Biometrics - The Definitive Guide to Digital Identity


Learning objectives
In this chapter, you will understand:

- What biometrics are and how they work
- The limitations and vulnerabilities implicit in biometric authentication
- The benefits of combining biometrics and digital identity in a layered approach

Throughout this guide, we have delved into what digital identity is and how it can be used to assess and authenticate identity online. But clearly, there are other forms of authentication that go beyond static credentials.

In this chapter, we will explore biometric authentication and discuss how digital identity is typically layered on top of it to deliver an optimal digital experience.

If we look at identity verification as “something you know, something you have, or something you are,” static authentication with a user ID and password (or challenge questions used for step-up) falls into the first category.

A device, potentially with a cookie or token, falls into the second category. It’s something the user possesses that is used as a proxy to identify the individual.

Fingerprint scanning is the digital version of the ink-and-paper fingerprinting process, and relies on the unique details inherent in the papillary ridges on the ends of fingers and thumbs.

Biometrics fits into the last “something you are” category. Fingerprint scanning is among the most commonly used biometric technologies, but facial recognition systems are rapidly gaining in popularity, particularly with the introduction of the latest mobile devices. Other biometric technologies include retina scans, iris recognition, finger vein ID and voice identification systems.

This report from Nok Nok Labs takes an in-depth look at privacy requirements when processing biometric data.

This document is provided under permission of Nok Nok Labs

Because they are generally easier than entering passwords and reasonably reliable, these kinds of biometrics have already found their way into banking and payment apps on mobile devices.

We will focus on device-side biometrics implementations here that are widely rolled out on consumer devices by major device makers and supported by mobile OS vendors. Server-side biometrics are most commonly used by nation-states for border control and are not attractive for commercial use because of potential privacy considerations.

Generally speaking, biometrics recognize individuals based on physical characteristics. A device measures physical attributes and converts the measurements to digital information. It then compares that information to reference data captured at some previous point in time, which is stored locally on the user’s device. A probabilistic score then determines if a suitable match exists. But, like all probabilistic matches, the technology is not perfect and presents some challenges.

Most manufacturers of biometric devices recognize their technology is not foolproof. There are even reports of inexpensive 3-D masks being used to spoof facial recognition systems. This is not something most people need to worry about, however.

What presents more of a security and fraud challenge is when biometric recognition fails or when malware is present on the device or in an app.

Facial recognition systems work with numeric codes called faceprints, which identify at least 80 nodal points on a human face.

When biometric recognition fails, the default authentication mechanism often reverts to a static passcode or password. When this happens, we are back to the familiar issues we’ve discussed throughout this guide around static identifiers.

Even more troublesome, however, are the instances where malware has compromised a device or application, and the user’s authenticated session becomes vulnerable to hacking and snooping.

For organizations deploying biometrics, the question then becomes two-fold. 1) How do we mitigate the limitations and vulnerabilities implicit in biometric authentication? 2) How do we use biometrics to deliver an optimal digital experience?

By layering digital identity on top of biometric authentication, we can address both of these issues.

As we know from Chapter 7 (Real-Time Threat Detection), digital identity detects apps that have been compromised by malware as well as devices that are vulnerable because device security has been bypassed (for example, through device rooting). This approach also enables dynamic risk-based authentication when biometrics fail. But digital identity can go a lot further.

When digital identity uses cryptographically backed integration with biometric authentication, a customer’s device can be bound to their identity. When this happens, the device becomes a very strong authenticator and can be used for strong customer authentication, as required by PSD2 (the directive from the European Union) and other open banking initiatives that support the secure exchange of digital data. There are standard protocols for this type of integration, and they are published by the Fast Identity Online (FIDO) Alliance.

According to Goode Intelligence, 3.4 billion users will have biometric authentication features on their mobile devices by 2018.

The FIDO Alliance allows for a standards-based way to deliver strong authentication. The protocols allow for the use of any authentication mechanism, ranging from tokens to biometrics. For biometrics, they permit biometric gestures on the device to be bound to cryptographic keys that, with a single implementation, can provide a “what you have and who you are”-type of assurance.

These capabilities can provide strong and simple authentication without any privacy or ease-of-use concerns at low costs on consumer-grade smartphones and PCs. These implementations can effectively prevent scalable attacks and can also defeat targeted attacks with additional measures and by working with digital identity assessment.
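The two mechanisms described above (a local probabilistic match against reference data, and a biometric gesture bound to a cryptographic key) are sketched here as an added example that is not part of the original guide or of the FIDO specifications. The class names, the cosine-similarity matcher, the 0.99 threshold and the sample vectors are assumptions, and the exchange is simplified rather than the FIDO wire protocol.

```javascript
const crypto = require("node:crypto");
// Device side: the reference template and private key never leave the device.
class Authenticator {
  constructor(reference, threshold = 0.99) { // threshold is an assumed value
    this.reference = reference;
    this.threshold = threshold;
    // P-256 key pair; only publicKey goes to the server at registration.
    Object.assign(this, crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" }));
  }
  // Probabilistic match: cosine similarity of a fresh sample to the reference.
  matchScore(sample) {
    const dot = sample.reduce((s, v, i) => s + v * this.reference[i], 0);
    const norm = (a) => Math.sqrt(a.reduce((s, v) => s + v * v, 0));
    return dot / (norm(sample) * norm(this.reference));
  }
  // The key signs only after a local match; a failed match yields no assertion.
  signChallenge(challenge, sample) {
    if (this.matchScore(sample) < this.threshold) return null;
    return crypto.sign("sha256", challenge, this.privateKey);
  }
}
// Server side: holds public keys only and issues single-use random challenges.
class RelyingParty {
  constructor() { this.keys = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // one attempt per challenge, so replays fail
    if (!challenge || !signature || !this.keys.has(user)) return false;
    return crypto.verify("sha256", challenge, this.keys.get(user), signature);
  }
}
// Constructed sample data: an enrolled template, a genuine sample, an impostor.
function demo() {
  const device = new Authenticator([0.12, 0.80, 0.33, 0.45]);
  const rp = new RelyingParty();
  rp.register("alice", device.publicKey);
  const sig = device.signChallenge(rp.newChallenge("alice"), [0.13, 0.79, 0.35, 0.44]);
  const genuine = rp.verify("alice", sig);
  rp.newChallenge("alice"); // a fresh challenge invalidates the captured signature
  const replay = rp.verify("alice", sig);
  const impostor = device.signChallenge(rp.newChallenge("alice"), [0.9, 0.1, 0.7, 0.05]);
  return { genuine, replay, impostor };
}
```

The server never sees the biometric sample or the match score; it only learns that the holder of the registered key passed the local check for this challenge.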

Beyond point-in-time identity assessment, digital identity also plays a critical role in helping companies progressively eliminate fraud from the business. Here’s how.

In practice, we know from global digital identity implementations that, on average, about 92 percent of online transactions are made by legitimate users. Digital identity makes it possible for these individuals to proceed smoothly through their transaction to service their needs securely and efficiently.

By the same measure, we know that, in practice, an average of around 2 percent of transactions are from confirmed fraudsters. There’s no business benefit in servicing these users, who represent an overall drag on the business.

It’s the remaining 6 percent of transactions, on average, that are questionable, and these soak up a disproportionate volume of resources and overhead in manual reviews. It’s relatively easy to block these users with basic rules. But this can and often does provide an alienating experience for legitimate users caught up in review simply because, for example, they are in an unfamiliar location or using a new handset.

As an enterprise platform, digital identity gives organizations a dynamic way to improve their fraud management over time and gain a better understanding of these questionable transactions.

Digital identity provides fraud managers with forensic tools and supports investigative workloads, enabling already sophisticated rule sets to more accurately discern good from bad users over time. Using machine learning, questionable transactions can be isolated at scale. Rule variations can be tested and run side-by-side with rule sets that are in production. This challenger-champion model makes identity assessment and authentication progressively more refined and acute over time.

As a result, more legitimate users flow straight through their processes with little to no interruptions while fraudsters get stopped and ultimately turn their focus to other less protected and more vulnerable targets.

Biometric authentication clearly offers convenience that some people prefer over passwords. But the technology is still evolving and is by no means a silver bullet for authentication. However, when used in conjunction with digital identity in a layered approach, it can be an effective part of a cognitive, always-on method of authentication that helps drive profitable growth and deliver an elegant digital experience.
