Password-less Banking: Understanding Biometric Authentication and Liveness Detection better

Gartner expects that by 2022, 60% of major and worldwide firms, as well as 90% of mid-size businesses, will employ password-less authentication methods in more than 50% of use cases. Passwords are inconvenient, and because they can be guessed, stolen, or broken, they are riskier than other authentication mechanisms available today. Biometric authentication in banking, which uses fingerprints or facial recognition, is a far more secure method of identification. A number of biometric systems now include an additional layer of protection called liveness detection, both to improve public acceptance and support and to reduce security breaches and misidentification in banks. This aids in the fight against account takeovers and other types of fraud.

Account Takeovers

Account Takeover (ATO) fraud is becoming more and more of a problem. ATO has proved to be a major issue for both customers and merchants in the e-commerce industry. In 2019, 7,000 data breaches occurred around the world, compromising 15 billion user records. The consequences have been devastating. ATO attacks increased by 43% during the recent COVID lockdown. ATO has cost the US market USD 6.8 billion, and the costs are expected to rise since 32% of victims refuse to return to a merchant whose security has been compromised. According to IBM Security, the average cost of a data breach is USD 3.86 million. Every minute, about 28,000 bank credentials are stolen. Traditional password and authentication approaches are no longer sufficient to protect your data from ATO attacks.

Is Passwordless the Right Way to Go?

Over 80% of data breaches are the result of widespread password compromise. According to a recent Visa survey of 1,000 U.S. consumers, biometric authentication is favored over password-based verification by the vast majority of respondents. The benefits of biometric authentication that respondents most frequently mentioned were not having to memorize numerous passwords/PINs and not forgetting or losing a form of authentication. The most significant distinction of passwordless authentication is that public-key cryptography replaces shared secrets such as passwords, PINs, and OTPs. Private keys are kept in a secure enclave on your phone, and biometric technology like Face ID or Touch ID is used to unlock the credentials, which are then verified by an authentication server using public-key cryptography. The secure enclave (Apple's Secure Enclave, or ARM TrustZone on Android) is a separate, isolated processor on the device. Without the biometric that only the device owner should have, a unique Touch ID fingerprint or Face ID face, the credentials stored in the secure enclave cannot be tampered with, even if your device is stolen or infected with malware.
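
The login flow described above, as an added example that is not part of the original article: the server stores only a public key, issues a fresh challenge, and accepts a login only if the device signs that challenge. All function names are hypothetical, the key pair is generated in software to stand in for an enclave-held key, and the biometric check is simulated by a boolean.

```javascript
// Added illustration; names and storage are assumptions, not a vendor API.
const crypto = require('node:crypto');

const enrolledKeys = new Map(); // userId -> public key (all the server keeps)
const pending = new Map();      // userId -> { nonce, expires }

// Enrollment: the device creates the key pair; only the public half leaves it.
function enroll(userId) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
  enrolledKeys.set(userId, publicKey);
  return privateKey; // stands in for a key that never leaves the enclave
}

// Server: issue a random challenge that is valid once, for 60 seconds.
function issueChallenge(userId, now = Date.now()) {
  const nonce = crypto.randomBytes(32);
  pending.set(userId, { nonce, expires: now + 60000 });
  return nonce;
}

// Device: the key is usable only after the biometric match succeeds.
function deviceSign(privateKey, nonce, biometricOk) {
  if (!biometricOk) return null; // enclave refuses to sign
  return crypto.sign('sha256', nonce, privateKey);
}

// Server: check the signature over the outstanding challenge, then discard it.
function verifyLogin(userId, signature, now = Date.now()) {
  const entry = pending.get(userId);
  const publicKey = enrolledKeys.get(userId);
  pending.delete(userId); // single use: a captured signature cannot be replayed
  if (!entry || !publicKey || !signature || now > entry.expires) return false;
  return crypto.verify('sha256', entry.nonce, publicKey, signature);
}
```

Because the server holds no shared secret, a breach of its key store exposes only public keys, and a signature captured in transit is useless once its challenge has been consumed or has expired.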

Biometric Authentication is More Secure

Biometric authentication is more secure than other techniques of authentication. The ability to detect or prevent the impersonation of a living person’s biometric trait is critical to a reliable biometric authentication system. A fingerprint, “faceprint,” or any other biometric modality isn’t just another type of password or token. There’s no way to tell who’s providing a password without more investigation. You only know that the password was entered and that it matches the back-end password. A reliable biometric authentication system with effective liveness detection and anti-spoof mitigations, on the other hand, provides an extra indicator of confidence: it validates the person providing the biometric sample for verification, because the fingerprint or face is presented in real time and is linked to the in-person user.

Liveness Detection in Biometric Authentication

Liveness detection is a useful security tool that can help ensure that biological identifiers are from the identified user and not from a spoofing attempt. It is the ability of an automated system to recognize that it is interacting with a real human, rather than an inanimate spoof picture or video. Lip or eye movement, suggested motion, texture and reflection detection on video, zooming motion detection, and 3D depth analysis are all things that liveness detection looks for.

Active and Passive Liveness Detection

Passive liveness detection detects spoofs using built-in techniques that do not require any input from the user. Active liveness detection employs techniques that require the user to perform certain actions, such as blinking or moving their face. This makes spoofing the system more difficult and time-consuming for a phony user. For example, if you use facial recognition to log in to your banking app, it may use an active liveness detection system to ask you to blink as it scans your face. If the banking app uses passive liveness detection, it may scan your face for unique depth contours to ensure that a real person is there. Although liveness detection methods take a little longer to identify people, they provide an added layer of security that is well worth the wait.

Prevents Spoofing

A scammer might use spoofing attacks to impersonate someone in order to defeat biometric authentication processes. Biometric identity proofing can be used as part of an onboarding process to verify that the applicant is a genuine person, just as biometric authentication verifies that the user is the same person who initially enrolled. Using a mobile banking application to open a new account is an example. Because the applicant is unknown to the bank, liveness detection can be used to ensure that they are not attempting to open a counterfeit account.
