January 7, 2021 By Sue Poremba 3 min read

Do you know who your customers are? Not their demographics, but each customer as they enter your online portal and provide their name, address and credit card number. Or, what about the customer who requests the right to be forgotten and have personal information deleted from your system?

Identity verification is required in many, if not most, online transactions. But, it is also very difficult to do accurately. If any other person has access to the required information — including those security questions needing your mother’s maiden name and other easy-to-find responses — the identity of your customer can be easily misrepresented. And, your organization may be none the wiser until it is too late. There are identity verification services available that prove the identity given belongs to a real person, and that person wants you to have their identity. 

Identity verification is good, but it isn’t the same as authentication. Your organization has to be absolutely sure you know your customer, especially if you hand over personally identifiable information (PII) or protected health information (PHI). One of the best ways to authenticate and verify identity online is through biometrics.

Types of Biometrics

Most people have used biometrics, mostly through fingerprint or facial recognition, to access a smartphone or tablet. That’s considered an active biometric, where the user is doing something actively to confirm the biometric authentication. It’s just one type of biometrics available. Passive biometrics don’t require the user to touch anything or even take active part in the process, but can tell if the verified user is the real user. Behavioral biometrics measure how the user behaves and interacts with devices, such as the rhythm of their typing on a keyboard or how they hold a phone. 

All three types of biometrics offer online authentication, but passive and behavioral may be the most secure methods. 

Active Biometrics

Every picture tells a story, and in the case of active biometrics, it may provide an accurate portrayal of who your customer is. 

Active biometrics will verify the user to give them access to certain areas into a website that contains personal information.
There are some apps, for example, that use biometrics as a second factor of authentication. The app stores automatically enter the username and password. A fingerprint, iris or facial recognition scan allows the user full access. 

Webcams allow for similar biometric authentication for websites. The user may be asked to submit a scanned photo ID, such as a passport or driver’s license, in advance. When it comes time to access and verify, the user submits a real-time photo via webcam or calls in on a video chat, and the system compares this to the photo ID on record. 

In theory, active biometrics should be foolproof because biometric data belongs only to one person. However, threat actors have come up with ways to spoof or steal biometrics, so this type of authentication is not always reliable. Active biometrics shouldn’t be used for the most sensitive cases unless there is no other option.

Passive and Behavioral Biometrics

Passive and behavioral biometrics go hand-in-hand, but each verifies something different.

AI and machine learning are the heart of behavioral biometrics. It’s all about finding patterns. Just like someone has unique handwriting, they also have unique typing sequences. AI can tell someone who tends to type with one finger over someone who touch types, but it can also recognize how hard the user presses on the keys or how long a typical pause is before touching the next key or writing the next word. It can also measure mouse movements. Does a user prefer their right or left hand? Do they click fast or slow? Do they rest their hand on the mouse when they aren’t typing?

In addition, behavioral biometrics can measure user habits. If a specific company wanted to verify a customer, it could create a record of when that customer often visited the corporate website, for how long, and the products they browse most often. Behavioral biometrics are what clues credit card companies in when someone breaks into an account. 

Passive biometrics uses behavioral attributes, but it goes a step further. It can be used to spot the difference between the real user and fraudulent behaviors, whether another human or a machine is performing those behaviors. 

Behavioral and passive biometrics have their flaws. They might show false positives, because humans may change their behavior. A person with a broken arm will change pattern behavior out of necessity, and while it is the same authenticated user, the machine doesn’t know that and may deny verification

Why Organizations Need Biometric Authentication

Threat actors continue to become more refined with their attacks and the ability to spoof IDs. Identity theft is on the rise and more bad actors are looking for PII, PHI and valued data. And now that data privacy laws give consumers more control over their information, organizations are forced to make changes to protect data from compromise and to ensure individual users can access and make decisions around their own information. Usernames and passwords simply don’t cut it for good authentication anymore, and not everyone has access to authentication factors like tokens. 

Using biometrics, especially behavioral and passive, improve a company’s ability to spot, verify and authenticate each user (and if you can, add in active biometrics for particularly sensitive data and transactions). Organizations no longer have the luxury to simply verify identity. They need to authenticate and know exactly who their customers are.

More from Identity & Access

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today