While a brief review of the round table is printed before this article, Nicolas Garcia from IDEMIA was unable to attend in person. Instead, Hi-Tech Security Solutions sent him some of the questions we asked the attendees and he submitted his answers in writing.
Hi-Tech Security Solutions: What is identity and what does it mean to verify someone’s identity? What does it mean to authenticate someone? Where are the two (verification and authentication) used and for what purpose?
Garcia: According to Forbes: Identity is generally accepted as an amalgamation of any or all attributes and information available that binds a persona to a physical person.
Verification is proofing, typically done during onboarding. Authentication is done afterwards, when we validate against the identity captured during onboarding.
Authentication is the process through which we prove who we claim to be. It determines if one or several of the following elements or authenticators used to claim an identity are valid and belong to the same individual previously identified.
• What I have: mobile phone, smartcard, security token…
• What I am: fingerprints, face, iris…
• What I know: password, PIN code…
Authentication occurs each time a user wants to access a service or perform transactions, such as payments, wire transfers or a contract signature. It is also used in the physical world, such as when you want to access a building.
Biometric systems offer a secure and easy-to-use solution to build the bridge between physical and digital identities. They enable enterprises to mitigate the risk of identity theft or impersonation, by ensuring the person is really who he/she claims to be and is present at the time of transaction.
Hi-Tech Security Solutions: Currently, what is the norm in commercial environments to verify and authenticate an individual’s identity when it comes to physical and digital identities?
Garcia: Today’s customers expect total convenience without sacrificing security. Because of this, we are seeing an increase in the uptake of digital authentication of an identity (physical/digital) using biometrics in both physical and digital environments.
PINs, passwords and 2-factor authentication are the more common ways that commercial organisations authenticate a person. Leveraging the power of mobile phones and their biometric capabilities (such as camera and fingerprint technology), enterprises can remotely verify their customers’ identities. IDEMIA’s MorphoWave Compact is an alternative portable biometric reader.
Hi-Tech Security Solutions: Facial recognition/verification is getting all the attention these days, but is this a reasonably secure and reliable identity verification/authentication mechanism for physical and digital security?
Garcia: Today, state-of-the-art biometrics algorithms, certified by independent agencies such as the National Institute of Standards and Technology (NIST) and leveraging machine learning capabilities, outperformed average human capabilities when it comes to recognising unfamiliar faces.
The ideal solution is to combine man and machine to achieve the best results. Also, 3D facial recognition technology is one of the best ways to neutralise environmental conditions and reach better results than 2D information.
For a financial services provider, it may not be reliable enough to solely rely on one type of information to verify the legitimacy of an individual identity claim. Indeed, they may lack some type of information, for instance their credit history may be limited, they may lack some ID documents or, in some cases, they may not wish to share their biometrics. Besides, static Personally Identifiable Information (PII) may have been compromised. Furthermore, data available and validation requirements depend on the geography and regulations. That’s why a reliable digital identity requires a layered identity-proofing approach.
Organisations can pick and choose which of the layered measures to take based on their customers’ profiles, their risk policy and identity assurance requirements. Such a multi-layered onboarding approach uses a combination of identity document authentication and biometric verification and other background checks.
Hi-Tech Security Solutions: When it comes to financial institutions, what are organisations these days doing to more accurately verify/authenticate customers’ identities to avoid issues like people opening bank accounts under false names etc.?
Garcia: With fake accounts being a major concern for financial institutions, biometrics deduplication is crucial for fighting against fraud. It enables service providers to check whether a unique individual has opened multiple bank accounts under different, false names.
Financial institutions could also rely on mobile operators for risk scoring, to help their fight against identity theft and account takeover. In fact, many banks rely on a customer’s mobile phone as a method of verification. When logging into an account, customers are often asked to verify their identity through an SMS OTP (one-time password).
Leveraging in-branch biometric devices or readers, a bank can match a customer’s biometrics against their ID to verify that a customer (or potential customer) is who they claim to be.
Hi-Tech Security Solutions: What is happening in terms of remote and mobile identity verification/authentication? As companies try to reduce ‘in-person’ visits and encourage people to transact via the Internet or their mobile devices, how are they trying to ensure the person is who they claim?
Garcia: Adopting a multi-layered approach, combining ID document authentication, biometrics and liveness detection and more, enables banks to reconcile security, compliance and user experience.
For example, a bank would typically mix different technologies and methods in their processes, depending on the level of security required for respective applications/requests. Some banks might agree that a PIN code might be secure enough to give access to an account balance, but a combination of face and code might be preferred for transfer of a large amount of money. In addition to that, banks might limit sensitive transactions to pre-approved devices only.
Hi-Tech Security Solutions: What about privacy? Should we give up the idea that we have any? If not, how can we retain some privacy without negatively impacting security? How does the industry support privacy while still producing identity technologies?
Garcia: People have a right to their own privacy and when it comes to facial recognition and biometrics, they need to be assured that a proper policy framework is in place to safeguard their data and restrict who has access to it and how it can be used. Public and private entities have to collaborate to define this regulatory framework.
The solutions developed by IDEMIA incorporate privacy by design principles. This protects consumers and guarantees the highest possible level of data protection that can be used for identity verification and authentication technologies.
Security and respect of data privacy are in the DNA of IDEMIA. As such, our biometric access control products comply with a wide range of industry and privacy regulation, including the recently adopted GDPR, the European data regulatory framework. This places the end-user at the centre of all consideration. Our systems only keep absolutely necessary information required in an encrypted form, called a template, which cannot be reverse engineered to recreate a face or a fingerprint and can be deleted on demand. To add to that, it is important to offer an end-to-end encryption solution to ensure that data remains safe.
Nicolas is the sales director for biometrics terminals at IDEMIA, leading the business in the Middle East and Africa region. An expert in the topic of biometric access technology, Nicolas also penned a book explaining the technology terms to the man on the street.