2 December 2021
Blink. Nod. Look left, look right. Read the following sentence aloud…
Sound familiar? If you’ve ever set up facial verification on a new smartphone or downloaded a new app, those instructions may well be recognizable. While some may consider these a minor inconvenience, these actions form part of an authentication process that is actually far more damaging than you might think.
As more people need to use digital services—expedited by the pandemic—and biometric verification becomes increasingly mainstream, this ‘active’ authentication scenario could be preventing people from accessing important applications and information.
Passive authentication, on the other hand, enables people to quickly and easily authenticate themselves online with public and private sector organizations. iProov’s technology delivers a truly passive authentication experience and is helping onboard and authenticate users without cognitive overload.
So what is passive authentication and why is it so important for verifying the identity of individuals online?
Passive and active authentication are defined industry terms. According to iBeta and as referenced in the global industry standard ISO 30107-1, an ‘active’ authentication scenario is one which elicits a voluntary response from the user, such as a movement, smile or blink as part of the authentication process. In a ‘passive’ authentication scenario, the user is not required to perform any actions.
If you’ve ever set up face verification on a new smartphone, you will remember being asked to move your head in different directions, read something aloud or use your eyes to follow moving dots on a screen. That is active authentication. Active authentication follows a challenge-response format, prompting you to do something.
With passive authentication, a user does not have to do anything. They are not asked to follow any complicated instructions or move themselves or their device—they simply look at the camera on the device and the authentication takes place.
Biometric verification technologies are increasingly being used to provide users of all ages and abilities with secure access to online services. Government and public service applications must be inclusive to the largest possible audience, while in the commercial world building a system that excludes people limits the reach and success of that system.
Every additional request during authentication, however minor, risks excluding people. Consider the challenge that lifting and moving a device around may pose to someone with reduced mobility, or the limitations posed by being asked to read from a screen if you have poor eyesight or reading ability. These instructions create cognitive overload by giving the user too much to consider, and can result in the authentication either being abandoned or failing. This means frustration for the user and lower adoption of the service.
From a security perspective, active authentication also creates more risk. Asking a user to complete an action means that the action they complete is repeatable. Even if it is repeatable only a limited number of times, this ‘repeatable’ nature makes it vulnerable to reverse engineering. In passive biometrics, the security mechanisms are ‘hidden’, so it’s far harder for criminals to create an attack that would trick a system. As fraud attacks continue to rise and become more sophisticated, mitigating these reverse engineering risks has never been more important.
iProov’s technology delivers a truly passive authentication experience. A user is asked to iProov themselves during an online onboarding or authentication process with a government department, bank or other business. The user simply positions their face in front of the camera on their mobile device or computer and a short biometric face scan is completed. There are no complicated instructions to follow, making it effortless for the user. And because the authentication processes are hidden, the system is more challenging for criminals to attack.
Liveness detection solutions provide checks that help verify if a remote user is real and alive rather than, say, a photo being presented to a camera. Liveness detection is ideal for when the risk profile of the transaction is lower—for example, if someone is logging in to their bank account online to check their balance. The lower risk profile means that passive authentication is very important—the user will not want to follow instructions simply to check how much money they have.
Some liveness solutions, like iProov’s Liveness Assurance, deliver passive authentication. Others are active and require the user to move themselves or their device or read out words or numbers. Some liveness solutions use actions such as eye movement, which may be unprompted and unknown to the user. However, these are still more vulnerable to attack than a passive solution.
It’s important to note that not all liveness solutions are equal. Generally, liveness solutions offer protection against known attacks, such as presentation attacks, but they cannot verify that the remote person is present in real time, nor can they react and respond to new and emerging threats.
Therefore, although some liveness solutions may offer a passive user experience, they do not provide the security that can be found in the passive authentication delivered by Genuine Presence Assurance.
iProov’s Genuine Presence Assurance (GPA) is an industry-leading passive authentication solution that offers greater security than liveness detection. GPA uses iProov’s Flashmark technology—a one-time sequence of colors that illuminates the user’s face during verification or authentication. This light sequence confirms a user is the right person, a real person and that they are authenticating right now. It is also equipped to respond to scalable, digitally injected attacks and unknown threats.
Genuine Presence Assurance offers a reassuring ceremony to the user. Authentication processes that are too quick or invisible can make us feel unsure of the security levels—especially if the speed of the process doesn’t align with the sensitivity or importance of the scenario, such as when we are making a sizable transfer of funds online. The brief light sequence offers reassurance that additional security is taking place, without creating the unnecessary friction of requesting us to complete other actions.
Improving security often comes at the cost of the user experience—and vice versa—but truly passive authentication demonstrates why this needn’t be the case. Biometric verification and authentication are already bringing huge benefits to consumers all over the world in numerous applications. As technologies like facial verification continue to be rolled out more widely, it is imperative that organizations implement passive authentication experiences that champion truly accessible, inclusive biometric authentication.