Throughout this guide, we have delved into what digital identity is and how it can be used to assess and authenticate identity online. But clearly, there are other forms of authentication that also go beyond static credentials.
In this chapter, we will explore biometric authentication and discuss how it can be integrated with digital identity to deliver an optimal and secure digital experience.
If we look at identity verification as “something you know, something you have, or something you are,” static authentication with a user ID and password (or challenge questions used for step-ups) falls into the first category.
A device with a cookie or token falls into the second category. It’s something the user possesses that is used as a proxy to identify the individual.
Fingerprint scanning is the digital version of the ink-and-paper fingerprinting process and relies on the unique details inherent in the papillary ridges on the ends of fingers and thumbs.
Biometrics fits into the “something you are” category. Fingerprint scanning is among the most commonly used biometric technologies, and facial recognition systems are rapidly gaining in popularity as well, particularly with the introduction of the latest generation of mobile devices. Other biometric technologies include retina scans, iris recognition, finger vein ID and voice identification systems.
Because they are generally easier than entering passwords and are reasonably reliable, these kinds of biometrics have been leveraged by banking and payment apps on mobile devices.
For the purposes of this discussion, we will focus on the kinds of device-side biometrics that are widely rolled out on consumer devices by major manufacturers and supported by mobile OS vendors. In contrast, server-side biometrics are most commonly used for national border security and are not attractive for commercial use because of potential privacy concerns.
Generally speaking, device-side biometrics recognize individuals based on physical characteristics. A device measures physical attributes and converts the measurements to digital information. It then compares that information to reference data captured at some previous point in time, which is stored locally on the user’s device. A probabilistic score then determines if a suitable match exists. But, like all probabilistic matches, the technology is not perfect and presents some challenges.
Most manufacturers of biometric devices recognize the technology is not foolproof. There are even reports where inexpensive 3-D masks have been used to successfully spoof facial recognition systems. While this is something most people do not need to worry about, it’s important to reiterate that biometrics don’t verify that the physical characteristic belongs to an authorized user. Biometric authentication simply establishes whether there is a viable match between a current and a previous capture, again at the device level.
If for example, a cybercriminal compromises an account and uses a new phone to establish a biometric login, the device recognizes that individual as an authorized user.
As problematic as this is, what presents an even more pressing security and fraud challenge is when biometric recognition fails, or when malware is present on the device or in an app.
Facial recognition systems work with numeric codes called faceprints, which identify at least 80 nodal points on a human face.
When biometric recognition fails, the default authentication mechanism often reverts back to a static passcode or password as a prerequisite for login. When this happens, we are back to the same issues associated with static identifiers and account credentials that we’ve discussed throughout this guide.
Even more troublesome, however, are instances when malware has compromised a device or application, and the user’s authenticated session becomes vulnerable to hacking and snooping.
For organizations deploying biometrics, the question then becomes two-fold. 1) How do we mitigate the limitations and vulnerabilities implicit in biometric authentication? 2) How do we use biometrics securely to deliver an optimal digital experience?
By layering digital identity atop biometric authentication, it is possible to address both of these challenges effectively.
As we know from Chapter 7 (Real-Time Threat Detection), digital identity detects apps that have been compromised by malware, as well as devices that are vulnerable because device security has been bypassed (for example, through device rooting).
In Chapter 3 (Digital DNA), we also introduced the digital identity graph that maps associations between people, locations, devices, behaviors and threats. Using the graph, digital identity can depict relationships such as multiple biometrics associated with a single identity. It can also recognize devices without placing cookies, enabling inferences about the trustworthiness of an identity based on its associations—or its lack thereof. But, digital identity can go a lot further than detecting threats and device-level anomalies.
When digital identity uses cryptographically-backed integration with biometric authentication, a customer’s device can be bound to their identity. When this happens, the device becomes a very strong authenticator and can be used for strong customer authentication, like the kind required by PSD2 (the directive from the European Union) and other open banking initiatives that support the secure exchange of digital data. There are standard protocols for this type of integration, and they are published by the Fast Identity Online (FIDO) Alliance.
According to Goode Intelligence, 3.4 billion users will have biometric authentication features on their mobile devices by 2018.
These protocols allow for the standardized use of a range of authentication mechanisms, from tokens to biometrics. For biometrics, it permits biometric gestures on the device to be bound to cryptographic keys that, with a single implementation, can provide a “what you have and who you are”-type of assurance.
These capabilities can provide strong authentication, without privacy complications, at low costs on consumer-grade smartphones and PCs. These implementations can effectively prevent or defeat attacks in conjunction with digital identity assessment. Beyond point-in-time identity assessment, digital identity also plays a critical role in helping companies progressively eliminate fraud from the business. Here’s how.
In practice, we know from global digital identity implementations that, on average, about 92 percent of online transactions are made by legitimate users. Digital identity makes it possible for these individuals to proceed smoothly through their transactions, servicing their needs securely and efficiently.
By the same measure, we know that roughly 2 percent of transactions are from confirmed fraudsters. There’s no business benefit in servicing these users, who represent an overall drag on the business—so they are blocked accordingly.
It’s the remaining 6 percent of transactions, on average, that are questionable, and soak up a disproportionate amount of resources and overhead in manual reviews. It’s relatively easy to block these users with basic rules. But this can and often does provide an alienating experience for legitimate users caught up in review simply because, for example, they are in an unfamiliar location or using a new handset.
A digital identity-based approach gives organizations a dynamic way to improve their fraud management over time, while gaining a better understanding of these questionable transactions.
Using machine learning, for instance, unverified transactions can be isolated at scale. Rule variations can be tested and run side-by-side with rule sets that are in production. This challenger-champion model progressively refines identity assessment and authentication over time.
As a result, a larger number of legitimate users flow straight through their processes with little to no interruptions, while fraudsters get stopped—and ultimately turn their focus to other, more vulnerable targets.
As it stands, biometric authentication offers convenience that some people prefer over passwords. But the technology is still evolving and is by no means a silver bullet against fraud. However, when used in conjunction with digital identity in a layered approach, it can be an effective part of a cognitive, always-on method of authentication that organizations can use to drive profitable growth and deliver an elegant digital experience to users.
Next up: Synthetic ID