Verification, authentication, recognition: Deciphering biometric terms

Biometric technology can offer consumers convenient, robust security. According to research from YouGov, 52% of consumers across 18 markets use a form of biometric security on some or all of their devices. Venues like stadiums, airports and even U.S. Customs and Border Protection have also adopted biometric security measures. 

With biometric security increasing, terms like verification, authentication and recognition are often used interchangeably and sometimes mistakenly. In fact, they have different definitions and uses, and this confusion often causes privacy concerns. 

Most of those concerns stem from the use of facial biometric recognition to identify people, usually in surveillance scenarios. It is imperative that people understand the difference between face recognition for identification and surveillance and face verification and face authentication for online security that’s intended to keep users safe. 

Online face verification and face authentication are used to prevent fraud, identity theft and other cybercrime. First, the user self-identifies in some other way. Then they use their face to confirm that identification. In such cases, the user is aware that face verification or authentication is happening, they get a direct benefit from it, and their privacy is protected.

By contrast, when face recognition is used to identify a person, they don’t always know it’s happening, they don’t get a direct benefit from it, and privacy is not always protected. 

To better understand the benefits of biometric technology, let’s differentiate the three most-used terms and clear up unnecessary confusion, specifically where it concerns face biometrics.

Face verification

Face verification can enable a live physical person to confirm their identity online in a way that is both highly secure and easy to use. In this process, a user will be aware that this is happening and an active participant, with the benefit of privacy protection. 

Face verification matches their unique biometric characteristic against a trusted document, such as a driver’s license or other government-issued identification. The software that performs this assessment is only looking to match the picture in the document to the human face presented; it doesn’t need to collect a name, let alone any other personal identifiable information (PII) like addresses, financial information or a social security number.

Online face verification is typically used for onboarding an individual when they are enrolling in a new service digitally. It is typically much faster, more convenient and more secure than paper-based, video-call-based, or even in-person interview methods. A 2014 study by Australia’s University of New South Wales showed that even experienced passport control officers allowed imposters to pass in 14% of cases. Modern face-matching technology is hundreds of times more accurate than this, so there is less risk and there are fewer mistakes, yet it can be carried out on citizens’ own phones, at home, and only takes a few seconds.

This can include a high level of privacy — if there is no user benefit in retaining the facial imagery, it can be deleted as soon as all security checks have been completed. Also, normally no human even looks at the user’s face during the process, further enhancing privacy.

The right biometric solution can help prevent fraud — according to a recent report from Arkose Labs, 25% of new account registrations are fake — and other cybercrime without inconveniencing users. The rise of digital injection attacks and deepfakes have created a demand for more robust security measures that can confirm users are who they say they are, establishing trust and security for online applications.

Face authentication

Subsequently, biometric authentication validates a face against the trusted image supplied during the verification process, such as when the individual returns to log in to an existing account.

Like face verification, face authentication provides a user with secure access to an online service. It can, for example, be used in financial applications for transacting large sums of money or other potentially high-risk transactions.

Face authentication can be done with flexibility, enabling different levels of security to be applied according to the risk of the transaction. For example, if a user is authenticating to check a bank balance online, the risk is low and the face authentication process can be unobtrusive and unexacting. But if that user wants to transfer $2,000 out of their account, the face authentication process can be used to reassure the user that the process is truly protected and deliver a very high level of security to mitigate the increasing risk of criminal activity.

Biometric face authentication can be used as part of multifactor authentication (MFA). MFA asks an online user to provide more than one verification “factor” when they want to access a secure service online. For example, a password (“something you know”) might be followed by face authentication (“something you are”). Devices (“something you have”) will increasingly play an important role in these processes. MFA is increasingly essential — the Cybersecurity and Infrastructure Security Agency asserts that MFA “can make you up to 99% less likely to get hacked.” 

Biometric technology is a particularly convenient and secure “factor.” Biometric tech can’t be lost, stolen, or shared in the same way a password or device can be lost, stolen or shared. It can be copied, but modern technology provides powerful and effective tools to spot and block the use of such copies. No one will ever need to reset their face because it will never leave their possession.

Face authentication relies on a stored “biometric template” of the user, usually created during verification for enrollment. It’s a digital description of a face, not an image of the user, and it’s almost impossible to reconstruct the face of the user from it, so it’s great for user privacy.

Face recognition for surveillance

Another term often linked with biometrics is face recognition. This is normally used when biometric technology is used to identify a person rather than confirming the identity they have chosen to assert. In this case, the face recognizer picks the subject’s face out of a huge library of faces with names, such as a watchlist. Unlike in the other two cases, a person typically doesn’t know face recognition is happening when it’s used for surveillance by stores, police departments and schools. You can’t opt out of face recognition for surveillance, and there is no direct personal benefit to you. It raises many issues in addition to privacy, such as questions of civil rights, accuracy and bias.

Where biometric technology is going

Biometrics will become more important for online security as we move towards a passwordless future. Half of data breaches stem from credential abuse, according to Verizon’s 2022 Data Breach Investigations Report. Biometrics can make a dramatic difference in helping organizations to securely verify online user identity, protect accounts from the moment of creation, and then provide secure authentication to prevent account takeover and other fraud, protecting their users and consumers.

Consumers want and need to be protected from the ever-increasing levels of identity theft and other cybercrime. But they don’t want online security to be complex and frustrating or to damage their privacy. Biometric verification and authentication offer security, convenience and privacy. Precision in our use of the different terms involved will be increasingly important to ensure the public gets the full benefit of these technologies while their vital interests in privacy are appropriately protected. 

Andrew Bud, is founder and CEO at iProov.