In the world of digital identity, there are two distinct realms — the realm of identity proofing and the realm of authentication. These realms have been separate and distinct for decades.
Companies have used a variety of identity proofing techniques to remotely establish the identities of users by requiring them to visit a local branch office in person and provide proof of address and identity. But, as more people use the internet and apps on their computers, tablets and smartphones to access banking services, financial institutions and modern enterprises are increasingly exploring online ways to “identity proof” new customers without requiring an in-person visit.
Identity Proofing Methods
Sometimes they perform searches against online financial databases and credit bureaus for an identity match based on the customer’s name, address and Social Security number. In other cases, they may use knowledge-based verification which asks the user several proofing multiple-choice questions such as “Which of the of the following ZIP codes have you resided in during the last five years?” The response to such questions is then corroborated against public records databases.
Thanks to recent, widespread data breaches, these methods are quickly falling out of favor since cybercriminals can easily purchase this information on the dark web or find the details on social media. More recently, enterprises are requiring online customers to take a picture of their government-issued ID and a selfie using their smartphone or computer’s webcam. If the ID is legitimate, the picture on the ID is then compared to the selfie to ensure that it’s the same person.
Why KYC Isn’t Enough
A Guide to Fighting Fraud and Financial Crime from Onboarding to Ongoing Monitoring
But, these same businesses then rely on a different set of authentication technologies to verify that the person behind a transaction is the same person that created the online account. It’s in these situations, when the business needs more than just a username and password — they need higher levels of online assurance to make sure that the user is who they claim to be.
These authentication methods (sometimes referred to as step-up authentication) are triggered based on risk factors, including:
- Logging in from a foreign IP address
- Password resets (in light of account takeovers)
- Large money or wire transfers
- Multiple unsuccessful logins
- Requested change on authorized permissions
- Continuous security (car rentals, online test taking, authenticating drivers of ride-sharing and delivery services)
For these types of transactions, companies use technologies like knowledge-based authentication, token-based authentication, out-of-band authentication (e.g. SMS-based two-factor authentication) and biometric authentication.
A Lack of Overlap
As you can see, there’s very little overlap between these sets of technologies
This is unfortunate.
Traditional forms of online authentication suffer on a number of fronts.
Password-Based Logins: Amongst today’s methods of authentication, the old-fashioned technique which requires a username and password remains the most popular means of accessing email, social, banking and other online accounts.
Weakness: Passwords are inherently insecure, easily forgotten, and too often shared across websites. They’re also routinely dumped on the dark web whenever there’s a large-scale data breach where they can be bought and sold for pennies by cybercriminals.
Knowledge-based Authentication (KBA): KBA verifies customers by asking them to answer specific security questions in order to provide accurate authorization for online or digital activities.
Weakness: Thanks to large-scale data breaches (e.g., Equifax, Facebook and Marriott/Starwood), the answers to these questions, in many cases, is available for sale on the dark web.
Out-of-Band Authentication: Out-of-band authentication is a term for a process where authentication requires two different signals from two different networks or channels. SMS-based two-factor authentication (2FA) is among the most popular methods in this category.
Token-Based Authentication: Tokens authenticate users on the basis that only the token assigned to the user could have generated the pseudo-random number or code response keyed in by the user. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA or mobile phone.
Weakness: Physical tokens carry additional costs, such as the cost of the token and any replacement fees and users always need to carry the token with them. Software tokens have their share of weaknesses: these one-time passwords are non-transferable, which can be problematic if a phone is lost, stolen or replaced.
Biometric Authentication: Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare biometric data captured at the time of login to confirmed authentic data stored in a database. By 2022, Gartner, Inc. predicts that 70% of organisations using biometric authentication for workforce access will implement it via smartphone apps, regardless of the endpoint device being used. In 2018, the figure was fewer than 5%.
Weakness: Cybercriminals are increasingly using spoofing attacks by using a photo, video or a different substitute for an authorized person’s face to acquire someone else’s privileges or access rights. That’s why certified liveness detection is so vital for modern biometric-based authentication solutions.
A New Paradigm for Identity Proofing & Authentication
There is a new approach being pioneered by Jumio that bridges the realms of identity proofing and authentication. This new approach starts with identity proofing where the user captures their government-issued ID and a selfie, which are then compared to each other to deliver a definitive “match” or “no match” decision. As part of the identity proofing process, certified liveness detection captures biometric data through a smartphone’s front-facing selfie camera or your computer’s webcam. Jumio creates a 3D face map of the user, which is then stored and bound to the new customer during the initial enrollment process.
Now, let’s assume authentication is now required for account access. Instead of relying on one of the aforementioned authentication methods, the user only needs to capture a new selfie.
Because a complete face map was captured when the account was created, the user just needs to take a fresh video selfie (one close up and one a little further away). This new face map is then compared to the original 3D face map captured during enrollment and a match/no match decision is made. This authentication process takes just seconds to complete, and the user does not need to be subjected to the entire identity proofing process — they just need to take a fresh selfie. That’s it.
Unlocking Digital Identity
This new combination of biometric-based identity proofing and authentication enables online businesses to authenticate users for regular logins, high-risk transactions and for a variety of emerging use cases. For example, rental car companies who have already verified their customers can now let these customers unlock the car door of their reserved vehicle with just a selfie (new 3D face map). Hotel guests could bypass long check-in lines, proceed directly to their assigned room and unlock their door just by taking a selfie. Think about sharing economy companies, such as Uber or Lyft, who may want to continuously verify their drivers to ensure that the person behind the wheel is, in fact, the same driver originally vetted with a background check.
It just makes sense to repurpose the same biometric data captured during the initial enrollment/registration process for ongoing authentication.
Looking to learn more? Check out our new Jumio Authentication 2-Minute Explainer Video.