19 October 2021
A key question for anyone evaluating biometric technologies is: should the authentication take place on-device or in the cloud?
At iProov, we believe that cloud-based, or server-side, biometric authentication is the only option to securely authenticate users remotely. If you use iProov, you are buying a cloud-hosted solution. We use the cloud because:
In this article, we’ll discuss the advantages and applications of cloud-based versus on-device authentication.
Scenario 1, cloud-based biometrics (with iProov Genuine Presence Assurance): You need to send a large sum of money to a friend. You access your bank via your mobile device or computer. First, your bank needs to double-check that you are the genuine account holder so it can authorize the transaction. To do this, it prompts you to iProov with Genuine Presence Assurance. You present your face to the user-facing camera and a short sequence of lights illuminates your face. The imagery and the unique sequence of lights are sent to the server to be analyzed and verified against the image you provided at onboarding. This ensures you are the right person, a real person, and are authenticating right now.
The entire authentication process happens server-side, independently of the device, so the outcome does not rest on the device's own security. A device affected by malware, for example, cannot vouch for the user in place of the server; the server still has to be satisfied by the imagery and light sequence it receives.
Scenario 2, device-based biometrics: You begin the process of transferring money via your mobile device. Again, your bank needs to confirm that you are who you say you are, so you authenticate using biometrics (such as by presenting your face to the camera or fingerprint to a sensor). Only this time, the entire authentication process takes place on the device, which means it is dependent on the device being secure. If the device has been stolen or hacked, the bank or other organization would not be able to detect this and the transaction could potentially be fraudulent.
So, the former processes the authentication on a cloud server, and the latter processes it locally. The main difference is the additional security that cloud-based authentication affords over device-based authentication, but there are also many other advantages to using the cloud.
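The contrast between the two scenarios comes down to who decides. The following Python sketch is an added illustration, not iProov's code or a description of its internals: the device-side pattern hands the server a verdict computed on the device, while the cloud-side pattern has the server issue a one-time challenge (standing in for the unique light sequence), redeem it exactly once, and make the match decision itself from the capture. The embedding vectors, the similarity threshold of 0.9, the 30-second challenge lifetime and the user name "alice" are all constructed for the example.

```python
import math
import secrets

# Constructed enrolment record: a unit-length face embedding standing in for the
# template produced at onboarding (illustrative, not a real model output).
ENROLLED = {"alice": [0.6, 0.8, 0.0]}

MATCH_THRESHOLD = 0.9       # assumed similarity threshold for a match
CHALLENGE_TTL_S = 30        # assumed lifetime of one light sequence
_live_challenges = {}       # challenge -> (user, expiry); entries are removed on first use


def cosine(a, b):
    """Cosine similarity between two embeddings."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def issue_challenge(user, now):
    """Server chooses the one-time light sequence; the device cannot pick or reuse it."""
    challenge = secrets.token_hex(16)
    _live_challenges[challenge] = (user, now + CHALLENGE_TTL_S)
    return challenge


def device_asserted_login(request):
    """Device-side pattern: the server is handed a verdict computed on the device.
    Malware on the device can set this flag without any face being present."""
    return request.get("biometric_ok") is True


def server_side_verify(request, now):
    """Cloud-side pattern: the server decides from the capture and its own challenge
    record. Any 'biometric_ok' field supplied by the device is ignored."""
    entry = _live_challenges.pop(request.get("challenge"), None)
    if entry is None:
        return False                      # unknown challenge, or already redeemed (replay)
    user, expires = entry
    if now > expires or user != request.get("user"):
        return False                      # stale capture, or challenge issued to someone else
    # A real system analyses the illumination imagery itself; here the binding to the
    # light sequence is modelled by the redeemed token and the match by similarity.
    return cosine(request["embedding"], ENROLLED[user]) >= MATCH_THRESHOLD
```

A request carrying `biometric_ok: True` but no valid challenge passes the device-asserted check and fails the server-side one, and a genuine capture submitted twice is accepted only the first time, because the challenge is consumed when it is redeemed.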
Before we move on to look at the advantages of cloud in more depth, let’s consider when organizations use biometrics for online identity verification and how the cloud is used in each one:
Organizations, therefore, need to offer cloud-based authentication, as it forms an essential part of the online customer lifecycle – critical for onboarding, identity recovery and for any transactions that carry risk.
Why is cloud-based biometric authentication more secure than on-device?
On-device authentication can be trusted if, and only if, the integrity and identity of the device and its user can be trusted. If a device is compromised through malware or a digital injection attack, the user's biometric data could be extracted, or fake imagery could be substituted for the camera feed to spoof them.
This means that, for an organization, each device is a source of risk. Due to these potential insecurities, on-device biometric authentication should only be used for low-risk, everyday scenarios such as unlocking a device.
The bottom line is: with cloud-based biometrics, organizations can protect themselves against the risk of fraudulent authentications taking place on compromised devices. This is a huge advantage as cybersecurity threats evolve.
The privacy of data depends on the company collecting it and the operational environment.
For instance, at iProov we use a privacy firewall and strong encryption to safeguard the user's confidentiality. The biometric imagery is stored as an encrypted biometric template, which is referred to by an anonymous pseudonym. The pseudonym is not linked to anything that could reveal the user's identity, so a template obtained on its own cannot be tied back to a person.
This means that even if attackers manage to break into iProov's cloud-based system, they would find encrypted templates filed under pseudonyms, with no identities to steal. But if an attacker manages to break into a user's device, they have access to the user's identity: their image, their personal data, and their apps and services.
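The storage split described above can be modelled as two stores kept on opposite sides of a boundary: an identity side that knows who a customer is but holds no biometrics, and a biometric side that holds encrypted templates filed under random pseudonyms and nothing that names a person. The Python below is an added illustration of that pattern, not iProov's implementation; the two dictionaries, the process-local key, the customer identifier "cust-42" and the template bytes are all assumptions made for the example, and the HMAC-based keystream is a standard-library stand-in for a proper AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Two stores on opposite sides of the privacy boundary (modelled as dicts for the example).
identity_directory = {}   # identity side: customer_id -> pseudonym
template_store = {}       # biometric side: pseudonym -> (nonce, ciphertext)

# Assumption: the template key lives in a KMS/HSM in practice; a process-local key stands in.
TEMPLATE_KEY = secrets.token_bytes(32)


def _keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256, XORed over the data (encrypts and decrypts).
    Used only so the example runs with the standard library; it provides no integrity
    check, so a real system should use an AEAD from a vetted library instead."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


def enrol(customer_id, template):
    """File the encrypted template under a fresh random pseudonym; record the link
    between customer and pseudonym only on the identity side."""
    pseudonym = secrets.token_hex(16)
    nonce = secrets.token_bytes(12)
    template_store[pseudonym] = (nonce, _keystream_xor(TEMPLATE_KEY, nonce, template))
    identity_directory[customer_id] = pseudonym
    return pseudonym


def template_for(customer_id):
    """Verification path: cross the boundary by pseudonym, then decrypt for the matcher."""
    pseudonym = identity_directory[customer_id]
    nonce, ciphertext = template_store[pseudonym]
    return _keystream_xor(TEMPLATE_KEY, nonce, ciphertext)


def biometric_store_dump():
    """What an attacker who copied only the biometric side would obtain: pseudonyms and
    ciphertext, with neither customer identifiers nor readable templates."""
    return [(pseudonym, ciphertext) for pseudonym, (_, ciphertext) in template_store.items()]
```

The point of the split is that the dump of either store is useless without the other: the biometric side carries no identifiers, and the identity side carries no biometrics. Both stores plus the template key are needed to turn a record back into a named person's template, which is why key custody and the boundary between the two sides deserve as much attention as the encryption itself.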
Ultimately, privacy of data comes down to how it is used, the company using it, and the laws and regulations they adhere to. Cloud-based identity verification providers, such as iProov, are regularly audited and hold ISO/IEC 27001 and ISO/IEC 27701 certification, validating the security and privacy controls they apply when managing data in the cloud.
It’s easier for cloud-based applications to be deployed across a wide range of platforms and hardware. iProov technology in particular can be deployed on any device with a user-facing camera, including:
Once the user is ‘iProoved’ with a particular organization, they’re immediately able to access the service or account on any device.
With an on-device solution, a user would lose access to that organization’s online services if the device they had verified on was lost, stolen, or damaged. Identity recovery would be necessary to get them up and running again. This is because the device ID will be linked to a user’s ‘profile’, and if the device ID changes they would need to re-onboard and reverify. However, with iProov, once you’ve verified you can simply authenticate on any device, even if the original device was lost, broken or stolen.
The cloud can also enable organizations to reach the widest possible audience online. With iProov, you can ensure that users have access to your digital services even if they don’t have access to a smartphone, computer, or tablet.
iProov’s cloud-based technology can be extended to kiosks to ensure that people are not excluded from securely accessing services. These kiosks can either be offered unsupervised in shopping malls or travel hubs, or situated in banks or government offices where staff can be on-hand to offer support.
And across all of these devices, iProov ensures a consistent user interface—designed to combat selfie anxiety—to reassure customers.
iProov’s cloud-based technology also makes identity recovery simple. Data shows that people replace their phones around every three years, which means many people need to recover their identity on services or apps every year. This poses two main problems:
Because iProov authentication occurs on the cloud and not on the device, recovering identity on a new or replacement device is simple. iProov creates trust in the person holding the device rather than the device itself. All that’s needed is a brief Genuine Presence Assurance face verification on each device, rather than resubmitting all of your documentation or needing to speak to a customer service representative to prove your identity.
This also means that, if required, user journeys can be started on one channel and completed in another.
Here’s what it looks like in practice: A bank’s customer is travelling abroad and loses their mobile phone and credit cards. To access cash and arrange for replacement cards, they use a friend’s device. They authenticate themselves in the same way they would have done on their own device—an effortless biometric face scan processed on the cloud. This simple process enables the user to access the required services with a recognisable, reassuring customer experience. No biometric information is left on the shared device, reducing risk and protecting privacy.
This is why iProov is trusted by some of the world’s most demanding organizations—such as the US Department of Homeland Security, the UK Home Office, Knab, and Rabobank—to provide secure online user verification and authentication.
If you’d like to know more about how our cloud-based biometric technology can help your organization to verify and authenticate users, click here to book a demo.