Losing face

Access & Identity Management Handbook 2021 Cyber Security

The risk of identity theft and related fraud is a significant concern for consumers who have been embracing online services to overcome lockdown restrictions during 2020. Even prior to this, there has been a reported 33% increase in identity fraud last year from 2018 figures.

While the pandemic has been a boon to adoption of biometrics – particularly face biometrics in this contactless era – for digital identification, authentication, and authorisation services, this has also amplified the necessity of two-factor authentication (2FA) for users to better protect themselves.

Biometrics can either be biological measurements or physical characteristics that can be used to identify an individual. Some of the more popular modalities that are becoming mainstream today include fingerprint scans and facial recognition. The use cases for such solutions are vast, from identification and verification services to security and restricted access control – including at airports, stadiums, businesses, and various other settings. Additionally, many of the latest smartphones even feature biometrics as security options, used to unlock the device, sign into mobile apps and in payment verification.

According to Vic Esterhuizen, executive: Biometrics at Xpert Decision Systems (XDS), the largest locally owned credit information bureau in South Africa, biometrics can fulfil a critical fraud prevention function in the identification, authentication and authorisation sequence of events, including digital on-boarding services, and identification/account verification at the point of sale.

The value of biometrics

“Much about how we live, work and play changed due to the impacts of the COVID-19 pandemic, where lockdown restrictions coupled with social distancing protocols have pressed upon people to avoid use of shared surfaces and close, in-person interactions as much as possible. This is accelerating adoption trends in contactless identification including face biometrics systems – particularly as a complement to, and in support of, digital transactions,” says Esterhuizen.

Market research indicates that the global face biometrics market size was valued at $3,4 billion in 2019 and is projected to grow at a CAGR of 14,5% from 2020 to 2027.

Esterhuizen suggests that in a digitally driven world, the traditional username and password method can be enhanced with additional security factors. “Biometrics presents a massive opportunity to promote market inclusion through digital and remote access to products and services. And, by using something unique to an individual to confirm the person’s identity before any financial and other transactions can be done, this can support in significantly reducing the potential for identity theft and associated risks of third-party fraud.

“It should be noted, however, that not all technology is the same and products and service providers who are looking to capitalise on the digital and remote opportunities must undertake market research and consult with experts on solutions that offer built-in risk mitigation and high anti-spoof rates in identity verification,” says Esterhuizen.

Identification, authentication and authorisation

To realise the effectiveness of biometrics, Kaspersky believes that consumers first need to understand the difference between identification, authentication and authorisation.

“While it might not seem important at first to understand the role biometrics can play in these processes, given how everything from shopping to banking to entertainment and more of our daily activities are increasingly connected to the Internet and performed online, consumers need to better understand that collectively these online accounts form an imprint of their digital lives – and that their biometrics can be used to unlock this imprint if not used appropriately and safely,” says Lehan van den Heever, enterprise cybersecurity advisor for Kaspersky in Africa.

For instance, a banking app will request the user’s login details before the user may perform any transactions. The username will be the identification step, i.e., confirming identity of the user. The password or PIN will then be used to authenticate the login. The final step is that of authorisation. Once the identification and authentication have been done and confirmed, the app will give the user the right, i.e., authorise the user, to view their account balances, pay beneficiaries, etc.

“There are current services and use cases where biometrics have been integrated into these processes, for example a fingerprint or face scan may be used to supplement, or in addition to, any of these three steps. To do this, the provider is taking biometric data and storing it in the cloud, which is correlated with the user’s account and payment data. And while such data may well be encrypted, the potential risk is that should the data ever be stolen – and decrypted – from the cloud, the user’s identity could be spoofed, leading to financial losses and potential third-party fraud,” indicates Van Den Heever.

Two-factor authentication

This stresses the necessity of two-factor authentication. As is the case with the aforementioned example, many local banks continue to use two-factor authentication, which requires entering a password/PIN as well as confirming a one-time password (OTP) at the point of transaction, which is sent to a secondary device, for example.

“With the pandemic expected to be a part of our lives for some time to come, biometrics has an important role to play in the new normal. And the key to integrating biometrics safely, particularly where a user’s financial data is concerned, lies in how the data is being encrypted and stored. For example, where biometrics is used to identify the user and a PIN is used to verify that identity, anyone stealing the biometrics data wouldn’t have a complete set of information or enough to steal people’s money, or spoof their identity. It is much safer to keep the two things separate and integrate 2FA as a critical step to securing accounts and the data they hold,” concludes Van Den Heever.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Securing access to the data centre
Issue 1 2021, Suprema , Cyber Security
When looking for a solution to securing your data centre, FaceStation F2 stands out in terms of its versatility, security and rich feature offering.

Secure alternative to passwords
Issue 1 2021, Suprema , Cyber Security
Fingerprint biometrics offer a secure alternative to regular passwords; they cannot be lost/forgotten and cannot be shared.

Information visibility is key for brand protection
Issue 1 2021 , Cyber Security
High-value employees now give away more information in the social media age than ever before and businesses need a solution that will immediately block, hide or remove racial slurs, sensitive data like credit card numbers, competitor posts, scams, malicious links and more.

‘Broken window, broken business’ and cybersecurity
Issue 1 2021 , Cyber Security
Apply the broken window principle to ensure there are no gaps in your cybersecurity that allow criminals into your network.

Further exit of skills possible
Issue 1 2021, Galix Group , Cyber Security
Lifting international travel restrictions could have a severe impact on South Africa’s already depleted cybersecurity skills pool.

A new security approach for the modern network
Issue 1 2021 , Cyber Security
In a digitally transforming world, the traditional firewall is no longer as effective as it used to be.

Cybersecurity in 2020: lessons for tomorrow
Issue 1 2021 , Cyber Security
There is a visible jump in awareness around online security, precisely because of the remote working trend that became a reality in 2020.

Small business security trends for 2021
Issue 1 2021 , Cyber Security
Recent surveys suggest that many small business owners are still operating under a false sense of cybersecurity.

Jian: The double-edged cyber sword
Issue 1 2021 , Editor's Choice, Cyber Security
A Chinese-affiliated attack group (APT31) cloned and actively used an American-affiliated attack group’s (Equation Group) cyber-offensive tool codenamed EpMe. Both attack tools exploit a then unknown Windows vulnerability for elevating the privileges of the attacker on the infected machine.

Five ransomware predictions for 2021
Issue 9 2020 , Cyber Security
How to stay ahead of cyber criminals and protect your data