This post first appeared on the recently acquired Fortress Identity blog:
Many financial services firms stopped kidding themselves about passwords a long time ago. Even so, the march toward really effective user authentication has taken much longer than it should have. And that is true for all industries. Just last year about 85% of data breaches were enabled by compromised passwords. Most attacks were external, but nearly 25% of them came from inside the organization.
Early replacements for passwords or methods of fortifying passwords helped for a while, but fraudsters quickly found ways of getting around them. In fact, the relentless ingenuity of cybercriminals in spoofing new security measures continues to frustrate firms that are still attempting to cope with what I would call half-measures.
That is, anything less than full compound biometrics.
As someone who consults frequently with banks, I know that one of the main factors in the relatively slow adoption of compound biometrics is that banks that have suffered attacks often keep the news to themselves. Therefore, the actual threat level is still insufficiently understood by banking management.
Recently, I asked a senior banker what it would take to sell his colleagues on compound biometrics. He replied: “a successful data breach right here. Nothing less will do it.”
Single biometric factors were oversold.
Individual biometric factors are infinitely better than passwords and PINs. No wonder everyone thought that fingerprint readers were a magic bullet: a foolproof, spoof-proof way to safeguard accounts, transactions, networks, secure locations, etc. Well, they are not. Even facial and voice recognition – implemented singly – are not secure enough to trust. Not if you hold sensitive data of any kind.
You have seen stories about criminals who devised ways to emulate a biometric factor. Some are surprisingly clever. For example, registering one triplet with Apple enabled his brothers to log on too. However, where one biometric factor can be spoofed, multiple biometric factors are orders of magnitude harder to penetrate.
The improvement is not incremental. It is exponential. And bad guys loathe it.
The arrival of Compound Biometrics
Castle-builders, car-makers, anyone who really wants to secure something surrounds it with multiple forms of protection. Protection-in-depth.
Let me use a security solution that my company, Fortress Identity, has developed to explain what I mean. This solution combines facial recognition and voice recognition technologies. When an individual seeks entry, the system first recognizes his face—it identifies him. Next, this same individual is asked to say something; if his voice matches the voiceprint on file, his identity is confirmed. But that is not all. The system goes deeper. It takes an artificial intelligence approach to both the facial and voice recognition phases of authenticating his identity.
The facial phase does more than just match a video image to a file image in a database. To stymie anyone trying to spoof the system, it first determines if the face showing up on video is actually that of a living person. It is not fooled by hats or glasses or poor lighting. It looks deeply, comparing hundreds of data points and facial landmarks to arrive at its conclusion. The voice recognition aspect of the solution is equally comprehensive. More than 400 factors are analyzed, comparing the smallest vocal characteristics. And, naturally, ensuring that the voice presented is not a reconstruction but the real thing. Finally, we do not serve up the same authentication process every time. We vary it to further deter anyone who might be trying to develop an impersonation strategy.
In short, we take an in-depth approach to the entire process and every single aspect of the process. And I have not even mentioned the passive biometrics going on in the background.
Major objections to compound biometrics
Objection: Navigating compound biometrics will be too difficult for our users. Some of them are elderly!
Reality: What could be more natural than speaking? What is easier than looking at your phone or a monitor? If you are still dubious, run your own tests. You can download a light version of our product, the Biometric Authenticator, here.
Objection: Compound biometrics would require too much effort to implement.
Reality: I have literally stunned IT guys with the news that our voice solution requires adding just ten lines of code to your new or existing system. Ten lines of code. Easy!
Objection: Compound biometrics would be too expensive.
Reality: The cost of compound biometrics is nominal. Priceless really. Especially compared to the cost of a data breach, in which you could lose customer data, public trust, proprietary information, and reputation, and face recovery costs on top. Never mind the penalties that GDPR and other regulations mandate for data breaches.
A last note.
Unless you believe that fraudsters, cybercriminals, and identity thieves are becoming less capable, why not look into compound biometrics today? Treat your customers to password-free access to their ecommerce accounts, transactions, and secure locations.