The level of anonymity that the internet affords individuals is presenting an ever greater challenge to regulators, businesses and even consumers, who are increasingly becoming the target for trolling, cybercrime and identity theft. The fact is that on the Internet, nobody knows you’re a dog. And that’s exactly how criminals like it, writes Zac Cohen, pictured, COO, Trulioo, a document and personal verification product company.
The only way to tackle this is through greater transparency, with an increasing focus on identity verification. Both businesses and consumers need to be confident that the people they are communicating and transacting with online are exactly who they say they are – and not dogs, other animals or, more importantly, cybercriminals. This is true across the board – from social media networks and online marketplaces, through to online banking apps and gaming platforms.
In a dynamic online environment, identity verification needs to work quickly and seamlessly across multiple channels, and fit in with a world-class digital experience. Thankfully, identity verification strategies and technologies are evolving at pace, in line with changing consumer behaviour.
This is why biometric authentication is becoming a critical element of identity verification. It is able to uniquely identify a person by evaluating one or more distinguishing biological traits. And it is a move that is being driven by one mass market vessel – the smartphone. Data from Statista suggests that there are 3.2 billion smartphone users worldwide, which puts global smartphone penetration at around 41.5%.
While verifying a new customer during the account creation process is a mandate, businesses also need to provide a quick and intuitive experience. Consumers are increasingly intolerant of poor online account opening processes and organisations risk losing customers and revenue if they don’t get it right. However, brands that can deliver smooth, seamless and secure account creation are set up for long and fruitful relationships with customers.
Little wonder then that the selfie is coming to the fore as a simple and quick way for consumers to be able to verify the authenticity of the identity documents they have submitted. Taking selfies has become second nature to us – in fact, it is predicted that the average millennial will take 25,000 selfies during their lifetime.
Point, click, verify
Late last year it was reported that Facebook is working on facial-recognition software that would verify the identities of users trying to access the app. Just under a year ago, NatWest became the first major high street bank to enable customers to open an account with a selfie. The move eliminated the need to go into a branch, put identity documents in the post, or wait a day or two for the account-opening process to be completed. Instead, the customer uploads a selfie and photo ID such as a passport to verify who they are. Fast forward to today and it’s much more common. As an example, Monzo asks its customers to submit a short video of themselves saying “Hi, my name is [your name], and I want a Monzo account.”
Earlier this month, the Financial Conduct Authority in the UK actually advised banks to accept a selfie as a form of ID as one of the measures to help firms protect their customers during the coronavirus pandemic.
Verification, then authentication
When considering biometric-based authentication methods for compliance or fraud prevention, it’s vital to understand the various trade-offs between security, risk, accuracy, usability and cost. Achieving the level of security required for a particular use case while delivering acceptable performance for the other parameters is now regularly attainable with the current state of technology. As with any risk-based approach, it’s about determining the level of risk and matching system requirements that are appropriate to that level.
It’s also important to note that authentication comes after enrollment and identity proofing; to authenticate someone, you must have previously verified the identity of that individual, to make sure that you are dealing with a real person. There are three factors that can determine authentication, all relatively common: something the customer knows (knowledge, such as a PIN or password), something the customer has (possession, such as an identity document or a smartphone) and something the customer is (inherence, such as biometrics).
Deploying multi-factor authentication (MFA), where two of the three factors are authenticated, is sufficient to meet the highest NIST security requirements. This criterion concurs with the EU standards for Strong Customer Authentication (SCA). Of course, meeting these security standards presupposes that the factor has enough integrity and confidentiality to uniquely identify the user.
Selfies in the verification process
Fortunately, biometrics can also be used in the identity verification process. Businesses can authenticate the identity document submitted by the individual by comparing the photograph on the document with a separate picture (selfie) of the person. The person matches the identity and therefore they must be the owner of this document. As the banks cited can testify, online processes make in-person identity checks unnecessary.
Biometrics can be integrated into the identity workflow to make a robust, secure and compliant verification process. This is where and why that most modern of phenomena — the selfie — is coming into play. Using the smartphone camera to take a live picture of the user and comparing that selfie to the ID photograph can help weed out even the most sophisticated of fraudsters. For the user, the experience is straightforward: they take a picture of their ID document, take a selfie and the process is done.
While some business use cases do not require the most extreme level of security, they all must have effective security measures to ensure that the real user of the account is performing the requested actions. However, security becomes unworkable if businesses deploy systems that are onerous and time-consuming for users, as they risk customer abandonment. There has to be a balance between risk and usability, speed and security.
This is why modern smartphones are a game changer, as they have put powerful biometric technologies into the hands of billions of people. By combining possession of a smartphone (something the customer has) with a biometric (something the customer is), authentication has become scalable for general audience use cases.
If a transaction needs authentication (such as with SCA), a bank can send a notification to a secure app on a customer’s smartphone. If the notification is confirmed, that’s strong confirmation that the customer has both the device and secure access to the app. While password access to the app would also pass the MFA requirement, logging in with a thumbprint or face scan is much quicker and easier for the customer. Seamless security is the goal, and biometric authentication delivers. However, it’s crucial to ensure that the original identity is properly verified, matched against a wide range of robust identity data sources. After all, if a money launderer, fraudster or other bad actor already has an account, authentication provides no deterrent.
And this is why selfies are becoming so much more common for identity authentication. They offer another layer of security and assurance that is unique to each individual and, when combined with other forms of ID, is immensely secure. If we think the power of the selfie has been demonstrated on platforms like Instagram, it’s nothing compared to how influential it is going to be in the field of ID verification… but without the filters.