The difference between physical and behavioural biometrics, and which you should be using

The debate around digital identity has never been more important. The COVID-19 pandemic pushed us almost entirely online, with many businesses pivoting to become e-tailers almost overnight. Our reliance on online services – whether ordering a new bank card, getting your groceries delivered, or talking to friends – has given bad actors the perfect hunting ground.

With the advent of the internet, the world moved online. However, authentication processes from the physical world were digitised rather than re-designed for the digital world. The processes businesses digitised lack security, are cumbersome and don’t preserve privacy. For example, the password: it is now 60 years old, yet still relied on today to protect our identities and data.

Digitised processes have enabled the rise in online fraud, scams, social engineering, and synthetic identities. Our own research highlighted how a quarter of consumers globally receive more scam text messages than they get from friends and families, with over half (54%) of UK consumers stating that they trust organisations less after receiving a scam message. Clearly, digital identity is broken, and the pandemic has now pushed the issue into the spotlight.

Physical biometrics

In order to solve this, various governments, regulators and private sector organisations seek to enhance online customer authentication through legislation like the digital identity bill, regulation and more robust technology and processes. Often these measures leverage different forms of physical biometric technology to assist with reliable identity verification. Physical biometrics are based on physical characteristics of an individual, including their fingerprint, face and eyes. But while physical biometrics can certainly improve the process, it’s not a quick fix. Businesses, governments and consumers must be cautious when adopting this technology for many reasons:

  1. Single point of failure: Physical biometrics works by asking a closed question: is this the user’s face? Is this the user’s fingerprint? Yes or no. And while a user can move their finger around when reading on a phone, it can be difficult and time consuming to get facial readers to work. If biometrics is the only method of authentication and the computer doesn’t recognise you, what happens next?
  2. Technology bias: Authentication solutions need to work for everyone, and the use of biometric technology can exclude pockets of the population and perpetuate inequality through racial or religious bias and technology elitism.
  3. Security limitations: There are security limitations around facial biometrics that use simple photos and one type of biometrics on its own to authenticate people. Knowing this limitation, fraudsters will falsely claim their biometrics methods are broken just to circumvent the authentication process.
  4. Appropriate or inappropriate friction: While most businesses aim to offer consumers a friction free process, there are some cases where friction is needed. Depending on when biometrics is used, it can add unnecessary friction to the consumer journey. In certain situations, like opening a new bank account, consumers understand that they will need to verify their identity, so using biometrics here is an appropriate authentication method. However, if a facial ID is required each time you buy something from an online retailer, you’ll likely take your business to another vendor where it is easier and faster to make a purchase.
  5. Privacy: Technology usually becomes ubiquitous when consumers understand how and why it’s used. For example, a facial ID is used on many modern smartphones to access apps and services on the phone. The concept of biometrics as a unique identifier is well understood by consumers, but perhaps not well enough. Biometrics as a form of authentication is intrusive, as it often ends up invading people’s privacy. Biometrics uses Personally Identifiable Information (PII), so permission is required to collect, store and process this in many countries. As a result, most people will choose not to authenticate themselves with this form of identification because they will want to know how their data is being used. This challenge is potentially the biggest barrier to a large-scale adoption of biometrics as authentication methods.

What are the best ways to ensure user privacy?

This article will explore the best ways in which organisations can go about ensuring the privacy of their users. Read here

Behavioural biometrics

Businesses and governments must look to behavioural biometrics to seamlessly authenticate people online. Behavioural biometrics uses the behavioural factors of an individual to authenticate them. This includes how someone interacts with and swipes on their phone, patterns in how they type in their password, or how they move a mouse on computer. It provides privacy preserving, frictionless, accessible, and inclusive methods to authenticate users in robust and failsafe ways. This technology has been designed for the digital world, accounting for how users behave and interact online rather than simply digitising analogue processes, and as such has advantages over physical biometrics. Here are a few other reasons why businesses should look at behavioral biometrics:

  1. Technology equity: Unlike physical biometrics, behavioural biometrics works across multiple devices and machines. Users only need a basic smartphone, keyboard or a mouse, so the cost of highly specialised technology is not a barrier for adoption. Behavioural biometrics profiles are also device agnostic. This is useful if a consumer loses their phone and needs to re-register for online services. Even though it’s a new device, a consumer can download all their apps and get going straight away because their behaviour remains the same. Whereas with physical biometrics, the user will need to re-enroll for the biometrics service by repeating the registration process, so taking facial biometrics at different angles of the user’s face.
  2. Contextual data: Behavioural biometrics considers millions of contextual data points to verify if the user is genuine. So, while a user and their device might be in an unusual location – on vacation for example – how they swipe on their phone can be used to accurately identify who they are. Layering intelligence from multiple sources means there isn’t a single point of failure in the authentication process when using behavioural biometrics. While behavioural biometrics looks for characteristics of genuine users, it can also recognise typical fraudster behaviours encountered previously – perhaps simultaneous login attempts on multiple devices. Suddenly, you’ve now got fraud behavioural patterns; for example, it’s unusual for genuine consumers to copy and paste their email address or password in an authentication process.
  3. Friction free: Behavioural biometrics is passive, which means it doesn’t add friction to the user journey. Data such as typing speed and pressure when inputting a username and password are analysed in real time during an online journey, which means no extra steps are required as with physical biometrics. This makes behavioural biometrics useful at any point in the consumer’s journey, whether at the time of login or downstream when they are making purchases or payments. Therefore, rather than a customer having to complete a step-up authentication with friction, the user would be passively authenticated by simply using the service ‘as is’ today, removing the need for unnecessary friction.
  4. Robust security: While it is possible for a fraudster to steal physical biometrics for their own use, it is much harder for bad actors to replicate and mimic genuine user behaviours. The way an individual interacts with their devices online is unique, and if the behaviour doesn’t match the consumer’s usual patterns (for example typing with one finger), additional authentication methods can be introduced.
  5. Prevent the privacy tsunami: By its very nature, behavioural biometrics can be a privacy preserving, non-intrusive way to authenticate users. Using the contextual data points of a consumer’s behaviour, the data can be obfuscated thus allowing the identity of the user to be authenticated without knowing or accessing any PII data, thus preventing the privacy tsunami that is clearly just beginning.

It’s clear to see why behavioural biometrics are a better authentication method than their physical counterparts to fix digital identity. Not only is the technology easy for consumers to use, but it allows businesses and governments to balance the user experience with privacy and security. Once consumers understand that behavioural biometrics doesn’t use or store their personal data, we’ll see far less adoption hesitancy.

Written by Amir Nooriala, chief commercial officer at Callsign

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com