It’s tax season, and we can’t help but think back to last year, when the IRS announced they would no longer force the use of ID.me’s facial recognition system for identity verification. The announcement came after weeks of backlash and concern from privacy watchdogs about the collection of sensitive biometric data.
Critics complained that making taxpayers submit facial scans to a third-party service to access essential government documents and services constituted an invasive violation of consumer privacy. We have to agree, and in fact we’re big believers in behavioral biometrics as a much better solution – more on that later. First, let’s dig into the issues.
For the IRS, the issue centered around the need to ensure taxpayers can securely access and monitor their accounts. Tax returns are a frequent target of fraudsters and scammers, who often use tax information to steal people’s identities or claim to represent the agency in the collection of fake debts. Billions of dollars are lost to these types of fraud every year, especially during tax season.
Privacy advocates emerged victorious in the latest battle between privacy and security, but the case offers a unique opportunity for reflection. When is it appropriate to collect sensitive biometric data? Are there alternatives to collecting physical biometric data that governments and the private sector should consider when balancing the need to protect consumers and their privacy?
Today, it’s clear that purely knowledge-based systems of identity verification, such as passwords or answers to security questions, are no longer sufficient. It’s too easy for cybercriminals to steal or cheat their way into getting this information. Organizations have a legitimate need to authenticate users by other means.
The Downsides to Facial Recognition
Facial ID systems are great for convenience – which is why billions of people around the world now use facial recognition, particularly to access their smartphones.
However, many remain divided on the technology and its applications. A Pew study found 46% of Americans say widespread use of facial recognition technology by police would be a good idea for society. Yet, the same survey also found that 57% of Americans oppose social media sites using facial recognition to automatically identify people in photos.
Facial recognition can also be inaccurate – easily tricked with masks and 3D renderings. The technology isn’t without bias either, since it tends to recognize men better than women and white people better than other ethnic groups. The controversy over facial recognition has even led some states to ban the use of certain forms of facial recognition by law enforcement.
As society grapples with how to use facial recognition technology, organizations can (and should) adopt alternative forms of identification to enhance security without jeopardizing privacy. These technologies don’t rely solely on knowledge-based verification or physical biometric data, and often result in a better user experience.
Behavioral Biometrics vs. Physical Biometrics
For organizations looking for a more privacy-focused alternative to facial ID, behavioral biometrics offer very clear advantages. Unlike physical biometrics, such as fingerprints or facial scans, behavioral biometrics deal with characteristics unique to each person’s actions in the digital world. And there are any number of behavioral biometric parameters that sophisticated software systems can use to detect if someone is who they say they are. For example, various behavioral biometric verification systems may include:
- Mouse activity
- Keystroke movement
- Touchscreen behavior
- Device movement
Because behavioral biometrics use first-party data to track abnormalities from expected behavior, they’re considered a frictionless solution. Legitimate users don’t have to do anything they don’t already do when interacting online. Even before users provide their login credentials, the system constantly authenticates them by comparing their behavior with that of known fraudsters and identifying suspicious activity. The more first-party data collected, the more effective behavioral biometrics are in preventing and detecting fraudulent activity – even when a fraudster is posing as a legitimate customer and has knowledge of the person’s ID, password, account number, and more.
Behavioral biometrics aren't a total replacement for physical biometrics, of course. They won’t replace your phone’s Face ID or fingerprint scanner any time soon. Most often, they’re an excellent complement to existing knowledge-based systems of identity verification. But for organizations sensitive to the collection of facial IDs and other controversial physical biometric data – and that need to better authenticate users to cut down on fraud and scams – first-party behavioral biometrics offer a more privacy-safe alternative to identity verification.