Multi-factor authentication (MFA) is a method of securing access to your accounts by requiring users to verify their identity in two or more ways in order to successfully sign in. These multiple layers of authentication mean that a hacker or imposter couldn’t access a user’s account, even if they managed to get hold of that user’s credentials.
Users can verify their identity in three ways with MFA: they can use something they know, like the answer to a security question; something they have, like an authenticator app; or something they are, which involves their biometric information, such as a fingerprint. Biometrics are often considered the most secure authentication method because of the level of effort a bad actor would have to go to in order to hack into someone’s account. It only takes a quick Facebook search to find out the name of their target’s pet (which 15% of Americans use as their password!); scanning someone’s retina without them noticing is much harder.
To find out more about how organizations can use biometric authentication to ensure that only verified clients can access their data and that employees can access their corporate network securely, we spoke to Joe Palmer, President of iProov Inc. Joe entered the industry developing web-based applications for a range of market sectors, including healthcare, where the security of each application created was fundamental to its success and the safety of its users. When Joe met Andrew Bud, CEO at iProov, the two developed a shared vision of making the internet a safer place by verifying that an online user is the right person, a real person, and authenticating right now when they access digital services such as their bank account.
Founded in 2012, iProov is an innovative face verification solution that enables organizations around the world to securely and effortlessly authenticate the identities of their customers and employees. iProov is today used by governments and financial services providers, who need the utmost confidence in the fact that the people accessing their systems are who they say they are.
OTPs Are Better Than Nothing…
Despite the sophisticated levels of security that biometric authentication provides, a lot of organizations are still using more traditional methods of authentication, such as SMS- or email-based one-time passcodes (OTPs). This, according to Joe, comes down to familiarity.
“People have gotten used to being sent a one-time passcode via text message,” he explains. And the way in which they interact with those messages has become more sophisticated. When a user receives their code in a message on my phone, the system is often able to suggest it automatically in the two-factor field of the web page or app they’re trying to access, without them having to switch apps or type the code in manually.
“The user experience isn’t great, but it’s not terrible, so people are willing to put up with it because they understand that it’s increasing security.” However, despite being more sophisticated that it was a few years ago, OTP technology is still not particularly secure.
“Text messages don’t always arrive, especially if you’re working across different countries, and the mobile phone networks themselves don’t have very good authentication at all,” Joe says. “It’s not hard to gain access to a network and, once you’re in the network, you can start sending commands to reroute communications, including text messages, to another device.” This means that hackers can redirect a user’s OTPs to themselves.
This method of attack requires relatively little effort and only a small amount of money and expertise. Because of this, OTPs are not secure enough to protect high value targets, like businesses.
“If the reward is worth the effort, attackers will spend enough time, effort and money to subvert the authentication,” Joe says.
…But Biometric Authentication Is More Secure Still
The security architecture of biometric authentication is very different to that of the other two methods of authentication (something the user knows or has), because it involves a certain level of risk and ambiguity. “Risk” and “ambiguity” may seem like red flags when it comes to securing your corporate assets, but it’s actually these very characteristics that make biometric authentication, when used properly, so secure.
To illustrate this, let’s look at traditional passwords.
“Passwords are either 100% right or 100% wrong,” explains Joe. “You let the user in or you don’t; there’s no ambiguity. The vulnerability here comes from how easy the information is to share.” For example, if User A told User B their password, User B would easily be able to log in to User A’s account. On top of that, Joe says, is the fact that a user-friendly password isn’t very secure, and a secure password isn’t very user-friendly, because it’s difficult to remember. It’s for this reason that so many people reuse passwords, or create weak ones that are easier to recall – and also easier for a hacker to crack.
Biometrics, on the other hand, are a probabilistic system. “They provide a level of confidence, so are often used with risk engines which take into account lots of data and produce an output that decides what level of authentication is needed,” Joe says. “This creates some anxiety, because not being 100% certain that it’s the same person seems less secure.”
However, the probabilistic system makes it incredibly difficult for bad actors to crack or bypass authentication.
“You can buy passwords on the dark web to use in credential stuffing attacks, and you can steal someone’s credentials directly with a little effort and a spear phishing attack,” Joe says. “Using biometrics means having the ability to improve continuously and create a moving target for attackers.
“We’re constantly re-training our machine learning and AI tests to improve their performance, which is something you can’t do with password- or device-based factors.”
This continued evolution has two impacts. Firstly, it requires far more effort for a hacker to actually attempt to gain access to the system. We all know that cybercriminals justify the cost of the effort with the potential reward, so making it more difficult for them to access that system means they’re generally less likely to try. Secondly, if a hacker were to successfully infiltrate the system, they’d only be able to do it once – greatly reducing the amount of damage they would be able to inflict, compared to if they were able to log in multiple times using a stolen password.
“Fundamentally, it comes down to how much effort is required to launch a successful attack,” Joe says. “And we believe that’s much lower with the system we built than with passwords, and potentially devices as well.”
Three Steps To Avoiding Deepfakes
Deepfakes are fraudulent media that look or sound like the real deal. Named after a branch of machine learning called “deep learning”, they use artificial intelligence to learn what the source material looks or sounds like, and transpose that learning onto another image or sound bite so that it seems to be an original. Deepfakes are used for a whole range of situations today, from film studios controversially bringing actors back to life for certain roles, to enabling us to virtually try out new hairstyles without committing to a new ‘do. But deepfakes are being increasingly used in social engineering attacks and attempts to trick biometric authenticators.
So how can you be sure that the user trying to access your system is who they say they are, and not a hacker using deepfake technology?
The answer lies in sophisticated biometric technology. According to Joe, when using face verification as a form of biometric authentication, there are three questions that you need to ask in order to determine if your user is genuine:
- Are they the right person?
- Are they a real person?
- Are they there right now?
In order to determine if the user is the right person, Joe says, you need to match the scan of their face that they’re providing to a baseline image, or “source of truth”, of the user that you have stored away. “The user asserts that they are who they claim to be, and then they allow a picture of their face to be used to verify that they are that person.”
However, just matching the two images isn’t enough to stop someone accessing an account that isn’t theirs. “You can go to Facebook or LinkedIn and get a picture of almost anyone, and it’s very easy to hold up a picture in front of the camera,” Joe says, “so you have to ensure that the biometric that’s being presented to the sensor is indeed a real person. This is known as ‘liveness.’”
Finally, you need to be confident that the user is presenting that image in real time. “This is the question that many local solutions don’t answer,” Joe says. “If a hacker were able to steal a video of you authenticating and inject it directly into the application or network, bypassing the camera altogether, the system might let them in because it’s recognised the right person, and a real person – but that person isn’t there right now. They were there yesterday, or last week.”
iProov’s unique Genuine Presence Assurance gives organizations the ability to confidently answer “yes” to all three of these questions.
The Present Is Digital; The Future Is Biometric
Earlier this year, iProov expanded into the US authentication market – just as the global Coronavirus pandemic hit. During this time, Joe noticed two big shifts in the way that organizations were using authentication.
“Our two key customer areas are government and financial services,” he says. “As a US citizen with a bank account, it’s very common to go down to your local branch. The pandemic has changed that – people can’t go and stand in line, or stand with other people inside buildings. So US banks have suddenly become digital first! This means providing secure remote authentication for their customers.”
But the finance sector wasn’t the only one suddenly realising its need for remote authentication.
“We also saw a flurry of interest for employee authentication,” Joe says. One of the biggest challenges in implementing remote authentication for employees is being able to provide a source of truth for each employee. Usually, this is the photograph taken when an employee joins the company. Most organizations have these images, but they need to be made accessible to the authentication system, so that each image can be used to enrol the employees when they first try to authenticate.
“Another challenge comes from digital transformation, and moving from physical servers into the cloud,” Joe adds. “A lot of companies are going through digital transformation programmes, and it might take years to move everything across, having single sign-on across all of those applications, and so on, so my personal expectation is that 2022 is when we’ll see it exploding.
“We’ve seen the shift from onboarding end users’ customers, to authenticating those customers, and that’s very similar to authenticating employees.
“Biometric authentication for employees is coming.”
The Easiest Way To Raise Your Security Bar
The best way for organizations struggling with remote access security to protect their assets is by implementing an MFA or 2FA solution.
“Adding a second authentication factor is a simple but very effective way of raising the bar of the level of effort needed and money required from attackers,” Joe explains. “It makes many scenarios just not worth it.”
Organizations should avoid using traditional passwords, which are so easily compromised, and be sure to implement device or biometric factors of authentication.
Of all the types of biometric authentication available, face scanning is the most accessible, Joe says. This is because the world we currently live in is built to accommodate it: almost every device that we use, including laptops, tablets and smartphones, is built with a front-facing camera.
The best approach to authentication, Joe says, is to implement flexible authentication. Genuine Presence Assurance on its own can be used to authenticate remote users for a variety of secure uses, from onboarding to ongoing log-in. When MFA is needed, liveness or Genuine Presence Assurance can be used as the additional factor. “Face biometrics offers versatility. It provides both the highest security to work as a standalone authentication method, or it can be combined with other authentication for MFA.”
Thank you to Joe Palmer for taking part in this interview. You can find out more about iProov Inc. and their biometric authentication and access management solution at their website, LinkedIn and Twitter profiles, and via their demo apps in the Android and iOS app stores.