December 21 2022
Have you ever unlocked your mobile device using your face or fingerprint? If so, you’ve used physiological biometrics.
On the other hand, it’s possible that you’ve encountered behavioral biometrics without ever knowing – your keystroke activity could be logged on certain online accounts, for example.
By definition, biometrics is the measurement and comparison of data from an individual’s unique characteristics and traits. These unique characteristics can be used to identify and authenticate people either in-person or online.
There are many different themes and categorizations that fall under biometrics – you can dive into our Biometric Encyclopedia for more on that. But here, we’re focussing on the differences between physiological and behavioral biometrics and how they can be used specifically in the context of online security.
In this article, we will…
Physiological biometrics refers to the analysis of the physical characteristics of a person – such as a face, fingerprint, palm, or iris.
Generally, these traits are static – the body ages, but your palm vein lines will not change pattern. The overall shape and characteristics of your face will generally not change to an unrecognizable degree.
These physical traits can then be used to identify, verify, or authenticate that person online. For example, using your face to sign into an online banking portal.
There are other applications of physiological biometrics – for example, physical access control or face recognition (usually CCTV). You can learn more about the differences between face verification and face recognition here.
Examples of physiological biometrics may include:
Physiological features are ideal for the verification and authentication of human beings. This is why they’ve become essential for initial user onboarding and ongoing authentication in today’s digital-first world.
Traditionally, passwords have been used for authentication – but they are no longer fit for purpose as they’re not secure and cause significant friction for the user. Some physiological biometrics may offer a secure and user-friendly alternative, delivering significant benefits to organizations and users alike.
Usually, a physiological biometric system will work through two processes: enrollment with biometric template capture, followed by subsequent authentication. A system will take an initial sample of biometric data and then store it as a template in order to verify that the right person is accessing an online service when they return.
iProov favors face biometrics for the authentication and verification of users. There are a variety of reasons, but first and foremost because the face can be matched against a trusted government-issued identity document during onboarding – this provides a trusted reference image from a legally-endorsed authority to verify against. Read more about the advantages of face biometrics here.
Behavioral biometrics is the practice of identifying and measuring patterns in human activity – such as a person’s keystroke or mouse activity. This is usually a background security measure employed by organizations, which is why you may have never directly observed it happening.
Generally, behavioral biometric methods analyze the digital and cognitive patterns of a person’s activity when they are using a digital platform. A behavioral biometric system will analyze the movement and determine with a given probability whether the person interacting with the platform is the same person who set the baseline movement behavior and patterns.
If a person’s patterns and behaviors do not match what is expected, this could indicate fraudulent behavior. The system could then invoke step-up authentication or temporarily suspend the account until the threat is addressed.
Examples of behavioral biometrics may include:
Behavioral biometrics are useful for monitoring the activity of existing users or accounts to differentiate between genuine and fraudulent activity – because legitimate customers and fraudsters usually interact with digital platforms in different ways. Where you might enter information one key at a time, criminals are more likely to copy and paste their way through an online form.
Behavioral biometrics are generally most useful for detecting fraud during active logged-in sessions. This way, behavioral biometrics can play a role in preventing threats such as account takeover fraud or detecting social engineering scams and money laundering attempts by tracking anomalies in behavior.
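The baseline comparison and step-up decision described above, together with the copy-and-paste signal, shown as an added example (not iProov's or any vendor's code). The feature names, thresholds, and session data are constructed assumptions, and a mean z-score stands in for the probability a production system would compute.

```python
import statistics

FEATURES = ("flight_ms", "dwell_ms", "paste_ratio")
# Floors on the standard deviation so a near-constant baseline feature
# (e.g. a user who never pastes) does not yield unbounded z-scores.
MIN_STD = {"flight_ms": 5.0, "dwell_ms": 5.0, "paste_ratio": 0.05}
STEP_UP_AT = 3.0   # hypothetical threshold: ask for stronger authentication
SUSPEND_AT = 6.0   # hypothetical threshold: suspend the session

# Constructed enrollment data for one account: mean gap between key presses,
# mean key hold time, and share of form fields filled by paste.
BASELINE_SESSIONS = [
    {"flight_ms": 180.0, "dwell_ms": 95.0, "paste_ratio": 0.0},
    {"flight_ms": 190.0, "dwell_ms": 100.0, "paste_ratio": 0.0},
    {"flight_ms": 170.0, "dwell_ms": 90.0, "paste_ratio": 0.1},
    {"flight_ms": 185.0, "dwell_ms": 98.0, "paste_ratio": 0.0},
    {"flight_ms": 175.0, "dwell_ms": 92.0, "paste_ratio": 0.0},
]

def build_profile(sessions):
    """Return {feature: (mean, std)} for the account's baseline."""
    profile = {}
    for name in FEATURES:
        values = [s[name] for s in sessions]
        std = max(statistics.stdev(values), MIN_STD[name])
        profile[name] = (statistics.mean(values), std)
    return profile

def anomaly_score(profile, session):
    """Mean absolute z-score of the session against the baseline."""
    zs = [abs(session[n] - mean) / std for n, (mean, std) in profile.items()]
    return sum(zs) / len(zs)

def decide(profile, session):
    """Map the score to the responses the text names."""
    score = anomaly_score(profile, session)
    if score >= SUSPEND_AT:
        return "suspend"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"

PROFILE = build_profile(BASELINE_SESSIONS)
# Constructed live sessions: the owner, the owner on unfamiliar hardware,
# and a session that pastes its way through the form.
OWNER = {"flight_ms": 178.0, "dwell_ms": 97.0, "paste_ratio": 0.0}
UNUSUAL = {"flight_ms": 210.0, "dwell_ms": 112.0, "paste_ratio": 0.2}
PASTED = {"flight_ms": 60.0, "dwell_ms": 70.0, "paste_ratio": 0.9}
```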
Behavioral biometrics are less useful for the initial enrollment of users because you cannot verify someone’s behavior against a government-issued trusted identity document in order to verify that they are who they say they are. Your keystroke behavior is not on your passport, but your face is. This is where certain types of physiological biometrics become indispensable.
Two primary differences:
Other key differences may include…
However, it’s unwise to make sweeping generalizations at this level, as within each category there are many options with endless variations between vendors and technologies.
Ultimately, physiological and behavioral biometrics each have their own advantages and are generally better suited to specific use cases and scenarios. Physiological and behavioral biometrics are not mutually exclusive and can be combined as part of a wider, layered fraud management system in order to prevent fraud.
Let’s consider two real-world scenarios of where each could be used to prevent fraud:
An example of physiological biometrics preventing fraud: A fraudster has successfully stolen a person’s login details online – perhaps through social engineering or a data breach. They use credential stuffing attacks to enter the person’s password across a number of online accounts. Some accounts are cracked instantly without the need for further verification. But luckily, the bank that this person is with has implemented iProov’s Genuine Presence Assurance. This means that even a username and password are not enough to gain entry: a brief facial scan is required from the user. Now, the fraudster is thwarted: even if they had imagery of the defrauded person’s face, iProov’s Genuine Presence Assurance technology would detect that the real individual was not present and the access request would be rejected. This means the funds in their bank account are safe.
An example of behavioral biometrics preventing fraud: A fraudster has lifted a number of knowledge-based login credentials from a data breach – usernames, emails, passwords, and so on. They use these details in a credential stuffing attack and gain unauthorized access to a bank account. In this scenario, the bank has a behavioral biometric system installed. The system notes that the user session has been copying and pasting information into forms rather than entering it manually, and notes that the click paths and keystrokes do not align with the normal behavior of that account. When the fraudster goes to make a money transfer on the account, it is blocked by the behavioral biometric security system.
iProov actively champions face biometrics – a type of physiological biometrics – as the ultimate way to authenticate and verify people remotely.
This is primarily because the right physiological biometric solution can tie someone’s biometric marker (i.e. their face) to a trusted identity document (such as a passport) in order to securely establish identity and provide the highest level of assurance that someone is who they say they are. Physiological characteristics are you: unlike passwords, faces are all about liveness of a human being – not secrecy.
Our position is that assuring the genuineness of users when they create an account and each time they undertake a risk-based activity on that account is the best way to ensure security.
How does it work?
It’s fast, effortless, and reassuring for the user. iProov’s Genuine Presence Assurance safeguards the world’s most security-conscious organizations around the globe for verification and authentication. Some examples include:
If you’d like to see the benefits of using face authentication to secure and streamline user authentication for your organization, book your demo here. You can read up further on our customers and case studies here.
Or, want to brush up on your biometric knowledge? Visit our Biometric Encyclopedia!