When was the last time you typed in your mother’s maiden name, or perhaps the name of your first pet, to prove your identity to access an online account? Probably not that long ago. This type of online identity verification, known as knowledge-based authentication, poses little more than a speed bump to the modern fraudster. More modern methods, such as SMS-based two-factor authentication, also have their own set of vulnerabilities that today's cybercriminals can exploit.
Simple social media searches can reveal the answers to the supposedly secret questions used by KBA solutions, and the 4- and 6-digit codes from SMS-based 2FA can be intercepted. Because cybercrime and the dark web have evolved and become far more sophisticated, traditional forms of authentication that were once effective can no longer reliably ensure that the person logging into an online account is the actual account owner.
Hitting the headlines
In many cases fraudsters don’t even need to comb your Facebook account or intercept your text verification code for your personal information — they often already have it. This is because of the massive data breaches you have seen hitting the headlines, which have sent millions of sets of personal data spilling into the ether. Names, usernames, passwords, telephone numbers, dates of birth and security answers — cyberspace is awash with them.
Data breaches happen on a near-daily basis and include global names like Yahoo!, Facebook, Quora, and Marriott/Starwood. One recent example is the breach that hit Fortnite, a popular online game. While it’s unclear how many users were impacted, the game has 200 million users worldwide with 80 million active on a monthly basis. These user figures alone shine a light on how severe the damage may have been, and could be in future.
Even in the GDPR era, these breaches are coming thick and fast, with 25 having already been registered in 2019 — and these are just the ones that have grabbed the headlines. It’s therefore vital that we move away from traditional identity verification methods. This is where facial biometrics need to be considered as a safe and secure alternative for accessing accounts and verifying certain transactions or activities online.
Out with the old
None of the traditional methods of identity verification come without weakness and the risks are far more widespread than you think — including methods you might have considered sophisticated not so long ago. This is indicative of the speed of tech innovation and the evolving nature of online fraud, which underlines the current lack of innovative security methods.
Password-based logins are problematic because passwords are easily forgotten and inherently insecure. Out-of-Band or SMS-based 2FA also continues to be a common form of authentication, but hackers are able to easily intercept the 4- and 6-digit SMS codes via the SS7 telecommunication protocol network, or through phishing attacks.
Token-based authentication is also failing to meet the mark as a modern form of verification. An obvious drawback is that tokens must be carried at all times and are non-transferable — a characteristic that’s outdated in today’s user experience-focused world. There is also the simple weak point that tokens or fobs can be lost or stolen, presenting a further argument for more secure methods, such as biometric authentication.
Despite this, biometrics are not necessarily a silver bullet solution. Innovative fraudsters are now capable of deploying spoofing techniques sophisticated enough to beat many kinds of biometric security once deemed robust. However, liveness detection in tandem with facial biometrics is presenting a very real solution to the problem, and with the help of Apple’s Face ID, millions of people are more familiar and comfortable with the process of using their face as a security measure.
The new dawn
The sun may be going down on the wide range of traditional verification methods that no longer cut it, but this doesn’t leave us alone in the dark. Providers of innovative identity proofing and authentication are bringing about a step change for businesses across the industrial spectrum. Using cutting-edge AI and video selfie technology, the identity of the user can be linked to the account being accessed — this is a glimpse into the future of online identity verification.
This powerful technology is available today, and it’s reliable and fast enough to eliminate variables that would once have skewed results and enabled hackers to gain access. For example, weight loss and weight gain, wearing glasses or the loss or growth of facial hair have previously been changing factors that have disrupted less sophisticated tools.
The technology’s power to restore confidence and safety and to successfully analyse variables is not its only trailblazing characteristic. It will also clear a path for innovation across a range of industries. To bring this to life, it could allow you to confirm your identity in a range of situations where necessary, from checking into a hotel room you’d booked to unlocking the keys to a car you had rented, using just your selfie. It even unlocks the possibility of doing away with passwords altogether. In terms of evolution, the process will take a few mere seconds to complete and will require nothing more than a smartphone, relegating the need to remember tens or hundreds of passwords to a thing of the past.
The vital need for this security enhancement is being realised by leading companies, from industries like financial services, healthcare, travel, entertainment and gaming. Modern businesses are understanding that in light of cybercrime, the dark web and the global nature of online fraud, they need to dispense with traditional, insecure and unreliable methods of authentication, and adopt modern biometric-based methods.
Philipp Pointner, Chief Product Officer, Jumio