Between credential dumps traded on the dark web and industrial-scale account takeover fraud, authenticating the identity of users presents an ever-evolving challenge.
On one side of the authentication challenge are users who demand speed and convenience and don’t want to have to remember numerous passwords or make their way through a complex login or verification process every time they access an app or site. But, on the other hand, security requirements are quickly evolving to demand a rigorous approach to authentication.
Traditional methods of authentication such as the good ol’ username and password, knowledge-based authentication and SMS-based two-factor authentication have fallen out of favor because they are routinely defeated by credential stuffing, phishing, social engineering and SIM swapping, all of which end in account takeover. Consequently, IT departments are exploring more robust authentication systems that mitigate the potential for theft and fraud.
The technology research firm, Gartner, defines user authentication as “the real-time corroboration (with an implied or notional confidence or level of trust) of a person’s claim to an identity previously established to enable their access to an electronic or digital asset.” Put simply, authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be.
After the customer has been vetted via a remote identity proofing methodology, that same customer usually does not need to go through the process again. Instead the customer can now use credentials (e.g., a username and password) that were set up during the account opening to access the account or perform certain actions. The verification of those credentials is what we call authentication; identity proofing establishes who the person is, authentication confirms that the same person has come back.
Traditional Authentication Methods
Since the fraud landscape is evolving quickly, IT and security teams face plenty of challenges and have had to start implementing more sophisticated ways of authenticating users. Below we discuss common authentication methods used for network security and where each one falls short.
Username and Password
Amongst today’s methods of authentication, the old-fashioned technique which requires a username and password remains the prevailing measure of securing computers, email accounts and online transactions.
Unfortunately, a password on its own is a weak factor: breached credential lists are traded on the dark web, and social engineering and phishing scams harvest fresh ones every day. Passwords are also frequently forgotten or reused across multiple online accounts, so a single breach can be replayed against every account that shares the password (credential stuffing), which magnifies the risk of account takeover.
Knowledge-Based Authentication (KBA)
KBA is based on a shared secret which is usually provided when the account is created and then presented in a future challenge/response authentication session on demand. We’re all pretty familiar with questions like: “What is your mother’s maiden name?”
Thanks to the dark web and social media, the answers to these supposed “secret” questions can be discovered with minimal effort by a determined fraudster, who can then use that information to impersonate an individual. Unlike a password, a KBA answer is also a fact about the person, so it cannot be rotated once it leaks.
Tokens
A token makes it more difficult for an attacker to access an account, since they must have both the account credentials and the tangible device itself, which is much harder to obtain remotely. Physical tokens can take many forms: a dongle, smart card, key fob or RFID chip.
Because of some of the usability challenges with hardware-based tokens, software tokens have become more popular. They are typically implemented as a smartphone app that generates time-based one-time codes from a secret shared at enrollment, or stored on a general-purpose device such as a desktop computer or laptop. The trade-off is that a software token’s secret is only as well protected as the device that holds it.
Out-of-Band Authentication
Out-of-band authentication is a term for a process where authentication requires two different signals from two different networks or channels. SMS-based out-of-band authentication is among the most popular methods in this category. With this type of authentication, a one-time security code is sent by SMS (text message) to the user, who types it back into the login form.
While this out-of-band technique is more secure than simple password authentication, NIST SP 800-63B designates SMS (and other telephone-network) delivery as a restricted authenticator because of several weaknesses: the code can be intercepted through SIM swapping or SS7 routing attacks, read by malware on the phone, or simply relayed in real time through a phishing page that asks the victim to type it in.
The Rise of Biometric Authentication
Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that they are who they claim to be. Biometric authentication technology compares a fresh biometric capture against a reference template that was captured and confirmed at enrollment.
Biometric authentication therefore works by comparing two sets of data: the reference template created by the account owner at enrollment, and the new sample captured from whoever is now presenting themselves. The important thing to note is that the two samples are never expected to be identical; lighting, pose, camera and the passage of time all vary between captures. Instead the system computes a similarity score between the two and accepts the user when that score clears a decision threshold. Setting the threshold is a trade-off: a stricter threshold lowers the false accept rate (impostors let in) and raises the false reject rate (genuine users turned away), and vice versa.
Juniper Research forecasts that biometric authentication will increase from an estimated 429 million in 2018 to over 1.5 billion in 2023. (source: Mobile Payment Security: Biometric Authentication & Tokenisation 2018-2023).
How Facial Authentication Works
There are several methods of biometric authentication, including fingerprint scanning, voice recognition and behavioral characteristics, but for the purposes of illustration, let’s focus on facial biometric authentication as it’s one of the fastest and most popular forms being used today.
Because biometric-based authentication requires some type of reference data to compare against, the process starts before the online account is even created: it starts when the user is applying for an online account. Below we outline the basic steps involved in face-based authentication.
Step 1: ID Document Capture
The process starts with the new user taking a picture of his or her government-issued ID (e.g., driver’s license, passport, etc.) with their smartphone or webcam. The ID is inspected via AI, machine learning, computer vision and human review to determine if the ID is fraudulent or authentic.
Step 2: Selfie Capture
The user is then asked to take a corroborating selfie which is then compared to the picture on the ID document to ensure that the person is who they claim to be (and not using a stolen ID).
Step 3: 3D Face Map Created
During the selfie capture process, better solutions will include a liveness check (presentation attack detection) to ensure that the online user is physically present and not a spoof such as a printed photo, a replayed video or a mask. A 3D face map contains far more data points than a 2D photo (the vendor’s figure is 100 times more), and is what allows the system to recognize the correct user’s face while concurrently verifying their human liveness. This 3D face map is then stored as the reference template and bound to the new customer during the initial enrollment process. Because a face cannot be reissued the way a password can, that stored template needs the same protection as a credential store: encrypted at rest, access-controlled, and never exposed in a reversible form.
Step 4: Online Account Created
Assuming all of these various checks pan out, plus any additional background checks performed, the vetted user will then be given account credentials, which historically has been a username and password.
Step 5: Ongoing User Authentication
When the user wants to log into their account, the user only needs to capture a new selfie; in practice this is a short capture sequence (one frame close up and one a little further away) from which a new 3D face map and a liveness result are derived. The new face map is then compared to the original 3D face map captured during enrollment, a similarity score is computed, and a match/no match decision is made against the configured threshold. This authentication process takes just seconds to complete.
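The match/no match decision in Step 5, and the “nearly identical but not exactly identical” point made earlier, come down to a similarity score and a threshold. The following added example (written for this page, not Jumio’s matching code, which is not public) makes that concrete: it assumes each face map has been reduced to a fixed-length embedding vector, as face-recognition models commonly do, scores a probe against the enrolled template with cosine similarity, and sweeps the threshold to show how the false accept rate (FAR) and false reject rate (FRR) move against each other. The embeddings are constructed synthetic data (a seeded random template with noisy “genuine” re-captures and unrelated “impostor” vectors), not real biometric data.

```python
import math
import random
from typing import List, Sequence, Tuple


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Score two embeddings; 1.0 means identical direction, ~0.0 means unrelated."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


def matches(template: Sequence[float], probe: Sequence[float], threshold: float) -> bool:
    """The match/no match decision: accept when the score clears the threshold."""
    return cosine_similarity(template, probe) >= threshold


def error_rates(template: Sequence[float], genuine: List[List[float]],
                impostors: List[List[float]], threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) at a threshold: impostors wrongly accepted, genuine users wrongly rejected."""
    false_accepts = sum(matches(template, p, threshold) for p in impostors)
    false_rejects = sum(not matches(template, p, threshold) for p in genuine)
    return false_accepts / len(impostors), false_rejects / len(genuine)


def choose_threshold(template: Sequence[float], genuine: List[List[float]],
                     impostors: List[List[float]], max_far: float = 0.001) -> Tuple[float, float]:
    """Sweep thresholds and return the loosest one whose FAR is within budget, with its FRR.

    Operators usually fix the FAR budget (how often an impostor may get in) and
    accept whatever FRR that implies, because a false accept is an account takeover.
    """
    for step in range(0, 101):
        threshold = step / 100
        far, frr = error_rates(template, genuine, impostors, threshold)
        if far <= max_far:
            return threshold, frr
    return 1.0, 1.0


def make_dataset(dim: int = 128, n_genuine: int = 200, n_impostor: int = 200,
                 seed: int = 7) -> Tuple[List[float], List[List[float]], List[List[float]]]:
    """Constructed synthetic embeddings: one enrolled template, noisy re-captures, unrelated people."""
    rng = random.Random(seed)
    template = [rng.gauss(0.0, 1.0) for _ in range(dim)]
    # genuine re-captures: the same template plus capture noise (lighting, pose, camera)
    genuine = [[x + rng.gauss(0.0, 0.35) for x in template] for _ in range(n_genuine)]
    # impostors: embeddings of unrelated faces, independent of the template
    impostors = [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_impostor)]
    return template, genuine, impostors


if __name__ == "__main__":
    template, genuine, impostors = make_dataset()
    print("best genuine score:", max(cosine_similarity(template, p) for p in genuine))
    for t in (0.2, 0.4, 0.6, 0.8, 0.95):
        far, frr = error_rates(template, genuine, impostors, t)
        print(f"threshold {t:.2f}: FAR={far:.3f} FRR={frr:.3f}")
    print("chosen threshold (FAR <= 0.1%):", choose_threshold(template, genuine, impostors))
```

Two things the synthetic data deliberately exaggerates: real genuine and impostor score distributions overlap, so a production threshold always trades some FRR for the FAR budget, and the score only says how similar two face maps are, not whether a live person produced the probe. Liveness detection is a separate check that runs before the score is trusted.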
The Advantages of Biometric Authentication
Biometric authentication enables online businesses to reliably authenticate users for regular logins, high-risk transactions and a variety of emerging use cases. Most importantly, it sharply reduces the risk of account takeover (ATO), because the login no longer hinges on a username and password that may already have been stolen; an attacker now has to defeat the liveness check and the face match as well.
Biometric, face-based authentication has a number of inherent advantages over the traditional methods of authentication:
Identity Assurance
How certain are you that the person behind the account set-up and login is who they claim to be? Many of the traditional methods of authentication (e.g., KBA, SMS-based 2FA) don’t really provide much identity assurance. Thanks to large-scale data breaches and identity theft, businesses can’t trust that someone is who they claim to be, even if they have their mailing address or possess the correct Social Security number.
Security
Face-based biometric authentication is not only far more convenient for consumers than traditional methods of online verification, but it is also much more secure when deployed properly. A face cannot be phished, guessed or reused across sites the way a password can, and a presentation attack (a photo, replayed video or mask) is what the liveness check is designed to catch. Biometric data is not unhackable, however: a stored template can be stolen like any other data, and unlike a password it cannot be rotated, so templates must be protected, ideally kept on the device in secure hardware rather than on a server, where they remain protected even if the device is stolen. Just as important, facial biometrics offers a simple one-step solution to the problem of remembering a vast array of PIN codes and passwords.
Ease of Use
Given our collective obsession with our smartphones, it’s not surprising that face-based biometrics are becoming the most popular method of authentication, thanks in large part to Apple’s Face ID. Face ID is the sole biometric on Apple’s current flagship iPhones, and the company looks set to stick with it for the foreseeable future; those flagship devices have abandoned Touch ID fingerprint authentication in favor of Face ID, an infrared, 3D face recognition system.
Fraud Detection
Biometric authentication also offers superior fraud detection because it relies on biometric data that is unique to an individual. Face-based biometrics offers the added benefit of requiring the user to capture a picture of themselves, which has a chilling effect on fraudsters, who generally prefer not to share their own likeness with the company they’re looking to defraud.
Companies that are adopting biometric authentication (and their numbers are growing) are providing stronger authentication and helping make security invisible to their customers, resulting in higher conversion rates, higher rates of fraud detection and higher customer satisfaction.
“By 2023, identity corroboration hubs will displace existing authentication platforms in over 50% of large and global enterprises.” – Gartner
Emerging Use Cases of Biometric Authentication
By adopting biometric authentication, organizations can realize new benefits and capitalize on new use cases that go well beyond authenticating users for suspicious logins.
- Secondary authentication: Instead of (or in addition to) using username and password, organizations can use the selfie as a second authentication factor.
- Authorize high-risk actions: Authenticate users prior to high-value transactions like wire transfers, online purchases or bill pay. By requiring a selfie, financial institutions and their online customers can rest assured that the request is legitimate and was authorized by the account holder.
- Unlock doors: An end user who has made a car rental reservation authenticates with a selfie to unlock the car, with no key handover required.
- Self check-in: The end-user can use his or her face for self check-in at hotels or to check in for a flight, eliminating the need to wait in long lines.
- Update user credentials: Every use case in which authentication is required — logins, forgot/reset passwords, update user credentials, etc.
- Continuous security: Regular re-authentication requested from the end user during a session, for instance to ensure that no account takeover has happened since login.
- E-learning: Universities, e-learning providers and proctoring services often need a reliable way to assure that the student taking an exam is really the individual who is expected to sit it. The end user is requested to authenticate before and even during the exam.
The Death of Passwords?
It has been clear for a while now that passwords no longer provide the user experience or security needed for consumers today. With every new data breach reported, more of our login credentials are seeping into the dark web, where they can be purchased by cybercriminals for the purposes of identity theft and account takeover.
At the same time, more and more consumers are using their mobile devices to create new online accounts and accessing those accounts and online services on the go. Given these parallel trends, it’s not surprising that biometrics is slowly starting to take the place of traditional passwords and PINs, with Apple’s Face ID paving the way. Facial recognition technology from Apple and Samsung is prompting other manufacturers to include this biometric technology in their devices. Estimates by Counterpoint Research suggest that more than one billion smartphones will have some form of a face unlock solution in 2020.
While we may be a few years away from killing the password, we’re starting to see the increased adoption of face-based authentication as a dominant way of opening our mobile devices. With biometric authentication, consumers can have greater trust that their online accounts are protected against account takeover and online fraud.
At the same time, modern businesses can better protect their ecosystems from bots, malware and cybercriminals. Businesses can also ensure that their users have been vetted and that high-risk transactions (e.g., password resets, wire transfers, etc.) have built-in safeguards.
As more of our important interactions move online, establishing trust digitally has become critical. Jumio is pioneering selfie-based authentication to allow businesses to leverage biometric user data captured during enrollment and re-verify it in the future. With our new selfie-based authentication, users are not required to repeat the identity proofing process; they just take a quick selfie, and as the digital chain of trust grows, so does the security level.
The role of biometric authentication is expanding because it provides higher levels of identity assurance, improves the customer experience and conversion rates, and better protects online accounts from identity theft and account takeover.