Use Cases

The IdentityX platform delivers the world’s most powerful – and flexible – biometric identity journeys, spanning all factors, channels, encounters, and milestones of the customer life cycle. From seamless digital onboarding to frictionless user authentication, two factor authentication, and account recovery, our customers can leverage a wide range of user authentication methods, including several biometric choices, to meet the demands of any use case, compliance requirement, or business imperative.

Though the possibilities are endless, a few of the more common use cases are listed below:

 

  • BIOMETRIC LOGIN: IdentityX allows organizations to offer their users biometrics as a simple alternative to passwords when accessing their account online.
  • TWO FACTOR AUTHENTICATION AND MULTI FACTOR AUTHENTICATION: IdentityX supports using multiple biometric and non-biometric factors. Combining factors – including something a user HAS (a device), something the user KNOWS (a PIN) and something the user IS (a biometric) -- provides a very strong yet convenient form of user authentication.
  • STEP UP AUTHENTICATION: IdentityX provides options for stronger user authentication methods when transactions require increasing levels of assurance.
  • ADAPTIVE AUTHENTICATION: IdentityX takes in signals from various sub-systems, which are then combined and analyzed to determine the “risk” of a given transaction and the appropriate level of identity assurance, commensurate with that risk.
  • OUT OF BAND AUTHENTICATION: IdentityX supports an out-of-band use case, which separates the place where authentication data is captured from the application that requires the authentication (typically using a different device). This increases overall security, as a hacker would have to simultaneously compromise both the application and the outside authentication channel.
  • OMNI-CHANNEL AUTHENTICATION (Out-of-Band): IdentityX allows a single mobile app to authenticate users across different contact points and channels (e.g., web browsers, ATMs, kiosks, call centers, in-branch terminals, retail checkouts, etc.).
  • OMNI-CHANNEL AUTHENTICATION (In-Band): IdentityX enables omni-channel solutions using in-band apps that share common enrollment data (enroll once – use anywhere).
  • NEXT GENERATION WEB AUTHENTICATION: IdentityX supports FIDO 2, with advanced authentication techniques enabled in standard browsers such as Chrome, Edge and Firefox.
  • DIGITAL ONBOARDING: IdentityX enables full compliance with Know-your-Customer (KYC) and Anti-Money Laundering (AML) rules and regulations, without ever requiring an applicant to appear in person or to mail physical documents.
  • CALL CENTER INTEGRATION: IdentityX enables biometric authentication for contact centers, via in-band or out-of-band models and supports voice recognition through POTS, VoIP, or VoLTE.
  • FRAUD REDUCTION: IdentityX enables many, varied use cases (be they Mobile Banking, Card-Not-Present, Time-and-Attendance, Digital Subscriptions, Proof-of-Life, or others) and combats fraud through biometric user authentication, strong two factor authentication, and multi factor authentication.

For all use cases, organizations should provide options that work with the many different devices customers use to access digital services (smartphones, tablets, PCs, IoT devices) and that support different means of interaction (e.g., contact centers, self-service scenarios, etc.).

 

IdentityX allows organizations to deploy strong yet convenient user authentication, achieved by pairing a biometric factor with the possession of a registered device, to open secured functions of an organization’s mobile app. This use case is often needed to replace a password-based authentication method. Passwords are difficult to type accurately on mobile phones and can be easily forgotten, stolen or compromised in a password database breach. Biometric options, used in conjunction with device authentication, are much faster for users and significantly more secure.

One typical approach is to allow users to choose between face, voice, fingerprint or another on-device biometric for login. Many organizations choose to make the biometric factors optional and may offer a PIN option as a fallback. This approach allows customers to select their preferred log in method and provides a biometric option for nearly all customers, regardless of device type.

 


Strong multi factor authentication combines two or more independent factors – including something the user HAS (a key of some sort), something the user KNOWS (a PIN or other secret), and/or something the user IS (a biometric).

Systems that rely on a single factor are more vulnerable to attack. Passwords can be hacked or guessed, and tokens/keys can be lost or stolen. In two factor and multi factor authentication (MFA), the system requires a user to provide two or more factors (from different categories), which leads to much higher confidence in the identity of the user and a decreased chance of account hacking.

IdentityX installs a unique certificate on the user’s mobile device (something the user has), then layers on something the user knows (a PIN or one-time-password), plus a biometric (face, voice, palm, finger, or behavioral -- something the user is), to create a strong form of two factor authentication or multi factor authentication.

Many organizations may require a stronger form of authentication when a customer initiates a high-risk transaction (e.g., adding a new external account for money transfers), when making a high-value payment, or when the organization’s fraud/risk detection systems detect unusual activity. Where a customer is re-authenticated while attempting such a transaction, this is called “Step-up” authentication, as it involves asking the customer to rise to a higher threshold of authentication.

Biometrics provide a convenient and secure tool for implementing step-up authentication, and doing so allows an organization to reduce initial barriers for low-risk transactions and to offer features with varying risk levels within the same app. By taking advantage of step-up authentication, an organization can provide a better mobile experience for their customers – which is increasingly becoming an important differentiator across industries.

The method of step-up authentication will typically differ from that which is used for initial login and can combine multiple factors and methods (all controllable by the organization using IdentityX) to create any desired authentication flow.

Adaptive authentication is similar to step-up authentication in that the factors required for a given transaction are determined by the risk in the transaction. In step-up authentication, risk is determined by the monetary value of the transaction or the importance of the function being attempted (e.g., changing contact information could be a hacking attempt). The threshold at which step-up authentication occurs is pre-configured or dynamically assigned in the system.

In adaptive authentication, various pieces of information about the user and the transaction are aggregated and analyzed to assess risk. Such information might include:

  • Is the transaction originating from a device associated with this account?
  • Is the transaction originating from a location normally associated with this account?
  • Is this transaction occurring on a day and time that matches when the user typically attempts this type of transaction?
  • Is the value of this transaction unusual for this user or for this transaction type?
  • Has the user’s mobile device been rooted or jailbroken?

Much of the information analyzed has to do with patterns of behavior for a given user. Sudden or dramatic changes in behavior may indicate fraudulent activity, so stronger forms of authentication might be invoked, and the user might be given fewer attempts to re-try after a failed attempt.
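The signal aggregation described above can be sketched as a small policy function. This is an added example, not Daon's or IdentityX's code: the weights, score thresholds, factor names, and the `step_up_amount` parameter are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Weights and thresholds are assumptions for this illustration; the page
# does not publish the scoring model used by IdentityX or its risk engines.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_location": 20,
    "unusual_time": 10,
    "unusual_amount": 20,
    "rooted_or_jailbroken": 40,
}

@dataclass(frozen=True)
class Signals:
    known_device: bool          # device already associated with the account
    usual_location: bool        # location normally associated with the account
    usual_time: bool            # matches the user's typical day/time pattern
    amount: float               # value of this transaction
    typical_max_amount: float   # per-user baseline for this transaction type
    rooted_or_jailbroken: bool

@dataclass(frozen=True)
class Decision:
    score: int
    factors: tuple              # factors the user must present
    max_attempts: int           # retry budget shrinks as risk grows
    reasons: tuple              # which signals fired, for the audit trail

def assess(s: Signals, step_up_amount: float = 1000.0) -> Decision:
    """Aggregate the five risk signals into required factors and retries."""
    hits = {
        "unknown_device": not s.known_device,
        "unusual_location": not s.usual_location,
        "unusual_time": not s.usual_time,
        "unusual_amount": s.amount > s.typical_max_amount,
        "rooted_or_jailbroken": s.rooted_or_jailbroken,
    }
    reasons = tuple(name for name, hit in hits.items() if hit)
    score = sum(WEIGHTS[name] for name in reasons)
    if score >= 50:
        factors, attempts = ("device", "pin", "face"), 1
    elif score >= 20 or s.amount >= step_up_amount:
        # The pre-configured step-up threshold still applies when the
        # behavioural signals look normal.
        factors, attempts = ("device", "face"), 2
    else:
        factors, attempts = ("device", "fingerprint"), 3
    return Decision(score, factors, attempts, reasons)

# Constructed sample: a new device in an unfamiliar location, small amount.
SAMPLE = Signals(False, False, True, 40.0, 200.0, False)
```

Recording `reasons` alongside the decision gives fraud analysts the signals that drove each step-up, which is what makes threshold tuning auditable.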

Many of our IdentityX customers utilize fraud detection tools, rules engines, risk engines or orchestration platforms to support automated, risk-based decision analysis for the authorization of transactions of interest (like transfers and payments). The IdentityX platform was designed to easily integrate with all of these tools, including Ping Identity, CA Solutions, ForgeRock, Nice Actimize, and many others.

 

In an out-of-band scenario, a transaction is initiated in one channel (perhaps the browser on your laptop), then the transaction is approved via another channel (perhaps an app on your mobile device). Security is significantly enhanced as any hacker would need to simultaneously compromise both your laptop’s connection to the internet and your mobile device’s connection. This is like a financial institution sending you a new credit card in the mail and then having you call a phone number to activate the card. A fraudster must first intercept the card from your mailbox, then gain access to your telephone to activate it.

IdentityX can generate push notifications and QR codes or use app links or other means of prompting the customer to authenticate, and the user experience is fast and frictionless. It is also possible to use one-time passwords, if preferred, and offline authentication is fully supported.

 


Using the out-of-band approach described above, organizations can give their customers a nearly identical authentication experience however those customers interact with the business. Any transaction, whether initiated via browser, contact center, kiosk or physical location, can be authenticated with an out-of-band push notification to the user’s mobile device.

This allows the customer’s mobile device to become the single device for authentication. By combining push notifications with biometric user authentication, organizations achieve a two factor authentication or multi-factor authentication process with a compelling user experience. All of the IdentityX biometric options are available in this use case and can be selected in various combinations, depending on the risks associated with each transaction.

With IdentityX, out-of-band authentication can be incorporated into an organization’s own mobile app, meaning customers need not download multiple apps.

Some examples of where this approach is most useful include:

  • Web application (e.g., online banking, account management, payments)
  • Transaction confirmation -- addressing “man in the middle” attacks and establishing a secure record (e.g. PSD2 Dynamic Linking)
  • Contact centers, with either a live agent or interactive voice response (IVR) system

 


Organizations can quickly and easily provide their users with a consistent, high-quality user authentication experience across all channels with the use of a single, organization-branded authentication app.

However, in many instances, an organization may want to embed two factor authentication or multi factor authentication (MFA) directly into a web app, interactive voice response (IVR) system, kiosk, or elsewhere. In such cases, IdentityX is perfectly suited to providing omni-channel authentication, in-band. Moreover, we’re strong believers in the notion of “enroll once – authenticate anywhere.” That is, once a user registers their device and enrolls their biometrics the first time, this information can be used to authenticate them in any situation or channel, with no need to separately enroll.

A simple example of this is as follows:

An organization enables voice biometric authentication for both mobile login as well as contact center authentication. Users enroll (once) with the organization, and their voice samples are securely stored in a central server. When a user wants to access their account via mobile app, they speak the passphrase to their mobile device, which compares their voice to the registration sample, and access is permitted. Now, when the user calls the contact center via any telephonic device (mobile or landline), they can speak the same passphrase to an IVR, which again compares their voice to the registration sample and approves access. Similarly, the user could speak the passphrase into an ATM, kiosk, or virtually any device with a microphone and be authenticated against the same, central repository of voice samples. 

Traditionally, customers using web applications in desktop or laptop browsers have faced a host of security challenges not seen in the mobile channel. While out-of-band authentication to a mobile device works well here – and the process is quite fast and streamlined -- it does create a minor interruption in the customer’s use of the web app. Thus, there is now a growing range of alternatives that can provide the same strong authentication for web apps, but with less inconvenience for the user.

IdentityX supports the W3C Web Authentication (WebAuthn) standard, which is part of FIDO 2. This standard can be used in apps running in the Chrome, Edge and Firefox browsers. It provides for the ability to register and then authenticate the user’s device in browser applications, providing a stronger authentication within the app.

Initially, users will be able to use FIDO U2F tokens, which are simple authentication devices available from multiple vendors. Once activated, they will perform a cryptographic operation to sign data that has been presented to them. (The tokens are registered to an individual using a secure registration process.)

Other authentication options will become available over time using the FIDO 2 standard as further browser support is added. We expect these to enable options that utilize a device’s key store (e.g., on mobile devices), which will remove the need for a U2F token. It will also be possible for apps running on a PC or Mac to utilize a mobile device as the token using Bluetooth or NFC.

These options provide further flexibility across the different ways that customers access digital services, and all will be supported by IdentityX.

 

IdentityX provides streamlined functionality that helps internet-only and other organizations comply with KYC/AML rules during account opening, customer onboarding or other similar scenarios. Face biometric authentication is particularly useful when verifying the identity of a customer with a photo ID document.

Furthermore, when IdentityX is involved in the onboarding and credential issuance, there is a strong binding of the identity of the person who was proofed and the person who was issued the credential. That is, it solves the problem of knowing that the person now enrolling in IdentityX is the same person we proofed as part of the onboarding process.

IdentityX supports face authentication in this scenario, with a wide range of liveness detection methods. See our Digital Onboarding solution page for more.

In order to support authentication of callers to an organization’s contact center, IdentityX can be used in an in-band or out-of-band configuration.

In an out-of-band scenario, virtually any supported biometric modality can be used for authentication. However, for an in-band configuration that allows user authentication over landlines or “plain old phone lines” (POTS), voice biometric authentication is the only realistic choice.

In such cases, IdentityX will compare a customer’s live voice sample (captured by either a human agent or an IVR system) to the voice sample recorded during enrollment. If the organization also has an IdentityX-enabled mobile app, the voice samples collected during the app enrollment can be used for this comparison, with no need to enroll separately for the contact center.

The use of biometric authentication allows organizations to avoid the need for knowledge-based authentication, which can be inconvenient for customers and time-consuming (i.e., costly) for contact centers.

Another option for providing convenient access is the use of an in-app-initiated voice call to the contact center. While using the mobile app (which is protected by strong two factor authentication or multi factor authentication), customers with unanswered questions can click on a “help” icon, which initiates a VoIP call to the contact center with no need for further authentication. Better still, the app can send information about what the user was doing in the app, thus giving the contact center agent immediate context for the purpose of the call.

Daon IdentityX has proven effective in reducing fraud in a wide range of biometric authentication use cases. Some of these include:

  • Proof-of-Life: Daon’s technology can be used in benefits administration programs to combat fraud by asking benefit recipients to periodically authenticate themselves, biometrically.
  • Time-and-Attendance: Biometric authentication, coupled with the geolocation capabilities of IdentityX, can be used to verify that a specific person was in a certain location at a particular time. This could apply to home care providers, transfer services, home appraisers, and many others.
  • Tax Compliance: Similar to the above use case, customers have used IdentityX to track the movement of their consultants across the EU to ensure taxable income is reported in the jurisdiction where it is earned.
  • Card-Not-Present: In payment networks, online card-not-present (CNP) transactions represent the highest risk of fraud. By biometrically authenticating the user, a significant reduction in fraud is achieved.
  • Digital Subscriptions: Significant fraud exists in the provision of digital services. An office or other group purchases one subscription, then shares the credentials widely, defrauding the service provider. This practice can be significantly curtailed by biometrically authenticating digital subscribers.

Discover more about Daon IdentityX authentication use cases

Whether you're seeking a better way to onboard users, need to deliver better compliance with security regulations, or want to encourage more app use or self-service transactions, Daon IdentityX can help. To find out about more use cases, or to discuss your individual requirements, get in touch with us.