Is Behavioral Biometrics the Answer for Digital Identity Crisis?

essidsolutions

Biometrics are paving the way for an identity-centric culture, but these solutions also tend to collect more personally identifiable information (PII), such as fingerprints, voice, or facial scans, than enterprises can and should hold. Though the use of biometrics is gaining traction to fight fraud, it also adds to the risk of collecting sensitive data, sparking widespread privacy and ethical concerns, writes Incognia’s CEO André Ferraz. In this post, Ferraz outlines the difference between physical and behavioral biometrics and why the latter, more dynamic and unique to each user, provides a means for continuous and secure authentication.

Biometrics has recently been promoted as “the answer” to digital identification and authentication for fraud prevention. Given the loopholes in a password-only approach, the idea of using a fingerprint, selfie, or voice to authenticate does have its appeal. However, despite enthusiasm for these new biometric forms of identification and authentication, some sobering issues are emerging relating to security, privacy, and bias, which are forcing the industry to identify more precisely the types of applications suited to biometrics.

Biometrics refers to the physical characteristics unique to each person. Perhaps the most widely known form of biometrics is fingerprints. While traditionally fingerprints were captured on ink pads, today digital systems can capture and match fingerprints online. On mobile devices and laptops, fingerprint readers are now a common biometric login feature. Similarly, facial and voice recognition systems can now digitally capture and match people’s faces and voices. 

These biometric systems are being used for a variety of purposes, most notably identification and authentication for fraud prevention. However, with increasingly powerful AI, these types of systems are starting to touch on important issues related to security, privacy and bias.


The Problem with Static Biometrics

The biggest security issue with biometric systems used for identification and authentication arises when they rely on static biometric information. This is the type of system often shown in spy movies when an iris or fingerprint is needed to access a vault, and typically the spy has access to a stolen or copied fingerprint or iris of an authorized user. And here lies the problem with static biometric information: once someone has access to this information, they have the ability to impersonate that user and access the user’s account. Biometrics once stolen are useless as an authentication method, and unfortunately, each person only has one set of biometrics.

To counteract this weakness, there are new techniques being developed and deployed to make biometric information more dynamic and harder to fake. One example of this is liveness detection for facial recognition in which movement is added to the data to make it more challenging for someone to mimic another user’s biometric data to access an account. However, at the same time, we see deep fake technology created to emulate or recreate videos with other people’s faces. 

With facial biometrics that can be easily faked, their use for identification and authentication opens the door for possible abuse for discrimination on race, gender and age. Not only can facial recognition be used to confirm if it is you logging in, but it also could be used to classify “you” based on race, gender, and/or age, and create a short-cut for determining classifications that are illegal in many circumstances.


Behavioral Biometrics for Continuous User Authentication

The world of biometric identification, particularly facial recognition, has recently been marred by controversy regarding privacy rights and bias issues related to AI models. This has led to notable announcements from companies like IBM and Microsoft that they will limit the scope of their biometric research and applications. In particular with facial recognition, there is a growing concern in the industry that there is no practical way to reach a bias-free facial recognition system and the realization that identification technologies should be abstracted from personally identifiable information that could form the basis for bias.

Are people going to be imprisoned based on a facial recognition system and what that face recognition system is saying? What if it’s wrong? What if it’s biased? The reality is that facial recognition can never be bias-free. The use of AI-based facial recognition is fraught with the opportunity for bias. For facial recognition to be bias-free, it would require a perfectly created training data set, one that perfectly represents the distribution of the population and makes it possible to train the system on all of the different possible combinations. The problem is that it is impossible to verify if you have the perfect data set.

As the issues with biometric systems are becoming more evident, there is growing interest in the use of behavioral biometrics to counteract some of the identified weaknesses. Behavioral biometrics are also unique to each user but represent unique behavior characteristics versus physical characteristics. One of the key differentiators is that behavioral biometrics are dynamic and based on behavior history, which means that the behavior patterns are constantly changing and therefore, extremely difficult to predict, mimic or forge. This creates a moving target for fraudsters. Unlike static biometrics such as fingerprints that can be stolen then used to access a user’s accounts, a stolen behavioral biometric becomes outdated after a short period of time as new behavior is added to the unique signature.


Future of Identity is Behavioral 

There are many types of behavioral biometrics currently in use for detecting anomalies on web applications, including characteristics such as typing speed and patterns, and mouse movements. With the move to mobile, location has emerged as the strongest behavioral biometric signal for users. Most users carry their mobile devices with them at all times, in a pocket or in a purse, and when not moving, they place their mobile device next to them when they work, eat and sleep. As a result, a mobile user’s movements create a unique location fingerprint. The mobile device and each user’s unique location fingerprint become a private token for identification and authentication.

As we move into the era of ubiquitous computing where we are surrounded by digital devices, we will increasingly need a private, frictionless method for identification and authentication. Using our behavior to uniquely identify and authenticate ourselves offers a future where we can effortlessly interact with devices without doing anything other than being ourselves.
