Forbes Technology Council | COUNCIL POST REPRINT
As enterprises look to improve the user experience in all customer touch points, many are incorporating biometrics into customer authentication — one of the most annoying parts of any customer interaction.
Facial biometrics has emerged as a popular biometric for a number of reasons. The user experience is familiar, similar to taking a selfie, and cameras on mobile devices provide ubiquitous accessibility. Furthermore, facial recognition works. According to tests conducted by the National Institute of Standards and Technology (NIST) of 127 software algorithms, facial recognition failed just 0.2% of the time.
Yet while the use of facial recognition is increasing, even the most advanced systems face determined fraudsters looking to exploit vulnerabilities. Face recognition algorithms verify a match, but they do not differentiate a “live” face from a nonlive face. This does not matter in a supervised area where a retail salesperson is monitoring self-serve kiosks. However, for remotely setting up a new account on a mobile device or authenticating existing users, this poses a significant risk.
Fraudsters deploy a clever array of impersonation tools to exploit facial recognition algorithms that look only for matching features, and these impersonation tools will continue to become more sophisticated as facial recognition technology becomes more common. The facial biometric industry refers to these fraudster tricks as presentation attacks, or more commonly, spoofing.
Some presentation attacks include:
- Photo or video attack: Fraudsters gain access to a photo or video through a simple Google search or an individual’s social media account.
- Synthetic video or deepfake: Fraudsters take either a photo or video and, through editing with animation software, create a realistic version of the individual talking and nodding their head.
- Model or 3-D mask: Fraudsters invest in three-dimensional masks or custom-created models that mimic an individual’s physical likeness.
Enter Facial Liveness
While facial recognition answers whether the person is the right person, facial liveness detection answers whether the person is a live person. Liveness detection confirms the presence of a user’s identification credentials and that the user is physically present, whether on a mobile phone, a computer or tablet or on any camera-enabled device.
Two key methods of integrating facial liveness are available: active and passive.
Active facial liveness is the most common option deployed in today’s biometric systems. With it, users are issued a challenge like turning their head, blinking or smiling, and the system waits as they complete the task. Sometimes, the system randomizes these tasks to protect against a synthesized video of a user performing the requested actions.
However, there’s a possibility that active liveness could add confusion to the user’s experience rather than eliminate it. Part of this stems from the fact that because active liveness applications can require a variety of different functions to complete, no common industry standard exists among them. Without a common standard, companies risk adding an unfamiliar and clunky step — unnatural friction that frustrates users and leads to increased abandonment, especially for new customers who don’t understand why these steps are necessary. Clearly communicating why these actions are required will go far in mitigating any disruption users experience due to active facial liveness.
The other option for liveness detection is passive liveness detection, which requires no additional effort from the user. Instead of requiring a specific step at each login (blinking, smiling, turning your head), passive liveness is invisible to potential fraudsters and provides no way to study the user’s actions to create video replays for AI modeling attacks.
Ironically, the lack of friction in the login process could create customer uncertainty surrounding the implementation of passive facial liveness detection and biometric authentication. Passwords and the friction they add have been central to authentication since the advent of the internet. Users may be unsure about transitioning away from known processes and may be reluctant to adopt new systems. Biometric systems are designed to be less visible, and the fact that passive liveness requires no additional effort may paradoxically make some users wary.
Enterprises should explain how passive liveness adds security — even though users won’t see it happening — and offer FAQs that reassure users on how biometric authentication works. Businesses should consider integrating an ever-present icon that indicates a user has been positively verified and the interaction is secure, similar to how the “s” in “https://” gives users instant confirmation that a transaction is secure when web-browsing.
Whether active or passive, a key consideration for businesses in regard to authentication is the quality of the customer experience and how best to support overall usability. Recent research from PYMNTS.com’s Checkout Conversion Index underscores the high cost of friction—almost 70% of carts are abandoned, resulting in nearly $260 billion in lost revenues. Experian found one-third of consumers would conduct more transactions online if there were fewer security hurdles.
Users consistently rate an enhanced user experience as a primary reason for their interest in biometrics, and firms should evaluate liveness detection on its ability to keep customers safe and satisfied.
Biometric adoption is increasing rapidly. Frost & Sullivan found that rising demand among consumers for a better balance of convenience and security will drive the North American biometrics industry to $11.1 billion by 2023. Facial recognition will continue to improve as machine learning and artificial intelligence reduce error rates and increase biometric matching speed.
However, businesses need to recognize that all biometric modalities should have additional security layers. Bad actors looking to bypass onboarding, KYC or authentication procedures are constantly looking for security vulnerabilities to exploit, and liveness detection or antispoofing solutions are necessary to make biometrics as secure as they can be.
Before implementing a new biometric system, I believe you should evaluate your current UX to see where your current customer pain points exist during authentication. Next, determine whether biometric modes can benefit the UX, and if so, explore the different modalities to find the most seamless integration. Lastly, add liveness protection — active or passive — to ensure your business is prepared not just for the fraud of today, but to prevent the AI-based fraud of tomorrow.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.