If the identity management system is broken, it’s not for lack of vendors offering solutions.
Banks have been on a mission to find the right technology to verify mobile and online customers in a way that is highly secure, yet “frictionless” (quick and painless for the consumer). Many banks have rolled out voice, fingerprint, iris, and facial recognition software during the past year. Time will tell whether any of these prove to be the answer. But solutions are needed more than ever, given the rise of mobile banking and the amount of personally identifiable information that’s been stolen or is openly available on the Internet for fraudsters.
Presentations by authentication software vendors dominated the first day of the Finovate Fall conference in New York on Wednesday. Their different approaches show how unsettled this market still is, and how individual methods of verifying identity have their strengths and weaknesses.
Fingerprints: Many banks, including JPMorgan Chase, USAA and Citizens Bank, have begun letting mobile banking users log in using the fingerprint recognition technology Apple, Samsung and others have built into their smartphones. Deployments keep coming — Bank of America just announced its support for Apple’s TouchID on Tuesday.
But fingerprints have their vulnerabilities – stolen prints can be used with fake fingers.
“The iPhone fingerprint system can be defeated with a Gummy Bear,” said Sunil Madhu, CEO of Socure.
And fraudsters have been able to tie stolen identities to their own biometrics. They steal bank customers’ identity information (data breaches make this data readily available), buy a new iPhone, and call their bank to authorize the loading of the stolen identity onto the new device.
“Now I’ve got your identity in my digital wallet and my iPhone, and I have NFC to walk around town, buying all sorts of stuff on my digital wallet getting charged to your credit card,” Madhu said. (Socure’s technology uses a combination of facial recognition, device identity, geographic location, and social network data to authenticate users.)
Behavior patterns: BehavioSec showed software that monitors how users type, how long they hold down a key, and how hard they press to create a digital fingerprint.
Behavior pattern software is often greeted with skepticism – if you’re sick, drunk, tired, angry, in a hurry, cold, or on a train, wouldn’t such conditions affect the way you touch your phone?
Olov Renberg, co-founder of BehavioSec, said his company’s software would work in many stressful scenarios.
“If you saw me on stage, you could probably tell that’s not my normal condition, not standing in front of 1,000 people trying to explain a technology,” he said. The software did successfully identify him.
If a user were highly intoxicated, the software might not work. That’s when a bank would need to turn to traditional authentication methods. It might also, though, be a good time not to authorize a large payment or funds transfer.
The benefit of behavior pattern recognition, Renberg said, is that the user doesn’t have to do anything differently than usual. The software works without her input.
Device ID: ID Analytics demonstrated software that requires the customer to type in only her name and the last four digits of her Social Security number and answer knowledge-based authentication questions (e.g. “who was your best friend in elementary school?”) to enroll for a new account. Behind the scenes, the software uses device identity (a number associated with a smartphone) to authenticate the user. It also compares the customer’s data against the contents of the ID Network, the vendor’s repository of real-time consumer information, which it claims has 55 million identity elements coming in each day from organizations across industries, along with details on more than 3.3 million client-reported attempts at identity fraud.
Social network analysis: Socure’s solution also analyzes the user’s social networks. Social proof takes a long time to create and it’s very difficult to reproduce — a fraudster would have to create a whole network of fake friends and business associates.
Database lookups: Trulioo showed software that companies can use to compare customers’ self-provided information against data stored by 140 data partners in 40 countries. The company said it is working to provide access to all seven billion people in the world in 196 countries. It is meant to help international companies deal with anti-money laundering and Know Your Customer rules as well as account opening and risk mitigation.
Push notifications: Authy demonstrated OneTouch, software that authenticates consumers by sending a push notification to their smartphone and letting them tap or swipe “yes.”
The ultimate goal of using any of these technologies is a seamless and secure onboarding or login experience. A few companies demonstrated technology that uses different forms of authentication in the onboarding process. For instance, IDmission combines electronic forms with fingerprint, face, voice, and signature scanning to verify the identity of the person filling in the information. Gro Solutions verifies identity by asking “out of wallet” questions and checking the customer’s information against mobile phone carriers’ databases, as well as imaging government-issued identity documents such as driver’s licenses.