Is This the End of Image-based Authentication as a Cybersecurity Solution?

Image-based authentication has gained approval among MFA procedures, but is it effective enough when it comes to data security, protection, and accuracy? Here are some reasons for the limitations image-based identity authentication is showing, and the next step in user authentication.

User authentication is present in almost anything we do today in the online world. Accessing our phones or laptops, social media, Netflix, or even our bank accounts all requires a user authentication process. Authentication is vital for verifying a user’s identity, as it acts as the first line of defense in controlling access to valuable data. But when it comes to managing large amounts of sensitive information, banks and financial organizations lead the way.

They have implemented measures such as KYC (Know Your Customer) and AML procedures in order to fight financial crime, fraud, and money laundering, but none of them seem to be an effective response against vulnerabilities. Furthermore, image-based authentication has gained approval among multi-factor authentication procedures, but it’s starting to raise questions regarding data safety and accuracy, among others. As people go more and more digital, there is a need for more robust solutions that not only secure crucial data but are also user-friendly and trustworthy.

Data protection as a cornerstone

In this tech-dependent era, data protection is fundamental, as we are continuously sharing information online and most of our data has become digitized. Social Security numbers, medical records, credit card numbers, and even basic but still sensitive information such as names, addresses, and birthdates are shared daily. But despite being able to make purchases, pay bills, or even send money from the comfort of our own homes, the truth is that this new reality comes with several challenges, such as privacy protection and security threats.

Numbers paint a disturbing scenario. Breaches occurring using compromised credentials had an average cost of USD 4.37 million, says a report featured by the Ponemon Institute. According to Verizon, 61% of breaches involved credentials, and the use of stolen credentials was present in 25% of breaches during 2021. 

And here’s where user authentication makes its entrance. A user authentication process allows users to access their devices or accounts while blocking any unauthorized users from gaining access. User authentication guarantees that network or application access doesn’t fall into the wrong hands. That is why a race is now on to find a secure and efficient form of user authentication, as passwords on their own do not seem to be the proper response.

Passwords everywhere. But are they safe?

Haven’t you found yourself in situations where you are continuously resetting your passwords? People handle dozens of passwords but are still vulnerable to cyberattacks, hacks, or even fraud. According to a study commissioned by NordPass, an average user has 100 passwords. In addition, this number has increased in recent years, mainly because of the pandemic, as people sought out new entertainment and services online.

But passwords have not only become outdated and hard to remember. They are also not capable of verifying the user’s identity: a password does not really validate who the user is; it simply gives access to a device regardless of who is using it.

Now more than ever, user authentication is not only about giving access to a website, an app, or a laptop, as passwords do. It is about confirming, in a simple way, that users are who they say they are.

Thus, securing access is not its only goal. It must also link a specific user with a certain device or account, as happens in some institutions and financial organizations, where authentication safeguards not only accounts but also transactions. That is why tech experts are working to provide an authentication system that is easy to use and offers a safer way to repel attacks and secure data.

Could image-based authentication be the answer to cyber threats?

Given today’s challenges, image-based authentication procedures emerged as an attractive solution. This multi-factor authentication system uses images as passwords. The user submits a user ID and an image as credentials, and if the image matches the one stored in the system, the user is authenticated. It could be a selfie check against a valid ID, or a distinctive image the user associates with their own account.

Multi-factor authentication – AKA MFA – helps improve the security of authentication with additional required factors (not just a password), but what we have been seeing is that not all that glitters is gold. Despite being a multi-factor procedure, image-based authentication has proven not to be as effective as it was intended to be. Here are some of its flaws:

Registration may face problems with accuracy. Even though it is a fact that humans can remember images better than text, an image-based password is not completely secure. First, a selfie could be easily falsified, or the system may fail when matching it to the database, as happened with the IRS and its controversial use of a private ID verification service called ID.me. The company pointed out that the facial recognition technology they were using does one-to-one matching—comparing one face against a picture of that same face (from a driver’s license, for example).

What really happened is that lots of Americans went weeks without receiving their unemployment benefits because the system showed failures and inconsistencies when verifying them. Logging in and registering should both be quick and simple, since they are everyday tasks. The longer it takes for your users to log in, the more annoyed they become.

Another important issue has to do with privacy. The image-based technology used by ID.me failed to guarantee data privacy as well as transparency. Dealing with biometric data, which is highly sensitive information, calls for a technology capable of protecting and preserving the user’s privacy while making login processes easy and, above all, transparent.

  • It requires more storage space because of images. If an image-based authentication system is implemented, thousands and thousands of pictures have to be stored in a centralized database. Another issue has to do with the delay in loading or transferring images. This is more common in recognition-based techniques, in which large numbers of images are displayed for each round of verification in the authentication procedure.
  • Can be too predictable. Graphical passwords, such as a particular image the user associates with their own account or device (e.g., their pet’s face), can be really predictable. Users often choose their passwords based on personal information, which lets an attacker guess passwords by trying that personal data. As Davis, Monrose and Reiter discovered, individuals make predictable choices when selecting images for graphical authentication that uses facial images. Individuals are usually influenced by attraction, race and familiarity.
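The predictability point above can be measured when auditing a graphical-password deployment. The following is an added example, not code from the original article: it compares the entropy of the images users actually enrolled with the ideal for the portfolio size. The image IDs, selection counts and the three-attempt lockout are constructed assumptions.

```python
import math
from collections import Counter

def selection_stats(choices, portfolio_size, guesses=3):
    """Measure how predictable enrolled image choices are.

    choices        -- image ID each user picked at enrollment
    portfolio_size -- number of images the scheme offers
    guesses        -- attempts allowed before lockout (assumed policy)
    """
    n = len(choices)
    # Empirical probability of each chosen image, most popular first.
    probs = sorted((c / n for c in Counter(choices).values()), reverse=True)
    return {
        # Entropy if every image were equally likely to be chosen.
        "ideal_bits": math.log2(portfolio_size),
        # Average uncertainty of the real distribution.
        "shannon_bits": -sum(p * math.log2(p) for p in probs),
        # Worst case: strength against a guess of the most popular image.
        "min_entropy_bits": -math.log2(probs[0]),
        # Share of accounts covered by the `guesses` most popular images.
        "top_k_success": sum(probs[:guesses]),
        # The same share if users chose uniformly at random.
        "uniform_top_k": guesses / portfolio_size,
    }

def build_choices(counts):
    """Expand {image_id: times_chosen} into one entry per user."""
    return [img for img, c in counts.items() for _ in range(c)]

# Constructed enrollment data: 128 users, 8 images, choices skewed
# toward a few "attractive or familiar" images.
SKEWED = build_choices({"img0": 64, "img1": 32, "img2": 16, "img3": 8,
                        "img4": 4, "img5": 2, "img6": 1, "img7": 1})
# Constructed baseline: the same 128 users choosing evenly.
UNIFORM = build_choices({f"img{i}": 16 for i in range(8)})

if __name__ == "__main__":
    for label, data in (("skewed", SKEWED), ("uniform", UNIFORM)):
        stats = selection_stats(data, portfolio_size=8)
        print(label, {k: round(v, 3) for k, v in stats.items()})
```

A large gap between `top_k_success` and `uniform_top_k` means the lockout policy protects far fewer accounts than the portfolio size suggests.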

Spyware attack. Spyware is a kind of malware that tracks your device, enabling a hacker to obtain sensitive data, such as passwords, from the user’s computer. It works attached to your operating system. This kind of attack uses an application installed on the user’s device to record sensitive data, for example while the mouse is being used.

So image-based tools can’t do much. Numbers regarding this kind of vulnerability are shocking: studies show that 73% of U.S. citizens have fallen prey to spyware attacks in the past. This has cost the global economy nearly $113 billion and affects more than 378 million people annually.

Shoulder surfing. This happens when an unauthorized person looks over a user’s shoulder or records their login or other information by using, for example, a hidden camera. Usability and security are two important issues when talking about user authentication. These kinds of attacks mostly take place in crowded areas or where people stand behind each other.

ATMs and even laptops or smartphones are common targets of these attacks. For example, while working on your personal device in a café, you may not even notice that the person sitting next to you has a clear view of your screen. Image-based authentication provides access but does nothing against this type of threat, and this is now an issue that enterprises and organizations need to focus on. Consumers now seek not only a secure access procedure but also one that is capable of keeping their identity safe. Technology these days should guarantee that the right person is always behind the device while protecting their digital identity at the same time. This is paramount for this new reality we live in.

So, is there a simple and effective way to prevent cyber attacks?

Keeping sensitive information secure from attackers and their tactics isn’t an easy task. Threats are continuously evolving in today’s digital world, and simple authentication methods such as password-based ones don’t accomplish the task. Once a password is stolen, hackers can use the credentials to log in not only to a specific application but to business accounts, medical records, and even supply chains, just to mention a few.

To give a small example, according to a survey conducted by the UK’s National Cyber Security Center (NCSC), 23.2 million victim accounts worldwide used 123456 as their password. The danger with this is that just one account being hacked gives intruders access to someone’s entire digital life. This is where more complex multi-factor authentication methods appeared as a good solution to fight data leakage, fraud, and abuse, providing an additional layer of protection.

But not all multi-factor solutions are 100% effective. Haven’t you found yourself needing a verification PIN or code that is sent to your phone just when your battery has gone dead? Anyone who has come up against the inconvenience of being locked out of their own accounts by this method of authentication will tell you there’s a need for better solutions that focus on security without compromising usability. The key to privacy protection has to do with understanding that we can’t give users total responsibility for data control and security. So biometric privacy-first solutions are a great option, as they take the responsibility of data protection away from consumers.

Biometrics: Taking MFA one step forward

In 2018, IBM conducted a study examining consumer perspectives around digital identity and authentication, which found that people now prioritize security over convenience when logging into applications and devices. Among other things, the investigation showed that 75% of millennials are comfortable using biometrics. 

Customers demand stronger MFA protection against account takeover fraud and vulnerabilities, and the answer is already part of our cybersecurity landscape: facial biometrics.

Through the combination of facial biometrics and password, users can achieve multi-factor authentication that is robust, truly reliable, and effective against cyber threats.

Facial biometric solutions in the market focus on deployment on mobile devices, but it is time for computers to get the same treatment and improved protection. As the number one device used for working in every sector, computers are equally vulnerable to threats, and their hacking can break businesses down and destroy customers’ trust in minutes. Privacy is now an essential factor in brand loyalty, and a data breach can make consumers’ trust fade away overnight. As shown in a survey made by Bank of America, 30% of consumers said they would never return to a small business that suffered a data breach.

The answer to this clear gap in security technology is facial biometrics technology that is device-based (which allows keeping data protected from cloud hacking) and offers user authentication, security, and prevention against cyber threats that are continuous. This means not only when accessing a device but from beginning to end (unlike image-based authentication, where verification only takes place at the beginning).

This can only be achieved through video-based authentication such as the one Hummingbirds AI has created with GuacamoleID. This technology is strongly trained and adapted to the harshest environments, making it more accurate than a selfie and more resistant to any variation in the subjects or their surroundings. This is what allows for continuous face verification, turning MFA into a robust and easy-to-use technology. This is the future of authentication for enterprises: video-based, privacy-first and continuous protection after login.

Security now ranks as one of the top priorities among users when choosing a brand. It is not just about customer care anymore. People are asking businesses to do more to ensure they’re protecting their personal data. This is more important today than ever before. Organizations need to take the leading role in applying more innovative and transparent solutions that fight cybercrime in all of its forms. Enterprises must provide their consumers with more info on why they’re collecting data and how they plan to protect it.

All this must be done quickly in this changing reality we live in. Spending lots of time on this may put a company’s reputation at risk. We are facing a new opportunity to build loyalty with customers, and this has to do with ensuring a personal sense of trust with them. It is a trust they have been demanding for a long time, and it can only be achieved by combining a real-time detection and protection solution with a robust and truly reliable MFA, without setting aside the preservation of the user’s identity. Let’s start moving forward.