As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Stephen Ritter of Mitek Systems examines why it might be an end of an era for MFA, and why the new frontier is multimodal biometrics.
The statistics are alarming.
Identity fraud losses in 2020 totaled $56 billion – that’s billions with a B – according to Javelin Strategy & Research, an astounding number that includes $49 billion in identity fraud scams, a category that Javelin measured for the first time in its 2021 Identity Fraud Study.
This new category includes instances when online criminals directly target consumers, often through a text, call, or email, rather than by obtaining a person’s personal information at the institutional level, a change in tactics in recent years that has significant consequences for both individuals and the companies they do business with. The consumer, Javelin says, has become “the path of least resistance.”
Consumers aren’t the only ones affected by this change in approach. It has significantly altered the advice we give our banking and financial services customers, as well.
Moving Multi-Factor to Multimodal
Remember the early days of online accounts when account security consisted of a username and a password? We could access our accounts as long as we entered those two bits of information. However, with the advent of software capable of cracking most passwords in minutes, if not seconds, savvy companies moved to multi-factor authentication, so-called because it requires more than two “factors” to complete an action.
- In addition to a username and password, a bank or financial institution may add a one-time passcode (OTP), often six randomly generated numbers that are texted to us. We then enter the OTP to complete the access protocol.
- A brokerage may provide a dongle, which must be inserted into a laptop or phone as part of the sign-in process.
- An organization may add a biometric to the mix, such as a fingerprint.
While an MFA system can be annoying, it is a significant step up in security – so much so that I will interrupt myself here to urge everyone within the sound of my words: if you have not yet enabled MFA on all your accounts that offer it, stop reading right now (at least momentarily) and go enable it. It is that much of an improvement over user/password-level security.
Unfortunately, however, even with the addition of a single biometric, whether an iris scan, fingerprint, or voice print, MFA is not enough to reliably stop today’s online criminals.
Enter Multimodal Biometrics
We have discovered that including two different types of biometrics in an identity verification system provides the foundation for a new level of security. Identity verification systems with two or more types of biometric modalities – perhaps face and voice, or an eye scan and a fingerprint – need only one more factor to offer the strongest identity verification protection available today.
The final missing piece is “liveness detection.” Simply put, liveness detection systems can distinguish the face of a live person from a manipulated image of that person lifted from a photo or online bio. They can tell the difference between a live person’s fingerprint and a photocopy of that same person’s fingerprint. They are essential to a robust security system because they can discern the difference between a live person’s biometrics and spoofed IDs or deep fakes.
Identity verification platforms with multi-modal biometrics and liveness detection offer next-generation levels of security. Even better, platforms now entering the market combine multi-modal biometrics and liveness detection with a frictionless, easy-to-use interface. With some, customers simply look into their phones or laptop cameras and say a phrase to easily and securely access an online account. This is the conversation my colleagues and I are having with our banking and financial institution customers.
And here’s the exciting part: because these new platforms are affordable and easy to deploy, with little or no developer time required, the level of security previously accessible only by large banks is now available to community banks, credit unions, and other types of financial institutions, from crypto exchanges to online gaming companies. Even smaller institutions can be up and running on the new security platform in a matter of hours.
Security and Customer Convenience Together at Last
Whether you are a community bank or a global banking enterprise, now may be the time to explore this new convergence of security and convenience. Questions to guide your discussion with your technology partners or vendors:
- Does this system use multimodal biometrics?
- What are the capabilities of its liveness detection system?
- How much development time will I need to assign? (Best answer: little or none)
- How long will it take to deploy?
- What kind of customer experience will the solution offer?
- Can you demo it for us?
- What is the ROI?
The path to secure online systems that are convenient for both banks and customers to use and deploy has been winding down and will continue to evolve, as the online arms race continues. The good news is that we are now entering a world in which we no longer need to choose between the level of security that protects our companies and the ease of use that allows us to win and retain customers.
- Multimodal Biometrics: The New Frontier Against Fraud - November 14, 2022