The importance of authenticating the human behind the device
Most organizations are using authentication solutions that verify the presence of a device, and they assume the user behind the device is the registered owner of that device. There are a wide range of online use cases where that is a very risky assumption. As online fraud continues to grow in volume and impact, it’s becoming increasingly critical to verify the identity of the human behind the device.
Most of us are familiar with 2nd factor authentication solutions. On a daily basis we’re asked to enter a “One Time PIN”, or prove that we’re not robots by choosing which images include stop signs. While at times this can be frustrating, applying these 2nd factors for authentication has mitigated some of the security challenges associated with password-based authentication solutions.
However, these 2nd factor solutions are not without security concerns. Verification codes are usually read by the user from a physical authenticating device. Many high-security websites provide users with a dedicated device for this purpose, such as the RSA token. In addition to being purpose-built for security, these dedicated devices also have the advantage of generating the verification code directly. It is also common for websites to use a dedicated mobile app, such as Google Authenticator, for the same reason.
Some websites send verification codes to a user’s mobile phone as a text message. While this is technically still verifying the factor of “something you have”, it is open to abuse. Firstly, the code is being transmitted via SMS rather than being generated by the device itself. This creates the potential for the code to be intercepted. There is also a risk of SIM swapping, whereby an attacker fraudulently obtains a SIM card with the victim’s phone number. The attacker would then receive all SMS messages sent to the victim, including the one containing their verification code. An authenticator app is one of the best 2FA options, as there’s no way for fraudsters to intercept the codes without physical access to your phone.
But if you want the highest level of assurance that you won’t be hacked, then you should use biometric information as part of a Multi-factor Authentication (MFA) solution. Not only is biometric-based MFA a more secure authentication method, it’s also far more user-friendly. You can register multiple authenticating devices (e.g. mobile phone, tablet, laptop) and then use your biometrics (e.g. face, voice, fingerprint, iris) to authenticate for high-risk use cases. The elegance of this solution is that the user can choose which biometric they’re most comfortable using, it takes less than 5 seconds to complete the authentication, and if you lose one authenticating device, you’re not stranded.
The key to the higher assurance is that the biometric service is verifying the human behind the device. For most services and accounts, this won’t be required every single time you open the app or site—that would get tedious very quickly. Instead, MFA is requested when you try to log in on a new device that you haven’t used before or haven’t accessed in a long time, like a new phone or a laptop that hasn’t been associated with your account in the past.
However, there are a wide range of high-risk use cases where higher assurance is warranted. Think about accessing your medical history, accessing your bank account or crypto account, or gaining access to the enterprise data center. These are all scenarios where authorizing access to the wrong person can have catastrophic consequences.
Truuth has just launched a beta version of Biopass, our multi-biometric passwordless authentication service. The risk-based engine determines when the user should be asked to ‘step up’ with one or more biometrics to verify their identity. Users can register a range of authenticating devices and decide which biometric they prefer (currently face, voice, fingerprint). And enterprises can manage authentication use cases in an intuitive portal where they can set up applications, user groups, and policies that define treatments based on a wide range of risk factors. This enables the enterprise to deliver a unified MFA experience for users across all their use cases, rather than the current jumble of authentication experiences that characterizes most organizations.
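To make the step-up logic described above concrete, here is a small, added policy engine that is not Biopass’s code and assumes its own thresholds (a 90-day staleness window and a fixed set of high-risk use cases): a recently used registered device is accepted on its own, while a new device, a stale device, or a high-risk use case triggers a biometric step-up, and losing one registered device leaves the others trusted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)  # assumed policy values for this example, not Biopass's
HIGH_RISK_USE_CASES = {"medical_history", "bank_account", "crypto_account", "data_center"}

@dataclass
class Account:
    enrolled_biometrics: set                      # e.g. {"face", "voice", "fingerprint"}
    devices: dict = field(default_factory=dict)   # device_id -> last time it passed a check

def step_up_decision(account, device_id, use_case, now):
    """Return (required, reasons). A recently used registered device is enough for a
    low-risk use case; a new or stale device, or a high-risk use case, needs a biometric."""
    reasons = []
    last_seen = account.devices.get(device_id)
    if last_seen is None:
        reasons.append("new device")
    elif now - last_seen > STALE_AFTER:
        reasons.append("device not used in over %d days" % STALE_AFTER.days)
    if use_case in HIGH_RISK_USE_CASES:
        reasons.append("high-risk use case: " + use_case)
    return (len(reasons) > 0, reasons)

def complete_step_up(account, device_id, biometric, now):
    """Record a passed biometric check: register a new device or refresh a known one."""
    if biometric not in account.enrolled_biometrics:
        raise ValueError("biometric %r not enrolled for this account" % biometric)
    account.devices[device_id] = now

def demo():
    """Constructed scenario: one account, a phone and a laptop, several login attempts."""
    now = datetime(2023, 6, 1, 9, 0)
    acct = Account({"face", "voice", "fingerprint"})
    acct.devices["phone"] = now - timedelta(days=1)
    acct.devices["laptop"] = now - timedelta(days=120)
    results = {
        "phone_lowrisk": step_up_decision(acct, "phone", "read_news", now),
        "phone_bank": step_up_decision(acct, "phone", "bank_account", now),
        "laptop_stale": step_up_decision(acct, "laptop", "read_news", now),
        "tablet_new": step_up_decision(acct, "tablet", "read_news", now),
    }
    complete_step_up(acct, "tablet", "face", now)  # tablet passes a face check, is registered
    acct.devices.pop("phone")                      # phone lost: laptop and tablet stay trusted
    results["tablet_after_enrol"] = step_up_decision(acct, "tablet", "read_news", now)
    return results
```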
If you’re looking for a brilliant user experience and the highest possible level of assurance against identity fraud, ask us for a demonstration of Biopass. You can check out the features of Biopass here.