Are you who you say you are? Effectively answering this question is the purview of authentication, and it is becoming increasingly important as an additional layer of identity proofing and fraud reduction. Biometric authentication — uniquely identifying a person by evaluating one or more distinguishing biological traits — is being driven forward by smartphone adoption rates that include the technology.
Think of a biometric and there’s often a technology for it:
- Hand geometry
- Gait (analysis of how people walk)
- Keyboard dynamics
When considering implementing biometric authentication procedures in your compliance and/or fraud prevention workflow, it’s vital to understand the various trade-offs between security, risk, accuracy, usability and cost. Achieving the level of security required for your particular use case while delivering acceptable performance for the other parameters is now regularly attainable with the current state of technology.
As with any risk-based approach, it’s about determining the level of risk and matching system requirements that are appropriate to that level. The National Institute of Standards and Technology (NIST) Digital Identity Guidelines provide a valuable framework to understand various risk levels. While the use case is for U.S. federal information systems, the “guidelines provide mitigations to the vulnerabilities inherent online.”
Verification, then authentication
It’s important to note that authentication comes after enrollment and identity proofing; to authenticate someone, you must have previously verified the identity of that person.
Authentication connects the user wanting to use the account to the previously verified identity. There are three factors that can determine authentication:
- Something the customer knows (knowledge, such as a password)
- Something the customer has (possession, such as a card or phone)
- Something the customer is (inherence, such as biometrics)
Deploying multi-factor authentication (MFA), where two of the three factors are authenticated, is sufficient to meet the highest NIST security requirements. This criterion concurs with the EU standards for Strong Customer Authentication (SCA). Of course, meeting these security standards presupposes that each factor has enough integrity and confidentiality to uniquely identify the user.
Is the level of assurance provided by the authentication process high enough to meet your risk mitigation requirements? And, from a practical point of view, is the authentication process deployable, usable and cost effective enough to meet business goals?
Practical level of security
In contrast to the military, high-value research labs and other highly sensitive locations, many business use cases do not need the most extreme level of security. Yes, they require effective security measures to ensure that the real user of the account is performing the requested actions, but they can’t deploy systems that are onerous and time-consuming for users or they risk customer abandonment. They need to balance risk and usability, speed and security.
This is why modern smartphones are a game changer, as they have put powerful biometric technologies into the hands of billions of people. By combining possession of a smartphone (something the customer has) with a biometric (something the customer is), authentication has become scalable for general audience use cases.
Now, if a transaction needs authentication (such as with SCA), a bank can send a notification to a secure app on a customer’s smartphone. If the notification is confirmed, that’s strong confirmation that the customer has both the device and secure access to the app. While password access to the app would also pass the MFA requirement, logging in with a thumbprint or face scan is much quicker and easier for the customer. Seamless security is the goal, and biometric authentication delivers.
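The notification-and-confirm flow described above, as an added worked example that is not part of the original article or of any vendor's product: the bank's server issues a challenge bound to the specific transaction; the app releases a confirmation tag only after the local biometric unlock succeeds, computing it with a per-device secret that is assumed to have been provisioned into the app at enrollment (an HMAC is used here so the demo runs with the standard library alone; deployments commonly use device-bound asymmetric keys instead); the server checks the tag, rejects replays and late approvals, and refuses an approval computed over altered transaction details. The device name, key and payment values are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple


def canonical(challenge: dict) -> bytes:
    """Serialize the challenge deterministically so both sides authenticate the same bytes."""
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


class AuthServer:
    """Bank side: issues transaction-bound challenges and verifies app confirmations."""

    def __init__(self) -> None:
        self.device_keys: Dict[str, bytes] = {}            # device_id -> secret shared at enrollment
        self.pending: Dict[str, Tuple[dict, float]] = {}   # challenge_id -> (challenge, expires_at)

    def enroll_device(self, device_id: str, key: bytes) -> None:
        # Done once, after identity proofing; authentication only links back to that verified identity.
        self.device_keys[device_id] = key

    def issue_challenge(self, device_id: str, transaction: dict, now: float, ttl: float = 120.0) -> dict:
        """Build the payload pushed to the app. It names the transaction, so an approval
        cannot be transplanted onto a different payment."""
        if device_id not in self.device_keys:
            raise KeyError("device not enrolled")
        challenge = {
            "challenge_id": secrets.token_hex(16),
            "device_id": device_id,
            "transaction": transaction,
        }
        self.pending[challenge["challenge_id"]] = (challenge, now + ttl)
        return challenge

    def verify_confirmation(self, challenge_id: str, tag: Optional[str], now: float) -> Tuple[bool, str]:
        entry = self.pending.get(challenge_id)
        if entry is None:
            return False, "unknown or already used challenge"
        challenge, expires_at = entry
        if now > expires_at:
            del self.pending[challenge_id]
            return False, "challenge expired"
        if tag is None:
            return False, "no confirmation received"
        key = self.device_keys[challenge["device_id"]]
        # Recompute over the server's own copy of the challenge: a tag computed by the
        # app over altered transaction details can never match.
        expected = hmac.new(key, canonical(challenge), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad confirmation tag"
        del self.pending[challenge_id]   # single use: replaying the same tag fails the lookup above
        return True, "approved"


def app_confirm(device_key: bytes, challenge: dict, biometric_unlock_ok: bool) -> Optional[str]:
    """App side. The tag is produced only after the local biometric unlock succeeds, so a
    valid tag shows possession of the enrolled device (the key never leaves it) and that
    whoever held it passed the inherence check."""
    if not biometric_unlock_ok:
        return None
    return hmac.new(device_key, canonical(challenge), hashlib.sha256).hexdigest()


def demo() -> List[Tuple[bool, str]]:
    server = AuthServer()
    key = secrets.token_bytes(32)   # constructed: provisioned into the app at enrollment
    server.enroll_device("phone-A", key)
    payment = {"payee": "ACME Ltd", "amount": "250.00", "currency": "EUR"}  # constructed

    results = []
    ch = server.issue_challenge("phone-A", payment, now=1000.0)
    tag = app_confirm(key, ch, biometric_unlock_ok=True)
    results.append(server.verify_confirmation(ch["challenge_id"], tag, now=1010.0))   # approved
    results.append(server.verify_confirmation(ch["challenge_id"], tag, now=1011.0))   # replay rejected

    # The app approves a different amount than the server asked about.
    ch2 = server.issue_challenge("phone-A", payment, now=2000.0)
    altered = dict(ch2, transaction=dict(payment, amount="2500.00"))
    results.append(server.verify_confirmation(ch2["challenge_id"], app_confirm(key, altered, True), now=2005.0))

    # The customer never completes the biometric unlock, so no tag exists.
    ch3 = server.issue_challenge("phone-A", payment, now=3000.0)
    results.append((app_confirm(key, ch3, biometric_unlock_ok=False) is None, "no tag without unlock"))

    # A genuine approval that arrives after the window has closed.
    results.append(server.verify_confirmation(ch3["challenge_id"], app_confirm(key, ch3, True), now=3200.0))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

Binding the challenge to the transaction details is what turns a simple "tap to approve" into evidence about this payment rather than a generic yes; the single-use table and the expiry window are what keep a captured approval from being reused later.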
Again, though, it’s crucial to ensure that the original identity is properly verified. After all, if a money launderer, fraudster or other bad actor already has an account, authentication provides no deterrent.
Biometrics in the verification process
Fortunately, biometrics can also be used in the identity verification process. Actually, biometrics was the first form of identity verification, as recognizing a face was how people initially “verified” someone. With the introduction of ID documents, comparing the ID photograph with the person was the accepted method of identity verification.
Now, online processes make in-person identity checks unnecessary. ID document verification uses scans of traditional identity documents, such as a driver’s license or passport, to ascertain if the document is authentic, legitimate and hasn’t been forged or altered in any way.
However, even if the document is real, it doesn’t guarantee that it is possessed by the real owner. That’s why analyzing the information on the document — not just the document itself — is an important contributor to overall identity security.
Additionally, biometrics can be integrated into the identity workflow to make a robust, secure and compliant verification process. This is where that most modern of phenomena — the selfie — comes into play. Using the smartphone camera to take a live picture of the user and comparing that selfie to the ID photograph can help weed out even the most sophisticated of fraudsters.
For the user, the experience is straightforward: they take a picture of their ID document, take a selfie, and the process is done.
For the company, the entire workflow is automated. Checking the ID document, checking the ID information and checking the selfie are all done on the back end, using sophisticated AI, API and big data technology.
Using state-of-the-art identity verification and biometric authentication technology and processes is a tipping point when it comes to doing business online. Delivering a quick and seamless experience for the user, while delivering compliance and security for the provider, is a combination that brings in more online customers in a manner that satisfies all requirements.