Secure identification and authentication

Issue 3 2020 Financial (Industry)

While a brief review of the round table is printed before this article, Nicolas Garcia from IDEMIA was unable to attend in person. Instead, Hi-Tech Security Solutions sent him some of the questions we asked the attendees and he submitted his answers in writing.

Hi-Tech Security Solutions: What is identity and what does it mean to verify someone’s identity? What does it mean to authenticate someone? Where are the two(verification and authentication) used and for what purpose?

Garcia: According to Forbes: Identity is generally accepted as an amalgamation of any or all attributes and information available that binds a persona to a physical person.

Verification is proofing, typically done during onboarding. Authentication is done afterwards, when we validate against the identity captured during onboarding.

Authentication is the process through which we prove who we claim to be. It determines if one or several of the following elements or authenticators used to claim an identity are valid and belong to the same individual previously identified.

• What I have: mobile phone, smartcard, security token…

• What I am: fingerprints, face, iris…

• What I know: password, PIN code….

Authentication occurs each time a user wants to access a service or perform transactions, such as payments, wire transfers or a contract signature. It is also used in the physical world, such as when you want to access a building.

Biometric systems offer a secure and easy-to-use solution to build the bridge between physical and digital identities. It enables enterprises to mitigate the risk of identity theft or impersonation, by ensuring the person is really who he/she claims to be and is present at the time of transaction.

Hi-Tech Security Solutions:Currently, what is the norm in commercial environments to verify and authenticate an individual’s identity when it comes to physical and digital identities?

Garcia: Today’s customers expect total convenience without sacrificing security. Because of this, we are seeing an increase in the uptake of digital authentication of an identity (physical/digital) using biometrics in both physical and digital environments.

PINs, passwords and 2-factor authentication are the more common ways that commercial organisations authenticate a person. Leveraging the power of mobile phones and their biometric capabilities (such as camera and fingerprint technology), enterprises can remotely verify their customers’ identities. IDEMIA’s MorphoWave Compact is an alternative portable biometric reader.

Hi-Tech Security Solutions: Facial recognition/verification is getting all the attention these days, but is this a reasonably secure and reliable identity verification/authentication mechanism for physical and digital security?

Garcia: Today, state-of-the-art biometrics algorithms, certified, by independent agencies such as the National Institute of Standards and Technology (NIST) and leveraging machine learning capabilities, outperformed average human capabilities when it comes to recognising unfamiliar faces.

Nicolas Garcia.

The ideal solution is to combine man and machine to achieve the best results. Also, 3D facial recognition technology is one of the best ways to neutralise environmental conditions and reach better results than 2D information.

For a financial services provider, it may not be reliable enough to solely rely on one type of information to verify the legitimacy of an individual identity claim. Indeed, they may lack some type of information, for instance their credit history may be limited, they may lack some ID documents or, in some cases, they may not wish to share their biometrics. Besides, static Personally Identifiable Information (PII) may have been compromised. Furthermore, data available and validation requirements depend on the geography and regulations. That’s why a reliable digital identity requires a layered identity-proofing approach.

Organisations can pick and choose which of the layered measures to take based on their customers’ profiles, their risk policy and identity assurance requirements. Such a multi-layered onboarding approach uses a combination of identity document authentication and biometric verification and other background checks.

Hi-Tech Security Solutions: When it comes to financial institutions, what are organisations these days doing to more accurately verify/authenticate customers’ identities to avoid issues like people opening bank accounts under false names etc.?

Garcia: With fake accounts being a major concern for financial institutions, biometrics deduplication is crucial for fighting against fraud. It enables service providers to check whether a unique individual has opened multiple bank accounts under different, false names.

Financial institutions could also rely on mobile operators for risk scoring, to help their fight against identity theft and account takeover. In fact, many banks rely on a customer’s mobile phone as a method of verification. When logging into an account, customers are often asked to verify their identity through an SMS OTP (one-time password).

Leveraging in-branch biometric devices or readers, a bank can match a customer’s biometrics against their ID to verify a customer (or potential customer) that they are who they claim to be.

Hi-Tech Security Solutions: What is happening in terms of remote and mobile identity verification/authentication? As companies try to reduce ‘in-person’ visits and encourage people to transact via the Internet or their mobile devices, how are they trying to ensure the person is who they claim?

Garcia: Adopting a multi-layered approach, combining ID document authentication, biometrics and liveness detection and more, enables banks to reconcile security, compliance and user experience.

For example, a bank would typically mix different technologies and methods in their processes, depending on the level of security required for respective applications/requests. Some banks might agree that a PIN code might be secure enough to give access to an account balance, but a combination of face and code might be preferred for transfer of a large amount of money. In addition to that, banks might limit sensitive transactions to pre-approved devices only.

Hi-Tech Security Solutions: What about privacy? Should we give up the idea that we have any? If not, how can we retain some privacy without negatively impacting security? How does the industry support privacy while still producing identity technologies?

Garcia: People have a right to their own privacy and when it comes to facial recognition and biometrics, they need to be assured that a proper policy framework is in place to safeguard their data and restrict who has access to it and how it can be used. Public and private entities have to collaborate to define this regulatory framework.

The solutions developed by IDEMIA incorporate privacy by design principles. This protects consumers and guarantees the highest possible level of data protection that can be used for identity verification and authentication technologies.

Security and respect of data privacy are in the DNA of IDEMIA. As such, our biometric access control products comply with a wide range of industry and privacy regulation, including the recently adopted GDPR, the European data regulatory framework. This places the end-user at the centre of all consideration. Our systems only keep absolutely necessary information required in an encrypted form, called a template, which cannot be reverse engineered to recreate a face or a fingerprint and can be deleted on demand. To add to that, it is important to offer an end-to-end encryption solution to ensure that data remains safe.

Nicolas is the sales director for biometrics terminals at IDEMIA, leading the business in the Middle East and Africa region. An expert in the topic of biometric access technology, Nicolas also penned a book explaining the technology terms to the man on the street.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Proactive strategies against payment fraud
Financial (Industry) Security Services & Risk Management
Amid a spate of high-profile payment fraud cases in South Africa, the need for robust fraud payment prevention measures has never been more apparent, says Ryan Mer, CEO of eftsure Africa.

Understanding the power of digital identity
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
The way we perceive business flourishing is undergoing a paradigm shift, as digital identity and consumer consent redefine the dynamics of transactions, says Shanaaz Trethewey.

Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

Access and identity in 2024
Technews Publishing Gallagher HID Global IDEMIA Ideco Biometrics Enkulu Technologies neaMetrics Editor's Choice Access Control & Identity Management Integrated Solutions
SMART Security Solutions hosted a round table discussion with various players in the access and identity market, to find out what they experienced in the last year, as well as their expectations for 2024.

Protect your financial assets from unknown online threats
Products & Solutions Information Security Financial (Industry)
Malicious actors employ a myriad of sophisticated techniques, such as hacking, phishing, spamming, card theft, online fraud, vishing, and keylogging, among others, to exploit unsuspecting individuals and gain unauthorised access to their financial resources.

Is AI the game-changer for streamlining anti-money laundering compliance?
Financial (Industry) Security Services & Risk Management
In the aftermath of South Africa's recent grey listing, companies are now confronted with the imperative to address eight identified strategic deficiencies, while simultaneously reducing their financial crime risk through anti-money laundering compliance processes.

FutureBank and IDVerse partner to fight cybercrime
Information Security Financial (Industry)
Generative AI is breeding different fraud types, and cybercrime is predicted to become the biggest economy in the world in the next 18 months. FutureBank and IDVerse have joined forces to keep their customers safe.

Capitec installs Speedgate turnstiles
Turnstar Systems Financial (Industry) Access Control & Identity Management Products & Solutions
Capitec’s Head office in Cape Town recently took its security measures to the next level with the installation of three Speedgate secure lanes manufactured and installed by Turnstar Systems.

Banking the unbanked comes with security risks
Financial (Industry) Security Services & Risk Management
As grim as it was, the pandemic of recent years and its resultant global economic crisis were a prime catalyst for record number of first-time bank users, the previously unbanked.

Combating South African financial crime with RegTech
Financial (Industry) Security Services & Risk Management
RegTech South Africa is an emerging and dynamic industry with new regulations being consistently added and the need for compliance being more important than ever. With the recent Greylist announcement of South Africa, by FATF, compliance with international standards and regulations cannot be ignored.