The dual promise of biometrics

Biometrics, once a tool that existed only in science fiction, has now achieved global reach. Adoption is prevalent and has become a customer expectation – in a recent study by Visa, more than half (53%) of customers indicated they would go so far as to switch banks if they weren’t offered convenient biometric authentication options. Their top reasons for appreciating biometrics included no longer needing to remember passwords, improved security over passwords, and no worries about forgetting or losing an authentication method.
Consumers have demonstrated that they are eager to use biometric technology to achieve stronger security and greater convenience, and that they trust the privacy and security of these tools. Biometrics give customers a sense of peace of mind, since they can’t be intercepted like a one-time passcode (OTP) or socially engineered like a password. They can’t be shared or stolen, and they’re not lost when customers need to re-authenticate on a new device, like a new phone.
In this blog, we’ll explore how biometrics help organizations balance security and user experience (UX) challenges to deliver a biometric authentication that ensures a secure and low-friction experience. We’ll also look at the innovative technologies that can help organizations deliver both security and usability in biometric implementations.
Top concerns around biometric authentication
Biometrics versus “something you know” authentication
Before discussing concerns around biometrics, it’s worth putting the methods into context. While passwords and one-time passcodes (OTPs) are the most commonly used authentication methods today, they suffer from vulnerabilities that biometric authentication has been explicitly designed to avoid. A password, for example, can be guessed, stolen, phished, socially engineered, shared, or even forgotten. This makes them only as secure as the individual holding them.
OTPs are also vulnerable. SMS codes can be intercepted through SIM swaps or man-in-the-middle attacks, and email-based OTPs can be retrieved if the inbox or a device with access to it is compromised. Both are also easy prey for social engineering techniques, as attackers can trick users into providing them via a phone call or a phishing attempt.
These methods can also be notoriously inconvenient for users. Password rules require numerous characters, symbols, numbers, and capitalization – and while this prevents password reuse, it also makes passwords difficult, if not impossible, to remember. And OTPs are seen by many users as an inconvenient extra step that unnecessarily slows down their login process.
Biometric security concerns
While biometrics are not vulnerable to attacks like the phishing and social engineering attacks discussed above, there are a few areas of concern specific to biometric security.
A primary concern with biometric authentication is the prevalence of spoofing and presentation attacks. For example, by using physical items like high-resolution photos, synthetic fingerprints, silicone masks, a device that plays a video in front of a camera, or even 3D-printed heads, attackers can attempt to bypass biometric systems through a spoofing attack. This is especially effective against less sophisticated systems or those that use partial matches, such as an on-device sensor that only requires a partial fingerprint match. Physical deception isn’t the only risk. In injection attacks, fake biometric data is introduced into the system’s input, completely bypassing the authentication hardware. The system believes it has been fed live data, even though it’s been “injected” with forged data. (Read more in our blog on biometric injection attacks.)
Secure storage of biometric data is also critical, as there is no way to truly mitigate a breach of this confidential data: biometric identifiers, unlike passwords, cannot be reset. The threat, however, is mitigated by the nature of biometric templates. They are not raw images; instead, they are a mathematical template built by extracting key features and the distances between them (for example, specific points on a face or ridges on a fingerprint). They are one-way (not reversible): they cannot be used to reconstruct a face or fingerprint that could then be spoofed. Additionally, they’re often vendor-specific, further limiting any utility they might have across systems.
User-experience concerns
Hesitancy to implement biometrics usually stems from organizations assuming that additional steps create friction for users and therefore lead to drop-offs. In reality, this perception is rooted in older approaches like active liveness checks, where a user was required to blink, turn their head, or follow other prompts. Modern approaches to liveness detection are passive, performing these checks in the background with no effort required. Biometric authentication processes deliver strong login protection without introducing friction into the user’s behavioral flow.
Another area of concern is algorithmic bias, which presents challenges both for security and user experience. Many systems have been trained predominantly on white, male faces, and may have difficulty accurately recognizing women and/or people of color. This can have a significant impact on their usefulness, as well as on how well they are trusted, even outside of the impacted population.
Fortunately, advances in biometric technology address these user experience concerns while maintaining a robust level of security.
Reducing friction with passive liveness detection
Passive liveness detection, in contrast to active liveness detection, operates behind the scenes and requires no additional user effort or interaction. Passive systems are trained to identify a multitude of elements, including lighting, shading, facial depth, and micro-movements. Once users present their faces, the check is performed automatically in the background. No effort is required by the user, making the process seamless and often undetectable.
In a recent success story from a financial institution, switching from active to passive liveness detection led to a jump in completion rates from around 60% to over 95% without increasing spoof-detection errors. Customers felt like they were taking a selfie, which most people are comfortable doing, rather than feeling forced to undertake unnatural efforts that feel like enhanced scrutiny. Overall, this resulted in higher conversions and greater revenue for the institution.
Enhancing biometric security with liveness detection
Liveness detection is the primary defense against biometric presentation and injection attacks.
Active vs. passive liveness
Active liveness is an explicit challenge/response mechanism. As we saw in the case study earlier, it requires a user to perform a specific action, like blink, turn their head, or smile. The process can detect simple spoofs, like a high-quality printout, but introduces friction into the authentication process and can be bypassed by some high-quality deepfakes, both digital and physical.
In contrast, passive liveness works without any requirement for explicit user participation. It analyzes thousands of subtle signals, which may include reflections, 3D depth of facial features, lighting irregularities, and other indicators. The technology is more robust due to its multiple layers of analysis and its ability to work consistently across devices.
Presentation and injection attacks
Liveness detection can prevent physical spoofs — like printed-out photos and 3D masks — as well as digital injections that have bypassed the biometric sensor and fed fake biometric data into the system. That said, some injection attacks can bypass liveness if the check is run on a compromised device. By combining liveness with cloud-based biometric matching, this threat is mitigated because the check is performed off the device.
Defense in depth
A layered, effective biometric solution will combine liveness detection with algorithmic matching, document verification technology, and risk-based analytics and scoring. Passive liveness filters out spoofs, and matching ensures that the face or fingerprint captured belongs to the correct person. Then, behavioral analysis monitors the overall interaction for anomalies. With this layered approach, institutions can provide a strong defense without any burden to the user.
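As an added illustration (not code from this article or from Mitek), here is a minimal decision policy in Python that evaluates the layers in the order described above: passive liveness first, then template matching, then document verification, then risk analytics, with a step-up rather than a rejection when only the risk layer is unhappy. It also reflects the earlier point that liveness evaluated only on a possibly compromised device is a weaker signal than liveness evaluated off-device. The signal names, thresholds, the feature-vector layout and the cosine-similarity match are assumptions chosen for the example; real matchers and liveness engines expose their own score formats.

```python
# Added illustration of a layered biometric decision policy.
# Example code written for this article, not Mitek's product code; the signal
# names, thresholds and the cosine-similarity match are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple
import math


class Decision(Enum):
    ACCEPT = "accept"      # all layers passed
    STEP_UP = "step_up"    # biometrics passed but risk signals call for another factor
    REJECT = "reject"      # a layer failed; fail closed


@dataclass
class Signals:
    liveness_score: float               # 0..1 passive-liveness confidence that a live subject is present
    liveness_checked_server_side: bool  # True when liveness ran off-device (cloud), not on the phone
    enrolled_template: List[float]      # feature vector stored at enrollment (constructed, not a real format)
    probe_template: List[float]         # feature vector extracted from the current capture
    document_verified: Optional[bool]   # None when no document check is part of this flow
    risk_score: float                   # 0..1 from behavioral/risk analytics; higher means riskier


def cosine_similarity(a: List[float], b: List[float]) -> float:
    """Similarity between two feature vectors; 1.0 means identical direction."""
    if len(a) != len(b):
        raise ValueError("template dimensions differ")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0  # a degenerate template never matches anything
    return dot / (norm_a * norm_b)


def decide(s: Signals, liveness_threshold: float = 0.90,
           match_threshold: float = 0.85, risk_threshold: float = 0.60) -> Tuple[Decision, str]:
    """Evaluate the layers in order and return (Decision, reason).

    Order matters: liveness runs first so a spoof is rejected before matching is
    attempted, and a strong match can never override a failed liveness check.
    """
    # Layer 1: passive liveness filters out presentation and injection attempts.
    if s.liveness_score < liveness_threshold:
        return Decision.REJECT, "liveness below threshold"

    # Layer 2: algorithmic matching ties the live capture to the enrolled identity.
    score = cosine_similarity(s.enrolled_template, s.probe_template)
    if score < match_threshold:
        return Decision.REJECT, f"match score {score:.2f} below threshold"

    # Layer 3: document verification, when the flow includes it, must have passed.
    if s.document_verified is False:
        return Decision.REJECT, "document verification failed"

    # Layer 4: risk analytics. High risk does not mean the biometric lied, so ask
    # for an additional factor instead of rejecting outright.
    if s.risk_score >= risk_threshold:
        return Decision.STEP_UP, f"risk score {s.risk_score:.2f} at or above threshold"

    # Liveness evaluated only on the device cannot be fully trusted if that device
    # may be compromised, so treat it as a weaker signal and require a second factor.
    if not s.liveness_checked_server_side:
        return Decision.STEP_UP, "liveness was evaluated on-device only"

    return Decision.ACCEPT, f"all layers passed (match {score:.2f})"


# Constructed sample signals for a normal login from a known-good capture.
GOOD_LOGIN = Signals(
    liveness_score=0.97,
    liveness_checked_server_side=True,
    enrolled_template=[0.12, 0.55, 0.31, 0.80],
    probe_template=[0.11, 0.56, 0.30, 0.79],
    document_verified=None,
    risk_score=0.10,
)

# Constructed replay: the template matches perfectly but liveness is low, so the
# policy must reject before the match score is ever consulted.
REPLAYED_CAPTURE = Signals(
    liveness_score=0.40,
    liveness_checked_server_side=True,
    enrolled_template=[0.12, 0.55, 0.31, 0.80],
    probe_template=[0.12, 0.55, 0.31, 0.80],
    document_verified=None,
    risk_score=0.10,
)

if __name__ == "__main__":
    for name, signals in (("good login", GOOD_LOGIN), ("replayed capture", REPLAYED_CAPTURE)):
        decision, reason = decide(signals)
        print(f"{name}: {decision.value} ({reason})")
```

The point of the ordering is that each layer can only make the outcome stricter: a perfect match cannot rescue a failed liveness check, and a failed document check cannot be offset by a low risk score. Thresholds are deliberately parameters, since they should be tuned against the false-accept and false-reject rates of the specific liveness engine and matcher in use rather than hard-coded.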
Cloud-based vs on-device biometric processing
Security perspective
Devices are vulnerable. Phones and laptops can be stolen, compromised (e.g., hacked or infected with malware), lost, or damaged. Because of this, cloud-based authentication is a popular option as it removes these risks from the equation. It also has numerous advantages when it comes to keeping threat detection algorithms up to date. When authentication is processed in the cloud rather than on-device, cloud providers can also deploy real-time updates across the entire network, making it easier and faster to adapt to novel fraud patterns. Additionally, cloud systems benefit from cross-platform intelligence where machine learning ensures every attempted attack improves detection algorithms for all users, not just on one device. These systems will have advanced spoof detection and injection attack detection powered by AI systems that leverage the processing power of the cloud and offer improved security over on-device solutions that can be bypassed with a PIN.
In contrast, on-device biometric systems store templates locally, which makes it possible for authentication to work offline. The tradeoff is that these systems are less adaptable to new fraud patterns. They rely on the device and/or its user to apply regular updates to software and drivers.
UX and scalability
Cloud-based biometric authentication can improve cross-device experiences by allowing users to easily authenticate across apps, devices, and geographies, consistent with how most users expect to be able to access services. The device on which they enroll is probably not the only device that they own, and they expect seamless access whether they’re on their laptop, phone, or tablet, wherever they might be at the time. Cloud processing also supports identity recovery if the device on which the user has enrolled is replaced, lost, stolen or damaged. The template resides in the cloud, so it can be used to recover their account.
Local processing often has the advantage of working more quickly as data is not being transmitted, though this is typically a matter of microseconds. It also can work offline and anywhere, making it useful, for example, if someone has taken their work laptop to a remote or secure location. The major downside is that when a device is lost, the biometric identity information is lost with it.
What’s right for you?
There is, of course, no one-size-fits-all approach to biometric authentication. Organizations must clearly assess their fraud risk, user behavior and demographics, the regulatory environment in which they operate, and the access channels they support.
For example, organizations that process high-risk transactions and have global user bases will find that cloud-based liveness detection and matching provide highly adaptive security and cross-device flexibility. For those in privacy-sensitive/classified environments or conducting offline work in remote locations, on-device storage minimizes data exposure and works without a network.
Building trust through security + seamless UX
Users expect the identity verification process to be secure and effortless, especially when biometric authentication is involved. They also place a high value on the use of biometrics as a security measure. In a recent study by Visa, convenience factors like not wanting to remember passwords only narrowly outranked the belief that biometric authentication provides better security than passwords as the top reason for wanting to use it.
To build trust in the process, institutions can take several steps:
- Combine passive liveness detection and cloud intelligence with UX best practices. Passive liveness detection ensures the process remains frictionless and effortless for the user, while maintaining strong defenses against spoofing. Cloud-based, centralized threat monitoring keeps defenses continuously updated. Both keep the user flow streamlined, for example, requiring one selfie to be taken, minimizing abandonment.
- Provide transparency about data usage. Alleviate any concerns that consumers might have about how their data is collected, stored, and deleted. A fully transparent data usage policy, including provisions for how a consumer can request the deletion of their data, addresses all of these points and boosts confidence.
- Ensure inclusivity and fairness. To address bias and ensure consistent accuracy for all customers, choose a vendor that has conducted performance testing across numerous demographics and follows standards, such as FIDO’s Face Verification Certification, which helps ensure consistent performance across all skin tones, ages, and genders.
Where security means simplicity
Biometric adoption is accelerating, and for good reason. Modern biometric solutions now deliver the rare combination of strong security and effortless user experience. No more trade-offs.
The biggest breakthroughs come from passive liveness detection and cloud-based intelligence. Passive liveness eliminates awkward gestures and boosts completion rates, while cloud-powered systems enable real-time adaptive threat monitoring and seamless cross-device authentication.
Together, these innovations prove that a layered approach to biometrics can achieve what once seemed impossible: security, privacy, inclusivity, and simplicity, all at once.
Organizations that embrace this balance don’t just cut fraud and stay compliant; they eliminate customer frustration and win their trust and loyalty in the process.
Ready to take the next step? Discover how Mitek’s proven liveness detection and biometric solutions keep your customers safe while ensuring every interaction is seamless.

About Becky Kiichle-Gross
Becky Kiichle-Gross is Principal Software Product Manager at Mitek, where she leads the development of the company’s image capture and multimodal biometric authentication solutions. Becky has a deep understanding in product development and has managed several product launches across markets including retail, healthcare, aerospace, and banking. With extensive expertise and a passion for solving customer problems, Becky is instrumental in driving innovations that help clients combat fraud and bolster trust.