A GUIDE TO LEVERAGING YOURSELF, TO PROTECT YOURSELF USING A BIOMETRIC ID
Even before the commercial internet came into being, software users were authenticating to their applications. Early on, it wasn’t even necessarily for security so much as to claim role-based functionality. Software packages weren’t remote; they were run inside the walls of the companies that used them (unless you made use of 1200 baud modems to dial in), so safeguarding digital assets was just as much a physical concern as digital. Usernames and passwords became not only the norm for the next several decades, but the feeble standard for security.
The obvious weaknesses here have been responsible for an unthinkable number of breaches, exposing the personal information of literally hundreds of millions of individuals. A password is only a string of characters that can be stolen, guessed, passed along, captured, or compromised in any number of ways. It’s a thing you know that can be known by others. PINs are hardly any better.
The IT world has expanded the definition of that combo of name and password, but across large stretches of the digital world, even those variations are subject to the same weaknesses. One time passwords (OTP) can be intercepted. Forgotten password recovery schemes are perfect vectors for bad actors who invoke them in order to gain control of others’ accounts. If they can’t steal or guess a password, they can reset it by claiming to be a user who has forgotten it.
Security questions require users to pre-register their answers to a pre-cooked bank of queries. Favorite book, favorite type of music, the month you met your significant other, etc. This runs into two problems. First, all too often, people’s answers can be discerned by bad guys through social media and phishing. Second, smarter users provide answers that don’t match the questions (e.g. what’s your favorite color? Buick). But these types of users often forget their own answers, which in fact is a very common problem.
Knowledge-based authentication (KBA) takes this a step further, with portals prompting users to answer questions that are pulled from data brokers, who ask users things like the amount of their first mortgage, or the make of their first car, data points which can be found on the dark web. Sometimes these questions are based on information that is so old, users find themselves scrambling to find the answers to things they’ve long forgotten. It’s not uncommon for criminals to have better access to these answers than the users the answers concern. These issues make KBA not only terribly unfriendly to users, but also less than secure.
Phishing allows criminals to trick users into giving up their own personal information, including passwords. Smishing has moved this kind of attack to SMS. Social engineering also still plays a big role.
Weak passwords are responsible for a large portion of breaches. Strong password policies certainly help, in that they can protect users from their own laziness, preventing them from reusing old passwords, or implementing simple-minded strings of numbers or letters, utilizing their own birthdates or even their names.
Don’t forget about personal devices. They serve two purposes. First, they allow the user to gather and submit credentials. Nothing new there. But they can also be an integral part of those credentials. The device itself can possess a signature that becomes part of what is presented to the authenticator. The device can bear a token that is passed along as part of the authentication process. Authenticator apps commonly reside on devices, especially smartphones.
The weakness here is twofold: first, devices can be (and often are) compromised, making them almost traitorous to those who use them. Second, if the credentials are bound to a particular device that is subsequently lost or stolen, or must be upgraded, then the user loses access until such time as it is replaced and then appropriately provisioned, costing days of productivity.
And in the meantime, criminals may use a compromised or stolen device to gain illicit access. It’s important to remember that a device-bound authentication plan only validates that an individual physically possesses a device, not that they are necessarily the legitimate owner of that device.
So what is the answer to preventing stolen passwords, social engineering, phishing, and other common attacks? Biometric authentication. There are many faces (no pun intended) to this topic, many types, but it can be boiled down to a simple concept: using a biological aspect of oneself to assert identity.
WHAT IS BIOMETRIC AUTHENTICATION?
Biometric authentication is the science of utilizing one’s physical self for the purpose of achieving digital access. But first, let’s talk about the definition of biometric.
The term “metric” already implies the measurement or assessment of something. “Bio” is of course in this context bodily. Therefore the definition of biometric is the assessment of something physical about you. Put together “biometric authentication” and you have the process of allowing you into a digital environment via the assessment of your physicality. Typical biometric factors are facial, fingerprint, and voice. As we will discuss, some are more viable than others, in the light of evolving (and sometimes sinister) uses of technology.
In biometric identification, the user presents one or more biometric factors to the authentication process, is recognized, and subsequently allowed into the portal, web site, or application of note. Some kind of device must receive and validate the biometric, recognize the individual, and provide that access.
A user may present a fingerprint to an appropriate device, which compares the print to one previously put on record. The same with voice or face. Different algorithms approach these biometrics in their own unique fashion. In some cases, the biometric is sufficient to provide proof of being. In some workflows, the user first specifies their identity by way of a username, then supplies the biometric to validate.
Biometric authentication goes two steps beyond the traditional “what you know” credentials (e.g. password), and one step beyond “what you have” credentials (e.g. smartphone or physical token). It asserts you as a physical person.
WHAT IS BIOMETRIC VERIFICATION?
But before you can gain access through biometric authentication, you must be verified, or identified. This means establishing a digital identity that includes one or more biometric factors. I don’t just let you in; I let you in once I have previously recognized you and decided you are worthy of biometric authentication. Therefore I first perform biometric verification, or biometric identification. This is the process of verifying who you are at the outset, before I know you at all. Biometric verification is the process of validating your identity, in part by assessing your physicality in conjunction with other identifying information, in addition to making that biometric information part of your profile for leveraging it later.
In other words, if I verify you using a biometric factor now, I will incorporate that factor into your identity for using it later for authentication. You perform biometric verification now, and create a biometric id, so you can authenticate later, as biometric authentication is the gateway to conducting transactions.
This type of verification is far friendlier and more secure than the aforementioned KBA.
In a typical biometric verification flow, the user presents PII (personally identifiable information) such as name, address, date of birth, etc. This information must be vetted on its own, to see if it all matches up with a single entity. The biometric identification aspect then comes into play, where the user presents one of those factors such as face or voice, which is then synched with the PII. The real capper to this process is the ability to match the biometric with the PII.
An excellent way to do this match is to present the PII by way of a physical id, such as a license or passport. The PII can be scanned from the id, which also presents an image of the bearer. The user takes a selfie of their own face, essentially a biometric scan, and submits that to the process. If the selfie can be matched to the image on the physical id, then the physical id is validated.
Now it can get a little more interesting. If the accepted biometric factor is facial, then that factor has already been captured. However, if the biometric factor to be used for subsequent authentication is voice or fingerprint, then that factor must also be submitted at this time. The difference there is that neither voice nor fingerprint can be linked to the physical id. Regardless of the actual form of that factor, it is now linked to the PII, which results in a truly closed-loop biometric verification.
So to review:
- The user takes pictures (front and back, when applicable) of their physical id document
- The user takes a selfie
- The physical id document is validated as legitimate (not tampered with, properly issued by the authority it purports to be from)
- The data on it is validated
- The selfie matches the image on the id
- If voice or fingerprint are required, that factor is now submitted as well
- A full service biometric identification is complete
- Your biometric id is established
- You are ready to authenticate
WHO USES BIOMETRIC AUTHENTICATION?
There are virtually no vertical industries that do not employ some version or other of authentication. Everyone requires a password. Even free services, in order to prevent overload of bot accounts, require authentication. But far more stringent biometric identification is a must for a number of industries who need to lock down corporate assets and/or protect the digital assets of their consumers, and are therefore the organizations who are most likely to buy biometric authentication software.
- Consumer banking is the backbone of trust in the American financial system. Banking customers need to know their cash is safe. If a customer’s account is hacked and their money is drained, the onus is usually on them to prove this so they can be made whole. Otherwise they are literally out of luck. Insisting on strong authentication, such as with biometric login, helps them be part of the biometric security solution instead of its weakest link. Checking balances, transferring money (even between their own checking and savings), or requesting a loan – these transactions should all be locked down with biometrics.
- Commercial / business banking entails fewer transactions but with larger dollar amounts per transaction. The executors of such transactions are common targets of identity theft because of those dollar amounts.
- Financial services companies in the US already have the (necessary) burden of the Patriot Act in identifying customers right up front. But any subsequent transactions should also be locked down. These institutions are often just fronts for sponsor banks, with billions in assets and millions of customers, so they’re just as much on the hook for safeguarding their customers’ access.
- Call centers have often been conduits for bad guys taking over accounts by impersonating legit users over the phone. In 2023, call centers were fooled into giving privileged access to criminals who then used that access to pull off very lucrative and damaging ransomware attacks on multiple casino operations. By requiring biometric authentication, call centers can “trust but verify” when trying to help someone who may or may not be a legit privileged user, such as an admin or DBA.
- Anyone picking up a fleet car or showing up to claim a rented house or room should biometrically authenticate, to avoid the provider handing the keys over to a criminal who has no intent to pay or to return property after use.
- Online dating fraud has led to assaults, thefts, and scams affecting many thousands of unfortunate victims. Biometric authentication helps ensure that an individual is who they claim to be.
- Medications, treatments, and even surgeries have been stolen from private, but even more so public, providers, such as the VA. Doctors sometimes use a marker on a body part before surgery to make sure they’re treating the right limb. Patients may need to use biometrics to show they’re the owner of the correct limb.
- Retail outlets can use biometric login for their consumers, to ensure that a potential shopper is the legit one using an existing charge account. Otherwise, in the end either that consumer, or the store, is bearing the costs of illicitly acquired goods.
- Getting picked up by a rideshare driver? Picking up somebody as a rideshare driver? Biometric authentication. People getting into cars that weren’t what they thought, or being driven by someone who isn’t certified or insured, has resulted in some terrible outcomes. And picking up the wrong person puts the driver in danger.
- Public agencies can be outlets for fraud, and victims of fraud. Services, medications, tax refunds, and a host of other assets have been compromised via identity theft. Requiring biometric identification can save billions in tax dollars and citizen frustration.
- Any operation in which multiple parties make use of a shared device, such as a mobile workforce crew or a central kiosk, can utilize biometric authentication, although this requires a more sophisticated solution by which each person’s unique biometric signal provides them their own unique access, even when someone else makes use of that same device. My face gives me my page, your face gives you your page, even through the same smartphone or kiosk.
- Forgotten password links are a very common attack vector. As a criminal, I can’t be there when you register. But I can pretend to be you having forgotten your password, I click your link, and I use information gleaned through the dark web, data breaches, or social engineering to mimic you. However, biometric identification can validate that the person resetting that password is, in fact, you. But here’s another benefit: the use of biometric login can eliminate the need for passwords altogether. I can know what you know, I can take what you hold in your hand, but I can’t be you (most of the time).
- And workforces are often spammed, phished, smished, or otherwise targeted, enabling thieves to act as an employee, and steal corporate assets. Financial crimes, data theft, intellectual property theft, and other losses have resulted from weak authentication solutions. Biometric authentication can ensure that an employee is who they claim to be, especially in situations requiring privileged (and therefore very perilous) access.
NOW IT’S TIME FOR BIOMETRIC AUTHENTICATION
Think of biometric verification or identification as Day Zero. Nobody knows you yet, so you need to establish yourself. Once that is done, it’s Day One and beyond. You are ready for a biometric login to your portal, page, site, or application of choice.
Once again, passwords rear their ugly heads. They are what you know. Your smartphone is what you have. Someone can know what you know, they can possess what you have. But they can’t be you. They might pretend, but if you’ve completed a proper biometric identification, you have set yourself up for secure (and very friendly) biometric authentication.
Even when a username (and possibly even a password) are engaged, the factor that really locks the whole process down is a biometric id. “You typed in all the right information, you look good, but hang on, I’m still going to run this last check.”
If username and password and KBA and OTP and security questions are “what you know,” and your device is “what you have,” then biometric authentication is “what you are.” In a way, it’s not necessarily even “who” you are, because your biometric factors are boiled down mathematically into a unique hash that can be compared to a previously-registered hash. When was this registered? During your biometric identification or verification.
Once again, the device can be a factor, but only for the sake of delivery. It can be used to gather and submit the biometric information. But in a perfect biometric identification scheme, the device is not bound to the scheme, since that brings about the previously described situation in which the loss or theft of a device utterly disrupts the user’s ability to authenticate. It can also allow a bad actor to steal that access in the interim.
A proper, trustworthy, and user-acceptable biometric login solution needs to reach a high bar to stand apart. It’s not sufficient to simply accept a biometric signal and submit it for validation. This process must be performed accurately (to ensure that only the correct user, who has established a biometric id by previously registering, can leverage the biometric), must be performed quickly (so that the user does not think it’s a failure and then abandons the process), and must be performed with a user interface that is easy to invoke and execute. These are the factors to consider when it’s time to buy biometric identity technology.
SO WHERE DOES BIOMETRIC AUTHENTICATION GO WRONG?
While biometric login is certainly a more secure, convenient, and accurate way to authenticate users who have valid biometric ids, execution is still the key to pulling it off. Just like any other technology, its efficacy depends on the supplier, and even the modalities or biometric methods employed. Knowing the pitfalls of biometric technology can help organizations find and buy the best biometric software.
Too many biometric software reviews are based either on pay-to-play analysts or superficial examination of vendor whitepapers. So when making your own decisions, what are those critical concerns to pay attention to, in order to acquire the best biometric authentication technology?
To begin with, there are multiple modalities or methods supported in the biometric market. They all have benefits, and possible weaknesses. These are typically voice, fingerprint, and face. Let’s look at these one at a time.
Fingerprint is a solid biometric signal. Yes, someone can hit you on the head, steal your phone, and stick your unconscious thumb on your device to access it. Discounting that, the biggest issue is deprecated support. The Apple iPhone is still the market leader, selling almost five times more units than the next model in 2023, and Apple has been dropping support for fingerprint for multiple reasons. It provides them the ability to deliver a larger screen, and facial recognition is easier for the user to unlock the phone. Removing this technology also simplifies the hardware. Given the ubiquity of the iPhone, relying on an unsupported fingerprint modality as your primary mode for biometric login seems an unsustainable approach.
Voice biometric seems a likely approach. Many millions of users invoke instant help from digital assistants (such as Siri and Alexa) with a simple spoken phrase. But that invocation assumes the device has already been unlocked. And voice can increasingly be injected into the authentication flow. Artificial intelligence, a powerful tool for any number of purposes, is more notable these days for its potential hazards, only one of which is deepfakes. No one is going to deepfake your fingerprint any time soon. Deepfaked faces are a problem, but not so much in authentication schemes (although we’ll talk about that in a moment).
But deepfake voices, generated by AI, are a definite threat. As stated before, automated voice recognition is commonly fooled even by people who don’t sound like the registered user. How many of us have uttered something that sounded enough like “Hey Siri” or “Alexa” to someone else’s device and gotten an answer? AI-based voices are certainly good enough to fool people. Late in 2023, an IT company reported how a hacker breached their systems using smishing, social engineering, and an AI-generated deepfake voice.
The process of putting forth an illicit biometric signal is often called injection. This is where a criminal asserts an improper biometric in the hopes it will pass muster as a valid biometric id. For example, to inject a fake voice into biometric login simply means playing back a recording.
Many biometric solutions store the registered biometric signal on a particular device, meaning that if said device is no longer at hand, the user’s access is immediately impeded. As in, they need to acquire a new device, then have that device provisioned.
Eye scan. We won’t pay much attention to this one here, for a simple reason: it requires very proprietary hardware, not immediately available for consumers, and only applicable in the workforce at physical decision points such as secured doors.
Facial biometric is the preferred method for Apple products, is the most widely supported biometric factor, and of the two most supported factors, it is the one that is the most difficult to inject into an authentication process.
Regardless of the type of biometric modality, any solution is only as good as its weakest link. If a stored biometric is protected by a password, for example, then hacking that password gives the hacker your biometric identity. Social engineering is often used to bypass any number of security protocols. And if the biometric is stored on a specific device which falls into the wrong hands, the device may be compromised, meaning the access may be compromised.
But imagine a help desk that, rather than simply restoring privileged access to a faceless voice over the phone, instead sends a link that allows the user to re-authenticate, using biometric security, and on any device? The help desk has done its job by helping, but is still requiring a secure submission. “I can help you help yourself, in a way that is still safe for all parties.”
WHO PROVIDES BIOMETRIC AUTHENTICATION?
It’s easy enough to locate biometric software reviews, to discover who provides the tools. You can even get them from the analysts, although as we’re all aware, sometimes analyst reviews look rosy if you write a check. There are any number of vendors providing some version or other of biometric authentication and/or registration. Some provide their products standalone, without the benefit of providing the best biometric identity technology, while others make it part of a larger suite of products. As often happens with larger software companies, even lesser ancillary products such as biometrics or document verification can still be sold within the confines of a bundle, even if they’re inferior to the offerings of other vendors who specialize in that technology.
There are software companies who provide support for all the biometric signals with a “roll your own” philosophy which can lead to a somewhat chaotic implementation, since face, voice, and fingerprint must all be processed in different ways, and in fact cannot be associated with additional signals in the same way either. Each comes with its own rewards and risks. Any organization heavily tied to fingerprint, for example, may very well also be tied to proprietary hardware, given the lack of support for touch id by the largest single smartphone provider on the market.
Where many vendors fall short is in their lack of understanding of the entirety of a biometric authentication flow, and helping users establish a usable biometric id. They bolt biometric technology to an existing authentication scheme, without a fully user-friendly front end. The result is a clunky, non-contiguous experience for the user, and often an abandonment of the process. A natural marriage of the best biometric technology and an authentication platform is less common than one might think.
What are the common missteps in biometric login technology to be avoided (and things to look out for when conducting a trial or proof-of-concept)?
- They’re slow. When any online process whatsoever is not immediately responsive, users think that something has gone wrong, that they have to keep clicking something, or that they have to start over. And far too many biometric schemes are slow. For example, when processing images of a physical id to match up with a selfie, the standard should be, “provide results on the viability of the captured image(s) before the user puts his wallet away.”
- They’re inaccurate. In the public sector, it’s often said that a 70% identification rate is acceptable. And for certain vendors, that is their bellwether. But this is an absurdly inadequate goal. In the public sector realm, inaccurate readings, meaning improper acceptance or false rejection, mean either fraud or an office visit, the worst sort of friction. In the private sector, false accepts certainly mean fraud. In either public or private sectors, inaccuracy turns into very messy audits, and plenty of disputes with consumers.
- The user experiences are bad. The most difficult aspect of a biometric capture, and the single biggest driver of abandonment (i.e. the user gets so frustrated that they bail on the process), is a difficult to follow, non-intuitive interface, or user experience. In many cases, the user can’t tell if they’ve properly snagged their voice, their fingerprint, their face. Not only is the capture process difficult, but it’s not always apparent to the user that they’ve adequately performed the necessary actions. And once the capture procedure is finished, there may be a lag between completion and notification that the biometric is acceptable enough to the process that it can be used in later authentication.
- Have you seen these messages? “Your photo is blurry” ; “the id cannot be validated” ; “Please speak that phrase again.”
- All too often, a good user experience (or even a lousy one) is top heavy. A large executable piece of code must be employed. On a smartphone, this typically means downloading a large, unwieldy app. If an app is required just to register, this is a worst case scenario, since it’s a one-time-use, throwaway piece of code. If it’s a day to day authentication, then whenever there’s an update or security patch, a new app must be downloaded. How often do we get notifications saying an updated app needs to be applied?
- The resulting identity from even a successful verification and subsequent authentications is tied to a particular device as the root of trust. Sure, you are using your face to unlock it, but in the end, it’s the device that is the actual authoritative source of truth. If something happens to that device, the access must be recovered, typically after a new device is acquired or issued, and then validated. This can cost hours or days of access.
- Recovery is difficult. When an account expires, is locked out, or is compromised, recovering that account more often than not requires intervention by a help desk.
SO WHERE DOES BIOMETRIC AUTHENTICATION GO RIGHT?
Whether you’re designing a car, making a pizza, painting a picture, or delivering a biometric solution, details matter. Anyone can take pictures of physical ids, capture a selfie, record a voice, or even grab a fingerprint. What matters is how intelligent the process is, how accurate the process is, and how easy it is for the user to make it through that process. If the most accurate biometric authentication solution in the world requires an MIT grad and a half hour, it’s worthless.
What do you look for when reading the biometric authentication reviews? So what should go into the best biometric software? It’s easy to say, but not easy to deliver.
First, you cannot authenticate to a portal until that portal knows who you are. So the first stage is identity verification. This needs to be fast, accurate, and user friendly, to avoid abandonment. The user verifies their identity on Day Zero, meaning before the portal knows who they are. Once verified and registered, authentication is even easier. You only need to verify once (unless the portal authorities expire your identity after a period of time and you need to do it again, e.g. after a year). Then you authenticate each time you access that portal. And you want that authentication process to also be fast, accurate, and easy.
As stated before, this process must be a natural marriage of biometric technology and an authentication platform, one that understands both the tech and the human aspects of the authentication transaction.
Most people are not experts at verifying themselves. So the verification process must be a hand-holding exercise. Explain to the user each step in the friendliest possible manner. For example:
- The user either visits the appropriate site and is prompted, or
- The user is given a QR code to use with their phone’s camera, or
- The user receives an SMS with a link they hit with their thumb
There’s the start. Then their brief journey begins. The user then
- Is prompted to take a picture of the front of their physical id
- When appropriate, they are prompted to take a picture of the back of that id
- Then they are prompted to capture a selfie
- Also, when appropriate, they are prompted to record their voice (usually with a particular phrase) or provide a fingerprint
The subsequent verification of the pictures and biometrics should be fast and, if there is an issue, error, or an inability to successfully verify that biometric, the user should be immediately prompted to take corrective action, as in capture a picture or biometric again.
Once again, because voice is too easily spoofed with AI, and fingerprint capture is no longer universally supported by common hardware, facial biometrics are the most likely signal to capture going forward. This signal needs to be validated through biometric liveness detection, meaning that the face is recognized as belonging to a live person, is not a picture of a picture, and not a picture of a screen. NIST (the National Institute of Standards and Technology) specifies the best guidance for what is known as Presentation Attack Detection, or PAD. In other words, a proper solution enforces PAD and can detect that a bad actor is attempting to present something other than a live face, a real person, a legitimate individual, as part of a legitimate biometric id.
Once verified, the user is enabled to authenticate. This means that when the user visits a site protected by a biometric identification platform, they simply need to provide that biometric signal, and they’re in. That simple. If it’s facial biometric, the user shows their face to the camera, whether on a desktop, a smartphone, or an iPad. They are recognized, validated against their previously-registered biometric, and granted access.
If there is an additional authentication factor, such as a FIDO passkey, it can be unlocked by that biometric, which is a far more secure approach than using a password. Since the facial biometric is stored in the cloud, it is the key, the very root of trust, which means you are not tied to any one device. A lost, stolen, or upgraded device can instantly be your means to recover lost access.
One more very powerful addition to this approach in terms of user experience is the use of web-based technology rather than the need to download a native application, which is time-consuming and may require periodic re-downloading.
Fast, accurate, and user-friendly. These are the hallmarks of a great biometric authentication solution.
authID, THE BEST AUTHENTICATION SOFTWARE ON THE MARKET
How did we become the best biometric authentication platform on the market? How did authID rate so high in various biometric technology reviews? We started out by aiding third world countries in holding free and fair elections, where personal technology is not nearly as prevalent as in other parts of the world. We accomplished this by biometrically registering legitimate voters, then authenticating them at polling time to ensure that only those legit voters were the ones casting their ballots. Since then we have rolled out our solutions to financial services companies, workforce management companies, banks, healthcare, and other organizations who wish for only bona fide employees or consumers with legit biometric ids to access their most sensitive digital assets.
Verification on Day Zero, authentication on Day One and beyond. authID does this quickly, accurately, and with the smoothest, most friction-free user experience available. Users need that easy experience, while the host needs it to be right. Very recently a customer won a CSO award for their use of authID’s patented technology for verification and authentication.
authID verifies the validity of physical id documents (driver’s licenses, passports, state-issued id’s, etc.), supporting over 13,000 documents from over 200 countries and territories around the world, while employing dozens of security checks and markers to guarantee that validity. We then verify the user by their selfie, performing biometric liveness detection via NIST PAD Level 2. Ensure we have the right document, ensure we have a real person, then put them together to ensure we have the right individual.
authID’s browser-based interface (meaning no app to download) literally walks users through the capture process with virtual frames and digital guidance. And we process that data in under 700 milliseconds. Nothing friendlier, nothing faster.
Once that facial biometric is registered, you only need your face to authenticate, day after day, on your smartphone, desktop, or pad. If you lose or upgrade your device, that same face is all you need to instantly and seamlessly recover your access.
It’s the greatest level of assurance with the least friction, meaning the best identity authentication option available. To learn more about the fastest, most accurate, and most friendly biometric authentication solution on the market, give us a read. And please reach out to us at AuthID.ai, where our friendly faces will teach you how your own friendly face can be the key to secure access.