Biometric Verification and Risk-Based Authentication—A Perfect Match?

Risk-based authentication is a login security framework that dynamically adjusts its requirements based on the calculated risk of each attempt. If the perceived risk is low, the authentication is rather simple (perhaps just a password). But as the risk level increases, the authentication process becomes more stringent​.

Key factors in the risk calculation include:

• Device and network context: The system checks the device and network being used. A login from a trusted device and familiar network (with a known IP address and expected geolocation) is low risk, whereas an attempt from an unfamiliar device or unusual location (e.g., abroad or on a new network) raises red flags​. The time of day can also sometimes be considered—access during an odd hour or from behind an anonymizing proxy might be deemed riskier.

• User behavior and history: Risk-based authentication compares the attempt to the user’s normal behavior profile. Deviations from routine—performing actions that the user doesn’t usually do—will increase the risk score​. If necessary, the system can also factor in the history of previous security issues on the account and the sensitivity of the requested operation.

• Behavioral biometrics: The way a user types, moves the mouse, or swipes on a touchscreen can serve as a biometric signature​. If the cadence or pattern doesn’t match the usual user (e.g., drastically different typing speed), an advanced system may suspect an impostor even if the correct password was used.

• Transaction characteristics: Even after login, RBA can assess risk for specific activities. A high-value or unusual transaction will be flagged as high risk and could trigger an extra authentication step before completion​.

All these inputs are weighted and combined to produce an overall risk score; and based on that score, the system triggers various scenarios. A routine login from a known device might require only a password, but a login with multiple red flags (new device, strange location, multiple failed attempts) would result in a step-up challenge or denial of access.

The integration of biometric verification into RBA seems like a natural evolution—biometrics are tied to the user’s physical presence and are hard to steal or forge.

Biometric verification uses a person’s unique biological traits (like face, fingerprint, or voice) to verify their identity. In an RBA system, biometrics are typically used as a step-up authentication method when a login attempt is deemed high risk​. This means that for most routine, low-risk logins, users will authenticate with something simpler like a password or device token. But if the system’s risk engine flags an attempt, it will additionally prompt the user for a biometric check.

Facial recognition is commonly used on smartphones for user-unlocking, and is increasingly leveraged by web authentication via standards like WebAuthn (using the device’s face unlock). In risk-based authentication, it’s often the go-to for verifying identity in suspicious logins or transactions, because it’s stronger than a PIN yet not too burdensome. It’s also good for remote verification (e.g., digital onboarding or password resets) because nowadays a face can be captured virtually anywhere.

At the same time, face biometrics can be sensitive to the environment, as poor lighting, camera quality, or extreme pose angles can affect performance. There are also privacy concerns; some users are uncomfortable giving face data, perhaps associating it with surveillance. Additionally, the fact that people’s faces are often public (on social media, etc.) means attackers have more to work with for spoofs, which makes robust liveness detection absolutely essential.

Luckily, modern solutions like Regula Face SDK are not only capable of instant facial recognition, but also prevent all types of known presentation attacks such as the use of static face images, printed photos, video replays, video injections, or masks. They can also operate effectively in almost any lighting conditions and are compliant with data privacy laws.

Fingerprints have been used in security for decades and are great for local device unlocking that participates in a broader RBA scheme. For example, if a login is high-risk, the system might push a notification to the user’s phone and require them to scan their fingerprint on the phone to approve. This is also why fingerprints can be used on the PC without needing an actual fingerprint reader.

Modern fingerprint scanners (capacitive or ultrasonic) are fast and small, and are found on billions of smartphones and many laptops, keyboards, door locks, etc. The user experience is seamless, since just a touch on a sensor can log you in without even lighting up the screen in some cases. Fingerprints as a factor are also something users have grown accustomed to for unlocking devices and payment authorizations (Apple Pay, etc.), so user acceptance is high.

There are some considerations still, as dirty or injured fingers can cause false negatives (didn’t read properly), and some people have worn fingerprints (e.g., due to manual labor) making it harder to capture consistently. Interestingly, latent fingerprints can also be lifted from objects a person touches and used to create molds—this is a known attack which Hollywood often exaggerates but is feasible with certain materials.

Voice biometrics excel in banking and customer service scenarios, and they are also being explored for authenticating in IoT contexts (e.g., logging in to your car by voice). In risk-based authentication, voice might be used when other factors aren’t available; for instance, if a user calls support, the system may do a voice verification since it can’t perform a face or fingerprint check over the phone. For web/mobile logins, voice is less commonly used as the primary step-up, but it still could be offered as an alternative for accessibility or if camera/fingerprint are not options.

The main advantage of voice authentication is that it can be done with just a microphone, which every phone and many computers have. The voice is also a biometric that can be verified passively during a conversation, meaning it can be very non-intrusive. However, voices can vary more than fingerprints or faces due to health issues (a person with a cold might not match their normal voiceprint well). Background noise and call quality can also heavily impact accuracy, which contributes to slightly higher error rates than fingerprints or faces historically.

Additionally, the voice recognition systems of today must be advanced enough to fight off replay attacks and AI clones alike. Outside of a live conversation setting, a replay attack can be countered by a random challenge; but as for AI attacks, many systems have shown to be vulnerable at times.

There are a number of other methods that are worth mentioning, although they’re not nearly as common. They are suboptimal for general authentication due to their hardware needs, but in high-security or high-throughput environments they might be part of an RBA strategy, if necessary.

For example, iris scanning is extremely accurate and is often used in border control (e.g., immigration kiosks). It’s a bit more cumbersome, as it requires an IR camera close to the eye, but offers one of the lowest false match rates of any biometric.

Retina scans (scanning blood vessels at the back of the eye) are even more intrusive and rare outside of the military.

Palm vein scanning (infrared vein pattern in one’s hand) is also used in some products and by some businesses because it’s very secure and still contactless.

As biometric verification gets more traction, attackers respond with more sophisticated tactics to fool it. Let’s now outline the major threats and biometric authentication systems and how they impact RBA deployments:

Attackers can use a number of spoofing techniques to trick biometric systems: 

• High-res displays and video loops: An attacker who somehow gets a video of the target might use a high-resolution tablet to play it and face it toward the camera. Sometimes, they may even loop a blinking sequence to try to beat simple liveness checks. 

• 3D masks and prosthetics: On the more physical side, there have been demonstrations of hyper-realistic masks (printed in 3D from a person’s image) that can fool systems that lack depth detection. AI can aid here by generating 3D face models from 2D photos, which can then be 3D-printed. These mask attacks are not common due to the expense and the need for physical presence, but in targeted attacks, one can’t rule it out.

• Voice replay and cloning: For voice recognition, simply replaying a recorded voice clip of the victim can sometimes work if the system doesn’t use a challenge-response mechanism. Attackers can compile voice samples of a target (from YouTube, voicemail, etc.) and use AI voice cloning services to synthesize responses in the target’s voice.

Perhaps the most disruptive threat is the rise of AI-generated deepfakes—realistic fake images, videos, or voice recordings of a target individual, created to impersonate them during a biometric check. If a deepfake fools an authentication system, the attacker can log in as the victim without ever having met them or stolen any physical factor. Deepfakes also present a challenge in that they can be attempted remotely at scale—an attacker could keep trying different AI-generated variants to see what sticks.

In response to that, many biometric vendors like Regula are implementing deepfake detection into their products. Additionally, secondary confirmation can help; for very sensitive actions, some institutions may want a human in the loop (e.g., a video call with an agent) if anything looks off. 

But from an RBA perspective, the system might treat the mere possibility of a deepfake as a risk factor. For example, if the facial recognition confidence is normally 99%, but in a login it drops to 80% and the system suspects something odd about the image, it can deny access or require an alternative factor. Some banks have also started incorporating document liveness authentication alongside face biometrics, where the user must show a live ID document as well.

Your ID verification process can greatly benefit from robust software solutions that make it not only secure, but also user-friendly and compliant. For instance, face biometrics with liveness checks can be carried out by solutions like Regula Face SDK.

Our cross-platform biometric verification solution features:

• Integration with existing systems: The SDK integrates with a wide range of physical devices and mobile apps to seamlessly fit into your environment.

• Advanced facial recognition with liveness detection: The SDK uses precise facial recognition algorithms with active liveness detection to verify users, preventing spoofing through photos or videos.

• 1:1 face matching: This matches a user’s live facial image to their ID or database entry, verifying identity at a 1:1 level.

• 1:N face recognition: This scans and compares the user’s facial data against a database, identifying them from multiple entries at once (1:N).

• Face attribute evaluation: This assesses key facial attributes like age, expression, and accessories to improve accuracy and security during identity verification.

• Adaptability to various lighting conditions: Operates effectively in almost any ambient light.

• Multilingual support: Available in over 30 languages for easy localization.