July 2, 2021
Biometric verification and biometric authentication both use unique physical characteristics (a biometric) to prove that a person is who they say they are securely online. But each has a different process and different use cases.
Biometric verification is the act of matching a unique biometric characteristic (i.e. a face) against a trusted identity document (such as a driver’s license). This is typically used when an individual is onboarding or enrolling for a service online for the first time.
Biometric authentication validates the unique biometric characteristic (i.e. the face) against the biometric template created during the verification process. This is used when an individual is returning to use an online service after they have onboarded or enrolled.
The best biometric solutions do more than just match biometric data: they must also ensure that the person presenting their biometric is a real person (not a photograph or video used in a presentation attack) and that they’re presenting right now (not a digitally injected attack).
Let’s take two real-world scenarios to further clarify the difference between the two…
What is biometric verification?
Scenario 1: You’re signing up remotely for a new online bank account. To onboard securely, you complete the application and are asked to verify your identity. You scan your driver’s license (or other trusted identity document) using your mobile device. You then scan your face using your device’s user-facing camera. The biometric technology matches your live face against the face on the license. In this scenario, Dynamic Liveness is needed to ensure that you are the right person and a real person, verifying in real time. The process proves that you are who you say you are – your identity is approved and the bank opens your new account. This is an example of biometric verification. Your face biometric is verified against the photo in a trusted identity document to confirm you are who you say you are.
What is biometric authentication?
Scenario 2: A week later, you want to check your bank balance online. The bank asks you to authenticate by presenting your face to the camera, which is then matched against the biometric template that you created during the onboarding process. In this scenario, biometric authentication can be delivered using liveness detection, which confirms you are the right person and a real person. If you wanted to transfer $5000 to a friend, the bank can use Genuine Presence Assurance instead of liveness for additional security. This is an example of biometric authentication. You reconfirm your face biometric against the biometric you provided during onboarding to confirm that you have the right to access the account.
Both biometric verification and authentication are integral parts of secure, convenient online security processes. The right biometric solution can help your organization to prevent fraud or other cybercrime without inconveniencing your customers.
iProov’s cloud-based facial biometric technology provides the most secure and convenient way to verify remote users (…and we explain why below!).
Why do you need biometric verification?
Biometric verification should prove three things:
- That the presented biometric data matches a trusted identity document
- That the biometric data is presented by a real person
- That the biometric data is presented in real-time
Step 1 ensures that the biometric data matches a real-world, verified identity. This usually happens by verifying the presented biometric against government records, using a trusted identity document such as a passport or driver’s license. Biometric verification is not just about two pieces of data matching each other – it must also match a government-verified identity.
Step 2 ensures that the person presenting their biometric is a real person – many solutions are caught out by attacks that use artifacts, such as masks or photographs.
Step 3 is where iProov’s Genuine Presence Assurance technology is unique. Liveness solutions cannot guarantee that the face being presented during the onboarding or authentication process is actually being presented right now. This leaves them vulnerable to digitally injected attacks, which inject media directly into the data stream and bypass the camera and other device sensors. Digitally injected attacks can use synthetic media such as deepfakes, where a fraudster creates a fake person or takes a photo of a real person and animates it. iProov’s Genuine Presence Assurance supports you across all three steps.
The onboarding of an online user is critically dependent on that person being the right person, a real person, completing the process right now – fraudsters using stolen or fake identities can do a lot of damage if they are not spotted at the onboarding stage. You can read more about the patented Flashmark technology behind this here.
Once you have all three, you can safely and securely identify users during onboarding. Biometric often verification forms a part of organizations’ regulatory processes, such as Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. These regulations set out that organizations must be able to prove that they’ve verified the identity and assessed the risks of those they’re doing business with.
Biometric verification eliminates the need for lengthy manual processes during onboarding, such as scanning and signing documents. There’s no need to travel and verify your identity in person. Biometric verification allows your users to verify their identity no matter where they are, and enables them to do it in an effortless way.
Without the security that biometric verification provides during onboarding, you leave the door open for scammers and fraudsters to abuse your online services. One 2021 report found that 1 in 7 new account creations are fraudulent, and another found identity theft in the US rose by 72% between 2018-2019.
Biometric verification safeguards against:
- Financial loss due to illegitimate or fraudulent applications
- Additional overheads due to fraudulent customers, the cost of manual verification, and becoming overwhelmed by high volumes of illegitimate applications
- Negative publicity if your onboarding process lacks security, enabling bad actors and impersonation attacks
- Financial penalties from regulators
When do you need biometric verification? (Examples):
- Opening a new bank account
- Onboarding customers or citizens remotely
- Onboarding or registering for any digital service, such as age screening
- Applying for government aid and services
- Applying for a visa
Why do you need biometric authentication?
Biometric authentication reconfirms that a person is who they claim to be every time they log in or make a transaction. This ensures that the person attempting access ( the ‘visitor’) and the person who created the account (the ‘owner’) are the same person, by matching biometric data.
iProov offers Flexible Authentication to enable organizations to apply the right level of security to each authentication, using either Liveness Assurance or Genuine Presence Assurance. If an individual wants to access their bank account to check a balance, for example, Liveness Assurance offers effortless convenience with the appropriate level of security. If the user wants to transfer $5000, then Genuine Presence Assurance delivers the additional reassurance that the request is not part of a digitally injected attack.
There are scenarios in which you can have authentication without verification: for example, Apple’s FaceID does not require you to verify your identity to set up the authentication which locks your device. But most applications require verification before authentication.
Biometric authentication is crucial because verifying a person’s identity once is not enough. You must also regularly ensure the account has not been compromised. Authentication enables you to continuously ensure that the person onboarded with your organization is the same person attempting to log in each time.
It’s like creating a password for your bank account: you enter it again every time you log in or make a large transaction. The difference is that biometric solutions, such as face verification, achieve this with greater ease for the user and stronger security.
Biometric authentication safeguards against:
- Financial loss due to identity theft and account take-over
- Loss of customer trust and negative publicity if data is accessed illegally
- Customer frustration caused by alternative authentication methods, eg passwords
When do you need biometric authentication? (Examples):
Biometric authentication is often used as a replacement for passwords, or as an additional factor as in multi-factor authentication and step-up authentication. Applications include…
- Unlocking a device, such as your phone
- Signing into a verified account, such as a bank account
- Approving a transaction, such as an Apple Pay payment or bank transfer (particularly in light of European Strong Customer Authentication regulations)
- Accessing company software applications or sensitive data, such as medical health data
- Resetting credentials and recovering accounts
To summarise:
- Both biometric verification and authentication enable organizations to confirm that an individual is who they say they are in non-face-to-face scenarios, establishing trust and security online
- Biometric verification checks an individual’s face or other biometric against a trusted government identity document and is used for onboarding and enrollment
- Biometric authentication checks that a returning user’s face or other biometric matches the biometric that was created during the verification/onboarding process.
- iProov delivers both biometric verification and biometric authentication, offering the highest levels of security and customer experience.
To see how iProov can help your business deliver verification and authentication, book your demo here or contact us.