Is Identity Proofing and Authentication Right for My Industry?
by Conor White, President, New Industries
November 8, 2023
– The combination of security and convenience inherent with biometrics-based identity proofing and authentication makes it a very attractive strategy for businesses across industries.
– Choosing a digital identity partner, not just a vendor, is critical to ensuring the success of your investment in identity assurance solutions. Aim to choose a partner with a proven track record of experience, innovation, and a customer-first mindset.
– Passwordless MFA (multi-factor authentication) that uses a combination of biometric and device-based factors is the best defense against fraud, data breaches, and UX friction.
– Industries that are highly regulated, like financial services and healthcare, can especially benefit from biometric authentication, as it’s a way to remain compliant with rules and stay secure during risky or sensitive transactions.
The TransUnion 2023 State of Omnichannel Fraud Report found that digital fraud attempts have risen globally by 80% from pre-pandemic levels. In its 2023 U.S. Identity and Fraud Report, Experian reported that consumers feel like they are more of a target for fraud now than ever before, with 64% of respondents citing identity theft as a top concern. The report also found that 70% of businesses said fraud losses have increased in recent years.
One way that many businesses are responding to both increased fraud and customer security expectations is by moving from knowledge-based identity authentication (KBA) factors, such as passwords, to biometrics-based digital identity proofing and authentication that uses factors like fingerprints, facial scans, and voice prints.
It all starts with identity proofing. When customers create an account with, or onboard to, a service provider, they establish their identity with that organization. In a typical example of biometric identity proofing, the customer is asked to provide a government-issued photo ID, such as a passport or driver’s license, and is then prompted to take a selfie.
In the background, AI-powered algorithms compare the identifying points of the face in the ID and in the selfie to confirm that the person opening the account or accessing services is truly who they claim to be. The identity system performs a liveness check on the selfie to confirm that it’s authentic and not a previously taken photo or a still captured from a video – both of which are a form of fraud known as a presentation attack. Generative AI-based deepfakes are today’s most well-known, and most potent, form of presentation attack.
Identity proofing can also check the person’s facial biometric and ID image against databases of known fraudsters (known as watchlists) in just a few seconds, increasing security without slowing down the onboarding process.
During identity proofing, the customer also establishes the factors they will use to authenticate themselves whenever they want to access the account in the future. Biometric factors could include a facial scan, a fingerprint, a voice print, or behavioral biometric factors, where the customer is identified through unique patterns in behaviors such as typing, moving a mouse, or swiping between screens.
It’s not just customer identities that need to be secured and authenticated, though. Biometric authentication also improves the security of critical systems and information access for employees, removing any friction for those whose roles require them to have sensitive data privileges.
Biometrics increases security because, unlike KBA factors, there’s nothing to lose, forget, or steal; the biometric templates created during the onboarding or identity authentication processes (for companies that only require quick authentication of users) are also immune to reverse engineering by a fraudster.
This combination of security and convenience makes biometrics very attractive for businesses in a variety of industries that find themselves under increasing attack in the post-pandemic era.
A Daon study, The Zero Trust Consumer Era, showed that 81% of consumers have online accounts with banks, 67% have online accounts with credit cards, and 64% have online accounts with financial apps. Respondents to the U.S. News and World Report 2023 Identity Theft Survey said their biggest concern was a financial account takeover (ATO) – “more so than a home break-in.” In its 2022 True Cost of Fraud™ Study, LexisNexis® Risk Solutions reported that fraud had increased 57% for U.S. investment firms and 64% for U.S. credit lenders, and that the cost of fraud was highest for U.S. banks, where every $1 of fraud loss actually costs $4.36.
Because financial institutions have long needed to stay ahead of both (cyber)criminals and changing regulations around account security and online transactions, this was naturally the first industry to widely adopt biometrics-based digital identity verification solutions.
Today, both single-factor and multi-factor authentication (MFA) processes that are powered by biometrics help banks comply with the strict customer identification elements of both Know Your Customer (KYC) and Anti-Money Laundering (AML) rules. Banks can layer on combinations of factors, such as a fingerprint and a PIN or an OTP (one-time password) and a facial scan, to create additional security for high-value transactions while also keeping the process simple for their legitimate customers.
Financial services companies are amongst the most highly regulated organizations. Choosing an identity assurance partner, and not simply a vendor, is key to remaining compliant, competitive, and customer-friendly in the rapidly changing landscape of digital finance and banking.
Many government agencies and public sector organizations have turned to biometric identity verification and authentication to establish and confirm citizen identities for activities ranging from immigration and border security to accessing various benefit and pension programs.
For these scenarios, the latest passports contain biometric information in RFID (Radio Frequency IDentification) chips that are read when the traveler slides the passport into a scanner. The traveler also looks at a screen while a facial scan is taken. Capturing a face biometric to confirm identity is simple for the passenger, only takes a few minutes, and greatly improves border security, as the person’s biometric template is unique to them and impervious to fraud.
Near-field communication, or NFC, is the technology that allows mobile phone users to pay for, unlock, and otherwise gain access to data, products, and services with extreme security and ease. NFC technology is similar to RFID; however, it takes place within a much smaller range, usually when a device is held within a few centimeters of a targeted receiver.
Near-field communication is a widely applicable technology that the public sector is already taking advantage of across borders and for numerous citizen services. NFC can also allow applications to read the data in the RFID chips present in ePassports, eIDs, and other documents, primarily through smartphones, to enhance the know-your-customer (KYC) experience.
The Center for Democracy and Technology has reported that, to address the increase in benefits fraud and waste that occurred during the pandemic, “many agencies turned to biometric-based systems, both to help more effectively identify fraudulent actors to avoid paying out erroneous benefits or avoid providing services to ineligible individuals and more quickly verify legitimate applicants…”
With so many activities being done online, and many agencies enmeshed in regulatory environments that require security of citizen information, the push is on in many countries for the digitization of national IDs.
The Digital Watch Observatory of the Geneva Internet Platform estimates that by the end of 2024, governments globally will have issued 5 billion digital IDs, primarily in Asia and Africa. According to Forbes, the EU’s eIDAS 2.0 digital identity mandate went into effect in September, with the goal of ensuring that at least 80% of citizens can access public services using a digital ID by 2030.
In the U.S., the move toward the ease and security of digital identity has begun with driver’s licenses in several states. In June, Route Fifty reported that “at least 17 states allow for digital licenses,” including Maryland, Arizona, Colorado, Georgia, Louisiana, Mississippi, Hawaii, Ohio, and Utah.
As the adoption of biometrics ramps up in the public sector on an international scale, organizations are turning to trusted identity assurance partners to help them futureproof their services for the security and well-being of citizens everywhere.
People use their smart devices to shop, access accounts, entertain themselves, and more – increasingly, much, much more with each next step in digitization. For some users, a smartphone is the only conduit for them to access the internet. Smartphones and other smart devices also play an important role in multi-factor authentication (MFA) security, where, for example, a one-time code is sent to the customer’s phone to help them prove who they are after they scan their fingerprint or take a selfie (face biometric).
For criminals, a smartphone contains a treasure trove of data and PII (personally identifiable information), making it more important than ever for telecom providers to enable their customers to better secure their devices and the way they access telecom services.
One of the largest threats the industry faces is SIM swap attacks, which allow fraudsters to take control of another person’s phone number and account without having possession of the physical phone. This type of fraud has risen so much recently that, in February 2022, the FBI issued a public service alert, citing losses of over $68 million in 2021, compared to losses of $12 million in 2020.
The SIM (subscriber identification module) is the smart card that stores owner information on a mobile phone; traditionally, when a user buys a new phone, the card is easily moved over from the old one. Scammers took (and still take) advantage of this ease by calling telecom providers and using personal information, including answers to security questions they have stolen or bought on the dark web, to convince the agent that they were the real customer in genuine possession of their phone, a tactic known as social engineering. If conned, the telecom agent activated the criminal’s SIM card, thereby granting them access to the real user’s data and accounts – and the ability to get around MFA security by resetting the factors.
eSIM fraud is a symptom of the modern-day telco industry’s rapid expansion – and the rapid growth of AI and other forms of sophisticated technology that fraudsters exploit. eSIMs are electronic (not physical) SIM cards and are now being widely used in smartphones built by the biggest names in smart devices, including Apple, Google, Samsung, and Motorola.
eSIM devices have many benefits. The first is convenience; by not needing a SIM card, consumers avoid having to visit an operator’s physical location or wait for a chip to come in the mail in order to add or upgrade mobile devices. eSIMs can be remotely activated with ease and can connect customers to a network in minutes.
Using eSIMs also makes switching between networks an easier task for consumers. Because a physical SIM card connected to the network isn’t necessary, customers have more freedom and flexibility to select the best operator for them while keeping existing hardware.
The biggest challenge for operators offering eSIMs is that, by increasing the frequency of remote activation, the opportunity for bad actors to commit identity fraud at the point of activation, like SIM-swapping, is also naturally increased. This is especially true for operators that continue to rely on legacy security measures, like usernames, passwords, SMS OTPs (one-time passwords), or call center-based services to onboard and authenticate their customers. Legacy, or knowledge-based, authentication factors drastically raise the potential for fraud, which begins as soon as a customer signs up for a mobile service.
When a customer activates a device, operators must be able to verify their identity accurately, securely, and quickly. To do this with the certainty demanded by today’s digital landscape and increasingly leery consumers, a comprehensive, futureproof biometric identity proofing and verification solution is necessary.
Cybertalk.org wrote in August that, according to CISA (the U.S. government’s Cybersecurity and Infrastructure Security Agency), telecom providers are not adequately protecting consumers from SIM swapping. “The agency recommends that public and private organizations adopt passwordless authentication and zero trust architecture in order to reduce the future of SIM swapping incidents.”
Biometrics-based digital identity authentication enables providers to go passwordless, reducing the industry’s vulnerability to SIM swapping attacks. For example, instead of answers to security questions, the person requesting the SIM swap can be prompted to provide a selfie, an essentially fraud-proof biometric factor which can be checked for liveness and compared to the legitimate customer’s image on file.
The healthcare industry is a prime target for identity fraud due to two main vulnerabilities. First, healthcare data breaches expose valuable patient data that can be used to commit additional crimes. For example, according to U.S. News and World Report, “In July 2023, HCA Healthcare announced personal data from some 11 million patients (about twice the population of Arizona) was compromised in a breach that exposed their names, dates of birth, email, and phone numbers.”
Second, in identity systems with so many moving parts, there are ample opportunities for patient and employee fraud and error to occur. Types of misuse include everything from family members using each other’s insurance credentials to employees using IDs to criminally access drugs to things that affect the patient’s standard of care, such as remote staff misrepresenting themselves or patients receiving the wrong drugs.
The Verizon 2022 Data Breach Investigations Report found that 82% of data breaches involved the human element: “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike.”
The implementation of digital IDs in healthcare also has a myriad of positive uses: importantly, they can open new opportunities for people to participate in clinical trials and expand the reach of telehealth, making healthcare more accessible and inclusive of wider populations.
With biometric authentication, insurance cards and employee or patient credentials can’t be shared or used even if they are somehow stolen. By using unique physical or morphological characteristics that are unchanging and undeniably individual to each person, biometric authentication ensures that only the true owner of data can access it. It also establishes and verifies the identity of a patient or a provider during the course of care, which can easily and more securely match patients to their electronic records, thus reducing errors and heading off potential lawsuits.
Shopify estimates the global value of online retail will total $6.3 trillion this year. This includes 13.9% of the $354.80 billion luxury goods market. At the same time, according to Juniper Research, the total cost of online fraud to merchants will exceed $48 billion in 2023.
Digital identity proofing and authentication backed by biometrics provides better security for online shopping, especially for luxury and other costly merchandise. It ensures the person opening an account or making a purchase is who they say they are, which also has benefits for online sales of age-restricted products.
This digital solution has similar benefits in brick-and-mortar business settings, too, because organizations can now enable (and many already do) secure, frictionless self-service of age-restricted offerings, saving customers time and the service provider money. Biometric identity assurance also prevents the sharing of membership-based shopping credentials, a hurdle that has been both difficult and costly for retail companies across the globe to overcome.
Today’s vehicles are more sophisticated than ever before. Cars are becoming increasingly automated and dependent on innovative software and hardware. Manufacturers that implement digital identity authentication that incorporates biometrics are improving car security and owner convenience.
There are already SDVs (software-defined vehicles) that let owners use their fingerprint to unlock the car and start the engine. The use of iris and facial scans for this purpose is also being explored. This deployment of biometrics stops would-be carjackers before they can start; even if a door is left unlocked and the thief gets into the car, they can’t start the car without the correct biometric credentials.
Biometrics also offers the opportunity to increase accessibility for owners with mobility issues and disabilities. For example, car users could control a properly equipped car with their voice, increasing the ease with which they get where they want to go and securing their adapted vehicle against theft.
As the number of driverless cars increases, biometrics can also protect access to car control systems with valid user credentials that can’t be stolen, borrowed, hacked, or easily duplicated.
Software-defined vehicles and the car industry’s adoption of biometric identity assurance systems illustrate only the beginning of how future drivers will benefit from the convenience, security, and cost-savings the technology offers.
Travel & Hospitality
With biometrics, customer experiences across the travel and hospitality industry can be made more secure and more convenient.
The TSA is testing biometrics to streamline traveler experiences in-airport while aiding operational efficiency and enhancing security. Airlines are combining biometric identification with automation for faster check-in and bag drops in airports that have become increasingly crowded. According to OAG, a Spirit Airlines self-bag drop system equipped with biometric photo-matching had an average processing time of 70 seconds per customer, reducing the time spent checking bags by 30%.
Digital identity verification improves security for any business that issues a ticket, from cruises to bus tours, ensuring that a traveler is authentic without diminishing the customer experience.
Hotels are also seeing the benefits of biometrics, from frustration-free self-check-in to a guest’s ability to use their biometric factor throughout their stay to access and pay for services and dining. Additionally, in some hotels, a guest’s fingerprint or facial scan functions as their room key, ensuring only they can open the door and that they’ll never misplace a key during their visit.
This idea is quite popular with guests. The Oracle Hotel 2025 report found that 62% of consumers agreed that their experience would be improved with biometric technology.
In an industry where time is always of the essence, biometric identity proofing and authentication can help your company and its customers save hours, not seconds – not to mention money.
A solution for every industry
No matter what industry you’re in, your customers and your business have valuable data and accounts that need to be protected. Moving to biometrics-based digital identity proofing and authentication for both customers and employees can reduce the likelihood of security breaches and the cost of identity fraud, all while improving customer experience and creating happier users.
See how Daon xProof™ can help you move your digital identity assurance into a more secure, biometrics-based future.