PaymentsJournal

Human Biometrics in Online Authentication: Risks and Options

by Robert Capps
February 23, 2016
in Industry Opinions

The password isn’t dead – it just can’t be the sole means of online user authentication anymore, as a deluge of breached data has let loose millions of login credentials onto the black market. Those stolen credentials have spawned a huge wave of account takeovers. To stop rising fraud rates, merchants and financial institutions have for the most part deployed unwieldy and consumer-unfriendly security techniques that fail to catch all the fraud that is occurring and wrongly flag good users. Companies have to move on from static, reusable data when authenticating. But how?

The search for meaningful alternatives has sparked increased interest in the use of physical biometrics for authentication. Unfortunately, the term biometrics has become an industry buzzword that encompasses a number of second-factor solutions that include everything from facial recognition, to fingerprints, iris scans, and voice – even the human heartbeat.

But what works face-to-face doesn’t always work online. When faced with an in-person security challenge, the person in question can readily and effortlessly comply. A person doesn’t keep a fingerprint on file that they then provide to a machine; the person lets the machine read their fingerprint at the security threshold. Adding a physical biometric for the online user means it’s more than just the user and a website – we need a third piece of technology to authenticate.

Before we even get into how companies cross that technological gap, we need to carefully consider the ramifications of using physical biometric technology to authenticate users in an online environment. An individual’s physical biometric characteristics are unique identifiers that cannot be changed. This makes them seem like the perfect authentication tool, but there are privacy and identity concerns if a high-quality reproduction of a biometric element were to be obtained by a malicious actor. Just this past September, 5.6 million fingerprints were stolen from the Office of Personnel Management.

Physical biometrics are unique, but are no better than adding a second, static password – one that can never be changed if compromised. Worse, as high-value transactions increasingly move to multi-factor authentication using some form of physical biometric, criminals could shift their focus to obtaining that biometric identifier by violent means. For this reason alone, many companies are steering clear of using physical biometrics.

However, there are other, non-physical biometrics that don’t pose the same risks when used to authenticate online interactions. A much less invasive, and more consumer-friendly, technique measures how a person interacts with the digital world.

Consider the way that you use your smart phone to interact with a website or application, for example. Do you realize that you have a unique way of holding your mobile device that’s different from other people, if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or thumbs to type? How hard do you press on the screen when you hit each key?

These behavioral biometrics are unique to each person. Using these subtle signals and unique signatures, organizations can easily identify when the account owner is not the one attempting to authenticate, protecting accounts during account takeovers and even when that fraud attempt is made on the user’s own computer or mobile device. When taken in aggregate, these signals are highly effective at identifying repeat good users and are tolerant of the way user behavior naturally changes over a lifetime.

While physical biometrics can be stolen, duplicated or reused, the signals that make up a behavioral biometric profile cannot, meaning they have no value to criminals. Gathering this type of data adds no friction to the user experience. Consumers do not have to do anything different in order to be verified and protected. They simply keep doing what they are used to doing: interacting with the sites and services as they always have. Over time a rich, nuanced and yet still anonymized profile develops that cannot be spoofed.

Making it harder for good users to go about their business is the wrong direction for authentication. It’s not about looking for a better password; the password is as good as it’s going to get. If real security is the goal, we need to understand the real user – not a snapshot of one point in time and not one right answer given on demand but the person that’s behind the device every day.

About Robert

As NuData Security’s Vice President of Business Development, Robert is responsible for developing and nurturing Strategic Alliances, Partnerships and Channels.
In his previous role at RedSeal as a senior director, Robert was responsible for technical, security and customer operations. He acted as a public speaker and regular subject matter expert on information security, cybercrime and intrusion/data breach response.

Prior to RedSeal, Robert was senior manager, global trust and safety at StubHub, where he cracked down on rising fraud, led the design and implementation of automated transaction risk modeling, and built a global cybercrime investigation and threat intelligence team that has successfully prosecuted cybercriminals.

Tags: Biometrics, Fraud Risk and Analytics