Authentication strategies and the use of biometrics
Rick Swenson, Managing Director Fraud Strategy and Governance, TIAA
Below is an insight on authentication and biometrics provided by Rick ahead of his session last year at Fraud and Financial Crime USA 2023.
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
What techniques can banks use to enhance authentication?
The industry has matured dramatically over the past decade in relationship to authentication, which arguably is the most important segment of every customer interaction. Technology advances have increased our ability to better trust and have confidence in knowing the person we are interacting with, is our customer.
The standard factors for authentication are to provide verifiers that are associated with What You Know, What You Have and What you Are. What you Know can be Known, What You Have can be Lost and What You Are is something you are born with. Before mass digitalization and the ability to share everything with literally billions of people, what you knew was a fairly effective verifiers. Today that is no longer true as billions of people are sharing so much of who they are and what they do with others. That coupled with thousands of data breaches that have compromised hundreds of millions of personal records, make the ability to use “What You Know” close to an obsolescent verification factor.
What You Have provides a requirement of trust and identifiability of the device. The most effective of these is the use of physical security Fobs, that generate random security keys. These are difficult and expensive to manage. Technology advances have occurred that enable this technology to be transferred to your mobile smart phones.
Key technologies capabilities that are available are:
- Biometrics – Voice, Facial, Touch and Behavioral
- Out-of-Band Verification – Push Notifications to Mobile App, One-Time Passcodes and Shared Secret Questions
- Dynamic Q/R Codes
- Cross-Channel Verification
The use of biometrics is becoming more commonly adopted by consumers as it offers the best blend of security and convenience to the consumer. You simply need to hold your mobile device and it’s built-in camera will instantly verify you without any interruptions to your service request. This is not a ubiquitous solution but it is gaining support by hardware manufacturers.
Many financial services organizations are also incorporating voice biometrics into their call-centers enabling them to provide a higher level of security to their customers and a much more seamless customer experience when fulfilling service requests. The use of voice is also available in a passive format that does not require the customer to overtly enroll or opt-in. Voiceprint technologies can capture and interpret acoustical elements of a call to help verify and determine if the caller is their customer or potentially fraud.
In a post covid world we have seen an enormous increase in the use of both video and audio interactions online. Institutions have an excellent opportunity to leverage the use of these two mediums to authenticate their customers. The next migration of biometrics will be the use of both voice and face to support web based authentication needs.
Institutions should also consider the incorporation of cross-channel verification opportunities. Allowing the authentication confirmation from one channel to pass through into another seamlessly to authenticate without requiring additional verification. Examples of this are to enable a customer in a verified chat session to connect from that session to a service representative and complete a call or similarly if they have authenticated on the mobile app, so enable them to call into their servicing center by initializing the call from within the application.
For institutions with a mobile application, the use of Push Notifications to that application are another means of allowing the customer to verify using a device that is very familiar to them. Simply send a push notification that launches their mobile app and have them use the biometric features of the phone to authenticate. Customer calls into your call center and once they are identified a push notification is sent to their mobile device allowing them to authenticate. The duplicative value of this approach is they are able to both authenticate but are also able to interact with their accounts via the Mobile App, which is, in most organizations, the channel of choice.
How can the use of biometrics and authentication be used to identify and manage deep fakes?
Technologies continue to advance the ability to create digital representations of people both audibly and visually. These technologies are conducive for filmography, but can also be used to misrepresent reality for the purposes of defrauding individuals and companies.
As investments are made to leverage biometric verification, additional investments need to be made to ensure these technologies are not being used to fraudulently represent another person. Those investments come in the form of gathering qualifying or disqualifying data sets that provide confidence the media form you are receiving is real, live and can be cross verified using additional factors such as geo, device, channel and biometric characteristic comparisons to determine if the interactions is real or contrived.
How have deep fakes become increasingly sophisticated over the years?
Deepfake technologies are progressing rapidly and are being driven largely by the entertainment industry and the opportunity to provide more realism and dramatic impact at lower long term costs. The ability to create a digital stunt double or a younger or older version of a character in a movie digitally is far less costly than traditional efforts to use make-up and/or stunt doubles along with hours in the editing room. The gaming industry is also playing a large role as is works to create a close as possible replication of the human form giving their user audience the feeling they are completely immersed in an alter reality.
We should expect the ability to discern real from digital to become more difficult as the introduction of AI is also progressing. The combination of being able to create deep fakes with a strong interactive AI dialogue capability is certainly something we can expect to see into the future.
At present, these methods are still relatively primitive and we see use of them targeted at companies that are less able to use cross correlative data to validate the media communication used. Organizations cannot completely remove tried and true concepts such as “dual control” and “out of band” verification when they receive any type of digital communication outside of physical face-to-face requests.
Why is tracking mobile device activity used to help authentication?
There is a parallel value stream in mobile device monitoring that benefits the consumer. A plethora of new technologies incorporated in our devices can provide us with a wealth of health information. This data can monitor your cadence, your heart rhythm, your breathing and numerous other characteristics.
These same technologies can be used to map and create a behavioural use profile for the owner of these devices. Is the person left hand or right hand dominant, how does the person hold the device, how often, what is the swiping motion, are they traveling with the device, how fast are they moving, where are they moving. The mobile device affords a wealth of use based characteristics that can be used independently or in combination to create a Mobile DevicePrint (MDP) that can be used to identify or assist in the verification of an individual.
In addition to tracking the device activity the use of geo tracking is also beneficial for both the customer and for providing advanced security. A few organizations have implemented the ability to geo locate the user of the device to assist with ensuring that transactions they may be performing are not declined. Geo tracking can also be used to help reduce fraudulent transactions associated with both 1st and 3rd person fraud. Being able to identify where out-of-band mobile responses are coming from relative to where your customer is believed to be, is very useful in preventing scams and or collusive fraudulent activities between your customer and other 3rd parties.
Tying back this tracking information to other channels within your organization is also useful when trying to authenticate your customer or providing your customer with the ability to track their own interactions with the institution and potentially identify potential fraudulent interactions.
Why is it important to find a balance between customer experience and biometrics?
Experience is arguably the number one determining factor for consumer product choice. The more difficult and burdensome the effort required by the consumer, the less likely they are to use your product. How many televisions for example are still sold with a channel selector and volume button requiring you to walk across the room to change the channel or volume? Not only are they not providing those legacy features, they are moving more and more towards voice and sediment to help you determine what to watch. The same is true for financial products. If you can reduce the effort required to fulfil a need to close to zero, you will attract and retain far more customers then you may loose to those that may prefer to have to do more to get more.
Saying your product is only a smile away is far more palatable then saying you only need to enter a username, password and a 10 digit code to access your account.
Convenience is a primary part of the customer experience. Institutions that enable convenient almost entirely natural means to interact with their accounts will win and retain their customers, all other factors of value being equal.
To make this a reality, institutions must ensure they are providing for the capture and use of biometric data without actually storing the raw data itself. A conversion of that data needs to be done that create an encrypted token value that represents your customer and is only useable by your institution. There should be no means by which biometric use by your institution could ever be used to access or open any other digital door but your own.
The alternative to biometrics is requiring the customer to provide more and more static information coupled with additional verification steps which often times lead to frustration and brand damage. Making the interaction between you and your customer as seamless as possible with the highest degree of security is the ultimate win/win proposition.