Proctoring Auto-Authentication Is Not Authentication

The latest twist on virtual proctoring – a service to help online school programs protect against cheating – is “auto-authentication,” a way to take the human observation element out and leave it to computers to ensure identity. The process is designed to be cheaper than human-aided proctoring, which is typically expensive, averaging more than $20 a student per test. The problem is, it isn’t authentication. Let us explain.

Proctoring “auto-authentication” works like this. A student usually has to create a profile in advance. Then they log into a checkpoint and face various hurdles to make it into the test:

  • The student shows their ID to a webcam, where a picture is taken by the software. This could be anyone.
    • There is likely no published independent third-party testing for any comparisons on face scans
  • He or she may then answer a challenge question or two, like their city of birth or mother’s maiden name
    • The questions may come from the student themselves at initial profile setup, which is less effective than public-based questions
  • They may then be asked to type a paragraph to create a keystroke pattern/biometric
    • There is no published independent third-party testing, so false positives/negatives could negate the use of keystroke and let anybody in
  • Students can re-edit their profile anytime without any controls, so it could be anyone
  • There might be a videotape running on the webcam for further “assurance.” Is faculty supposed to review this?
  • Most have no historical reports to catch cheaters and capture patterns required by the Dept. of Education
  • Some claim they use AI and machine learning. Seriously, what is the value when they only see the student one time for the exam?

The problem is schools are being sold a feel-good system that students can drive a truck through. It doesn’t qualify as authentication.

Authentication: a system that uses unique physical characteristics to verify identity before entering an electronic system.

Meaning, if you use those unique characteristics for identification, they actually have to be checked. Verified.

Here’s why “auto-authentication” fails. That critical part of authentication does not happen:

  • There is no comparison of the student’s face picture to a database. It’s just captured information. Nobody is checking the picture. A biometric is always compared to a previous template. Verdict: FAIL
  • Keystroke analysis has been almost completely ineffective, with an accuracy rate that is 27X less accurate than gesture/signatures, and it does not meet NIST % guidelines for biometrics. Verdict: FAIL
  • The use of challenge questions. The latest IRS hacking attack made it publicly known that the criminals were able to successfully answer the challenge questions 50% of the time. Why settle for 50%? Verdict: FAIL
  • Most of these programs ask students to download software onto personal PCs. What if these computers become infected? Verdict: FAIL
  • Video still has to be actually watched by an actual person. The software just captures the video (or small segments). It can’t sit back with popcorn and watch it. Proctoring companies offload this duty onto overloaded staff that simply can’t make it through hours of video. Verdict: GOOD LUCK WITH THAT
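
The missing step named above, comparing a fresh sample to a previously enrolled template, shown as an added example (not code from the original article or from any proctoring product). The six-value timing vectors are constructed sample data, and the scaled distance and the thresholds 2.0 and 3.0 are illustrative assumptions, not a published standard.

```python
from statistics import mean, stdev

# Constructed sample data: six key hold/flight times (ms) per typing sample.
ENROLL = [[95, 140, 88, 160, 102, 130], [100, 150, 90, 155, 98, 128],
          [92, 145, 85, 165, 105, 135], [98, 138, 93, 158, 100, 126]]
GENUINE = [[97, 142, 90, 157, 103, 131], [93, 149, 86, 163, 99, 127]]
IMPOSTOR = [[130, 110, 120, 200, 80, 170], [70, 180, 60, 120, 140, 100],
            [105, 155, 97, 170, 108, 140]]

def enroll(samples):
    """Build the stored template: per-feature mean and spread."""
    cols = list(zip(*samples))
    return {"mean": [mean(c) for c in cols],
            "dev": [max(stdev(c), 1.0) for c in cols]}  # floor avoids divide-by-zero

def distance(template, sample):
    """Average per-feature deviation from the template, in units of spread."""
    return mean(abs(x - m) / d
                for x, m, d in zip(sample, template["mean"], template["dev"]))

def capture_only(sample):
    """The criticised flow: the sample is recorded but compared to nothing."""
    return True

def verify(template, sample, threshold=2.0):
    """Accept only when a fresh sample is close to the enrolled template."""
    if template is None:  # no earlier template, so nothing to verify against
        return False
    return distance(template, sample) <= threshold

def error_rates(template, genuine, impostor, threshold=2.0):
    """(false reject rate, false accept rate) over labelled test samples."""
    frr = sum(not verify(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(verify(template, s, threshold) for s in impostor) / len(impostor)
    return frr, far

if __name__ == "__main__":
    t = enroll(ENROLL)
    print("capture-only accepts impostor:", capture_only(IMPOSTOR[0]))
    print("verify accepts impostor:", verify(t, IMPOSTOR[0]))
    print("FRR/FAR at 2.0:", error_rates(t, GENUINE, IMPOSTOR))
    print("FRR/FAR at 3.0:", error_rates(t, GENUINE, IMPOSTOR, 3.0))
```

On this constructed data, loosening the threshold from 2.0 to 3.0 admits one of the three impostor samples, which is why measured false accept and false reject rates matter when judging a keystroke check.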

But it’s something, right? Here’s how this can be defeated by enterprising students:

  • A ringer uses a fake ID with the right name
  • Test takers can intercept the video feed to project a modified or replaced scene, use pre-recorded video, tape the test material directly behind the computer screen or otherwise simply wear sunglasses
  • Keystroke analysis is not compared to a previous sample; it’s just captured information
  • The facial “recognition” is not compared to a previous sample; it’s just captured information

Why schools should be very, very leery of this:

  • If facial information is hacked, students face a huge risk of identity theft by picture for the rest of their lives
  • Biometric laws are popping up in states with fines of up to $25,000 per violation. What if you lost the information of just 100 students?
  • Auto-authentication companies don’t reveal how they secure this information, how long they keep it, or how it is destroyed
  • Proctoring companies are not security companies
  • Schools STILL have to invest staff time to watch the actual video

So what have you really gained?

  • You’ve taken on liability
  • You’re paying more than ordinary proctoring
  • It doesn’t satisfy the rules of authentication
  • Staff has to watch those videos
  • A premium solution may cost upwards of $32 per student and they’re not fond of you passing on that cost

Is there a deterrent effect?

  • Probably for honest students. But cheaters and frauds will always try to game the system. They’re the ones you have to worry about
  • There are already directions to beat these systems online. Here and here. And here

If you’re looking for auto-authentication, get the real thing. Get a non-invasive biometric. Get an affordable biometric. Check out BioSig-ID. Make students happy. Deliver yourself from risk.