Biometric Verification and Risk-Based Security Measures-An Ideal Combination?

In today's digital age, the need for secure and user-friendly authentication methods has never been more crucial. One such solution that is gaining traction is biometric verification, which is becoming an integral part of the risk-based authentication (RBA) framework.

Barclays, a pioneer in voice recognition in banking, has seen remarkable success with its voice biometrics solution. Within a year of its introduction, more than 84% of their customers were enrolled, demonstrating the growing acceptance and convenience of this technology. Modern solutions like Regula Face SDK offer instant facial recognition and prevent known presentation attacks, making them a reliable choice for security-conscious institutions.

Fingerprints, a staple in security for decades, are still widely used, particularly for local device unlocking that participates in a broader RBA scheme. They are found on billions of smartphones and many laptops, keyboards, door locks, and more. Iris scanning, known for its extremely low false match rate, is often used in border control, such as immigration kiosks.

However, biometric systems are not immune to deception. High-resolution displays and video loops can trick systems, as can 3D masks and prosthetics if depth detection is lacking. This is where RBA comes into play, dynamically adjusting its requirements based on the calculated risk of each attempt. Key factors in the risk calculation include device and network context, user behavior and history, behavioral biometrics, transaction characteristics, and user identity.

In an RBA system, biometrics are typically used as a step-up authentication method when a login attempt is deemed high risk. For instance, facial recognition is often the go-to for verifying identity in suspicious logins or transactions, as it's stronger than a PIN yet not too burdensome. Procedures like facial recognition have extremely low failure rates while still taking just a few seconds and not demanding too much of the user.

Voice biometrics excel in banking and customer service scenarios, and they are also being explored for authenticating in IoT contexts. However, voice replay and cloning can sometimes work if the system doesn't use a challenge-response mechanism. To combat this, many biometric vendors are implementing deepfake detection into their products.

AI-generated deepfakes are a disruptive threat to biometric verification, as they can impersonate individuals during a biometric check. A chilling example of this was seen in early 2024, when criminals created a deepfake of a company's CFO and other employees to trick a finance officer and steal $25 million.

Despite these challenges, the market for RBA is projected to triple, reaching an estimated $16.5 billion by 2032. Companies like DocuSign, which uses AI-driven biometric identity verification for secure document signing, and Regula, which develops forensic-grade biometric verification solutions integrated with document checks, are leading the charge. Even traditional security providers like Idemia and Sopra Steria have implemented the EU-wide Shared Biometric Matching System (sBMS) for centralized biometric matching.

In some cases, institutions may want a human in the loop for very sensitive actions if anything looks off in the biometric verification process. This human oversight ensures that even the most advanced systems have a safety net against potential errors or malicious activity.

In conclusion, biometric verification and RBA are shaping the future of security, offering reliable, non-intrusive solutions that cater to our increasingly digital lives. As technology continues to evolve, so too will the methods used to protect our digital identities.