavior, whether a human or a machine is performing that behavior. 

Behavioral and passive biometrics have their flaws. They might show false positives, because humans change their behavior. A person with a broken arm will change their behavior patterns out of necessity, and while it is the same authenticated user, the machine doesn’t know that and may deny verification.
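A minimal sketch of the keystroke-rhythm matching described above, as an added example (not from the article or any vendor product): it enrols a user from a few typing samples, scores new samples by how far their inter-key timings drift from the profile, and treats moderate drift (the broken-arm case) as a step-up prompt rather than a hard denial. The feature set, the thresholds and all timing data are constructed assumptions for illustration.

```python
"""Keystroke-rhythm profile: enrol from several typing samples, then score
new samples. Added example, not the article's; features and thresholds are
assumptions chosen for illustration."""
from statistics import mean, pstdev


def flight_times(press_ts):
    """Milliseconds between consecutive key presses in one typing sample."""
    return [b - a for a, b in zip(press_ts, press_ts[1:])]


def enroll(samples):
    """Per-position (mean, stdev) profile from samples of one passphrase.
    The stdev is floored at 5 ms so a very consistent typist is not
    rejected over jitter no sensor can resolve."""
    columns = zip(*(flight_times(s) for s in samples))
    return [(mean(c), max(pstdev(c), 5.0)) for c in columns]


def score(profile, sample):
    """Mean absolute z-score of a sample against the profile:
    0 = identical rhythm, larger = less like the enrolled user."""
    ft = flight_times(sample)
    if len(ft) != len(profile):
        raise ValueError("sample length does not match enrolled passphrase")
    return mean(abs(t - mu) / sd for t, (mu, sd) in zip(ft, profile))


def decide(profile, sample, allow=1.5, deny=3.0):
    """Three-way outcome so behavioural drift (the article's broken-arm
    case) triggers step-up verification instead of a hard denial."""
    s = score(profile, sample)
    if s < allow:
        return "allow"
    if s < deny:
        return "step-up"
    return "deny"


# Constructed enrolment data: key-press timestamps (ms) for a 6-key passphrase.
ENROL = [
    [0, 120, 250, 400, 510, 640],
    [0, 125, 245, 410, 505, 650],
    [0, 118, 255, 395, 515, 635],
    [0, 122, 248, 405, 508, 645],
]
PROFILE = enroll(ENROL)
GENUINE = [0, 121, 252, 402, 512, 642]      # same user, usual rhythm
IMPOSTER = [0, 300, 600, 900, 1200, 1500]   # different, hunt-and-peck typist
INJURED = [0, 150, 280, 440, 560, 700]      # same user, slowed by an injury
```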

Why Organizations Need Biometric Authentication

Threat actors continue to become more refined with their attacks and the ability to spoof IDs. Identity theft is on the rise and more bad actors are looking for PII, PHI and valued data. And now that data privacy laws give consumers more control over their information, organizations are forced to make changes to protect data from compromise and to ensure individual users can access and make decisions around their own information. Usernames and passwords simply don’t cut it for good authentication anymore, and not everyone has access to authentication factors like tokens. 

Using biometrics, especially behavioral and passive, improves a company’s ability to spot, verify and authenticate each user (and, if you can, add in active biometrics for particularly sensitive data and transactions). Organizations no longer have the luxury of simply verifying identity. They need to authenticate and know exactly who their customers are.
