Use Cases

IdentityX is a platform that allows organizations to provide faster, easier and more secure authentication for customers. It does so by offering a range of authentication methods, including several biometric choices. This means that there are options that suit a variety of situations where customers need to confirm their identity.

Common use cases include:

  • BIOMETRIC LOGIN: IdentityX allows organizations to offer their users biometrics as a simple alternative to passwords when accessing their account online.
  • STRONG, MULTI-FACTOR AUTHENTICATION: IdentityX supports MFA, using multiple factors: something a user HAS (a device), something the user KNOWS (a PIN) and something the user IS (a biometric) to provide a very strong, yet convenient and easy to use form of authentication.
  • STEP UP AUTH: IdentityX enables options for more or stronger authentication methods for transactions requiring higher levels of assurance.
  • ADAPTIVE AUTH: IdentityX supports using “signals” from various sub-systems which are then combined and analyzed to determine the “risk” in a given transaction and then require the appropriate level of identity assurance during authentication.
  • OUT OF BAND: IdentityX supports out-of-band authentication: this separates the place where authentication data is captured from the application that requires authentication (typically using a different device). This increases overall security as a hacker would have to simultaneously compromise both the application and the authentication channel.
  • OMNI-CHANNEL (Out-of-Band): IdentityX enables a single mobile app to authenticate users across different contact points and channels (e.g. internet browsers, ATMs, kiosks, call centers, in-branch terminals, retail checkouts).
  • OMNI-CHANNEL (In-Band): IdentityX also supports omni-channel solutions, using in-band apps that share common enrollment data (enroll once – use anywhere).
  • NEXT GENERATION WEB AUTHENTICATION: Traditional authentication methods on desktop and laptop devices have been limited to username and password. With the advent of FIDO 2.0, advanced authentication techniques will be enabled in standard browsers such as Chrome, Edge and Firefox. IdentityX supports the FIDO 2.0 standard.
  • DIGITAL ONBOARDING: IdentityX DoB functionality enables branchless organizations, such as internet only banks, to comply with Know-your-Customer (KYC) and Anti-Money Laundering (AML) rules and regulations, without requiring the applicant to appear in person or to mail physical documents.
  • CALL CENTER INTEGRATION: IdentityX enables biometric authentication with call centers via in-band or out-of-band models and even supports voice-over-IP.
  • FRAUD REDUCTION: Be it Mobile Banking, Card-Not-Present, Time-and-Attendance, Digital Subscriptions or Proof-of-Life, IdentityX enables many, varied authentication use cases and combats fraud through biometric authentication and strong multi-factor authentication.

For all use cases, organizations should provide options that work with the different devices that customers use to access digital services (smartphones, tablets, PCs, IoT devices) and that support different means of interaction (e.g., contact centers, self-service scenarios).

IdentityX allows organizations to enable convenient and strong authentication, using a biometric with a device that is registered to the user, to open secured functions of an organization’s mobile app, often in replacement of a password-based authentication method. Passwords are difficult to type accurately on a mobile phone and can also easily be forgotten, stolen or compromised in password database thefts. Biometric options, used in conjunction with device authentication, are much quicker for users and can also be considered more secure than a password alone.

The most typical approach is to allow the customer to choose between face, voice, palm or (if available on the device) fingerprint or another on-device biometric to log in. Many organizations choose to make a biometric optional and may offer a PIN option as a fallback. This approach allows customers to select their favorite method of logging in and offers a biometric option to almost all customers regardless of device.


Strong multi-factor authentication combines two or more independent factors, including something the user has (a key of some sort), something the user knows (a PIN or some other knowledge), or something the user is (a biometric).

Systems that rely on a single factor are more vulnerable to attack. Passwords can be hacked or guessed, and tokens/keys can be stolen. In multi-factor authentication (MFA) the system requires the user to provide two or more factors (from different categories) which leads to much higher confidence in the identity of the user and decreases the chance of account hacks.

With a unique certificate installed on the user’s mobile device (something the user has), IdentityX then layers on something the user knows (a PIN or one-time-password), plus biometrics (face, voice, palm, finger, or behavioral: something the user is), to create a very strong form of authentication.

Many organizations may require a stronger form of authentication when a customer initiates a higher-risk transaction, e.g., adding a new external account for payments, making a high-value payment or where an organization’s fraud/risk detection system detects unusual activity. Where a customer is re-authenticated when doing such a transaction, this can be called “Step up” authentication, since it involves asking the customer to be authenticated to a higher level.

Biometrics provide a convenient and secure tool for implementing step-up authentication. This allows organizations to reduce restrictions or offer additional features within an app. The organization can provide a better mobile experience for their customers, which is increasingly becoming an important differentiator across industries.

The method of step-up authentication will typically differ from that used for initial login and can use stronger methods controllable by the organization using IdentityX and/or a combination of factors.

Adaptive authentication is similar to Step-Up Authentication in that the factors required for a given transaction are determined by the risk in the transaction. In Step-Up Authentication, risk is determined by the monetary value of the transaction or the criticality of the function attempted (e.g. changing contact information could be a hacking attempt). The threshold at which step-up authentication occurs is pre-configured or dynamically assigned in the system.


In adaptive authentication various information about the user and the transaction are analyzed to assess risk. Such information could include, for example:

  • Is the transaction originating from a device associated with this account?
  • Is the transaction originating from a location normally associated with this account?
  • Is this transaction occurring on a day and at a time when this user typically does this type of transaction?
  • Is the value of this transaction unusual for this user for this type of transaction?
  • Has the user’s mobile device been rooted or jailbroken?

Much of the information analyzed has to do with patterns of behavior for a given user. Sudden or dramatic changes in behavior may indicate fraudulent activity and thus, stronger forms of authentication should be invoked, and the user given fewer attempts to re-try after a failed attempt.
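The signal-to-assurance mapping described above can be sketched as a small policy function. This is an added example, not Daon or IdentityX code: the field names, weights, thresholds and tiers are assumptions chosen for illustration. A signal that is missing is scored as anomalous, so the policy fails closed.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

# Assumed weights and tiers, for illustration only.
WEIGHTS = {"unknown_device": 35, "unusual_location": 20, "unusual_time": 10,
           "unusual_amount": 20, "rooted_device": 40}
# (minimum score, required factor categories, retries allowed after a failure)
TIERS = [(60, ("has", "knows", "is"), 1),
         (30, ("has", "is"), 2),
         (0, ("has",), 3)]

@dataclass
class Signals:
    known_device: Optional[bool]    # device already associated with the account?
    usual_location: Optional[bool]  # location normally seen for the account?
    usual_time: Optional[bool]      # typical day and time for this user?
    amount: float                   # value of this transaction
    past_amounts: List[float]       # user's earlier amounts for this transaction type
    device_rooted: Optional[bool]   # rooted or jailbroken?

def unusual_amount(amount: float, past: List[float], factor: float = 3.0) -> bool:
    # No history means no baseline, so the amount cannot be called usual.
    return not past or amount > factor * median(past)

def risk_score(s: Signals):
    # "is not True" / "is not False" make a missing (None) signal count as a hit.
    hits = {
        "unknown_device": s.known_device is not True,
        "unusual_location": s.usual_location is not True,
        "unusual_time": s.usual_time is not True,
        "unusual_amount": unusual_amount(s.amount, s.past_amounts),
        "rooted_device": s.device_rooted is not False,
    }
    reasons = [name for name, hit in hits.items() if hit]
    return sum(WEIGHTS[name] for name in reasons), reasons

def decide(s: Signals) -> dict:
    """Return required factor categories and retry budget for one transaction."""
    score, reasons = risk_score(s)
    for floor, factors, retries in TIERS:  # tiers are ordered highest first
        if score >= floor:
            return {"score": score, "factors": factors,
                    "retries": retries, "reasons": reasons}

# Constructed sample inputs.
ROUTINE = Signals(True, True, True, 50.0, [40.0, 60.0, 55.0], False)
TRAVELLING = Signals(True, False, False, 50.0, [40.0, 60.0, 55.0], False)
ROOTED_NEW_DEVICE = Signals(False, True, True, 50.0, [40.0, 60.0, 55.0], True)
NO_TELEMETRY = Signals(None, None, None, 10.0, [], None)

if __name__ == "__main__":
    for name in ("ROUTINE", "TRAVELLING", "ROOTED_NEW_DEVICE", "NO_TELEMETRY"):
        print(name, decide(globals()[name]))
```

Returning the reasons alongside the decision gives the fraud or audit system a record of why a stronger method was required.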

Many of our IdentityX customers utilize fraud detection tools, rules engines, risk engines or orchestration platforms to support automated, risk-based decision analysis for the authorization of transactions of interest (like transfers and payments). The IdentityX platform was designed to easily integrate with all of these tools and has already been implemented with the likes of Ping Identity, CA Solutions, ForgeRock and Nice Actimize, and easily integrates with others.

In an out-of-band scenario, a transaction is initiated in one channel (say, through the browser on your laptop) – then the transaction is approved via another channel (such as an app on your mobile device). Security is significantly enhanced as any would-be-hacker would have to simultaneously compromise both your laptop’s connection to the internet and your mobile device’s connection. This is analogous to a financial institution sending you a new credit card in the mail and then having you call a phone number to activate the card. A fraudster must first intercept the card from your mailbox then gain access to your telephone to activate it.

IdentityX can generate push notifications and QR codes or use app links or other means of prompting the customer to authenticate and make the user experience quick and easy. It is also possible to use one-time passwords if preferred and offline authentication is supported.


Using the out-of-band approach described above, it is possible to give your customers a nearly identical authentication experience when they interact with your business in different ways. A transaction, whether initiated via a browser, or an ATM, kiosk, call center, or even in-branch can be authenticated with an out-of-band push notification to the user’s mobile device.

This allows the customer’s mobile device to become the single device for authentication. When combined with push notifications and a biometric authentication, this provides a multi-factor authentication approach with a compelling user experience. All of the IdentityX biometric options are available and can be used in various combinations depending on the risk perceived to be associated with the transaction being authenticated.

With IdentityX, out-of-band authentication can be incorporated into an organization’s own mobile app, meaning customers do not need multiple apps; a separate Authenticator app can be used if needed.

Some examples of where this approach is useful include:

  • Web application (e.g., online banking, account management, payments)
  • Transaction confirmation -- addressing “man in the middle” attacks and establishing a secure record (e.g. PSD2 Dynamic Linking)
  • Contact center, an online chat or a voice assistant interaction.

Organizations can quickly and easily provide their users with a consistent, high-quality authentication experience across all channels with the use of a single, organization-branded authentication app that is used in an out-of-band mode to authenticate users to any channel, as described above.

However, in many instances, an organization may want to embed MFA into a mobile device app, ATM, Interactive Voice Response Unit (IVR), kiosk or other appliance and operate in-band. IdentityX is well suited to such omni-channel solutions. What’s more, we support the notion of “enroll once – use many”. That is, once a user registers their device and enrolls their biometrics, this information can be used to authenticate them in any channel. There is no need to separately enroll in each channel.

A simple example of this is as follows: An organization enables voice biometric authentication for both mobile login as well as call center authentication. Users enroll (once) with the organization and their voice samples are securely stored in a central server. When a user wants to access their account via their mobile app, they speak the passphrase which is compared to the registration samples and access is permitted. Now, when the user calls the contact center via any telephonic device (mobile, landline) they will speak the passphrase to an IVR which will then verify this against the registration samples and customer access is approved. Similarly, the user could speak the passphrase into an ATM, kiosk, or virtually any device with a microphone and be authenticated against the same, central repository of voice samples.

Traditionally, customers using web applications in browsers have faced a host of security challenges not faced in the mobile channel. IdentityX offers a platform for out-of-band authentication, which is appropriate for when the most security is required. While we have worked to ensure that the process is as easy as possible, this is still an interruption in the flow of the web app for the customer. There is now a growing range of alternatives that provide stronger authentication for web apps with less inconvenience for the user.

IdentityX supports the W3C Web Authentication (WebAuthn) standard, which is part of FIDO 2.0. This standard can be used in apps running in the Chrome, Edge and Firefox browsers. It provides for the ability to register and then authenticate the user’s device in browser applications, providing a stronger authentication within the app.

Initially, users will be able to use FIDO U2F tokens, which are simple authentication devices available from multiple vendors. Once activated they will perform a cryptographic operation to sign data that has been presented to them. The tokens are registered to a user using a secure registration process.

Other authentication options will become available over time using the FIDO 2.0 standard as further browser support is added. We expect this to enable options that use a device’s key store (e.g., on mobile devices), which will remove the need for a U2F token. It will also be possible for apps running on a PC or Mac to utilize a mobile device as the token using Bluetooth or NFC.

These options provide further flexibility across the different ways that customers use to access digital services, and all will be supported by IdentityX.

IdentityX provides key functionality that helps internet-only and other organizations comply with KYC/AML rules during account opening, customer onboarding or other similar scenarios.

Face biometric authentication is particularly useful when verifying the identity of a customer with a photo ID document.

Furthermore, when IdentityX is involved in the onboarding and credential issuance, then there is a strong binding of the identity of the person that was proofed and the person that was issued the credential. That is, it solves the problem of how I know that the person that is about to enroll in IdentityX is the same person that I proofed as part of the onboarding process.

IdentityX supports face authentication in this scenario, including a range of liveness detection methods. See Digital Onboarding for more.

In order to support authentication of callers to the organization’s contact center, IdentityX can be used in an in-band or out-of-band configuration. In an out-of-band scenario, virtually any supported biometric modality could be used for authentication. However, for in-band, allowing authentication over landlines or “plain old phone lines” (POTS), voice authentication is the natural choice. IdentityX can compare a customer’s voice sample captured in an organization’s Interactive Voice Response (IVR) system to a sample recorded during enrollment in IdentityX. If the organization also has an IdentityX enabled mobile app, the voice samples collected when the user enrolled in the app can be used for comparison for call center authentication – there is no need to enroll separately in the organization’s app and call center.

The use of biometric authentication allows organizations to avoid the need for knowledge-based authentication, which can be inconvenient for customers and costly for organizations.

Another option for providing convenient access to the contact center is the use of an in-app-initiated voice call to the contact center. When a user is having difficulty or has a question about the app they click on a “help” icon. If the user had previously used strong authentication to access the app, the mobile app could connect users to the contact center using VOIP to allow customers to be assisted without further authentication. Furthermore, the app could send information about what the user was trying to do when they clicked Help and thus give the Call Center agent context for the purpose of the call.

Daon IdentityX has proven effective in reducing fraud in a number of novel use cases for biometric authentication. These include:

  • Proof-of-Life: Daon’s technology can be used in benefits administration programs to combat fraud by having benefit recipients periodically biometrically authenticate, proving they are still alive.
  • Time-and-Attendance: Biometric authentication, coupled with the geolocation capabilities of IdentityX, is used to verify that a specific person was in a certain location at a particular time. This could apply to home care providers, transfer services, home appraisers.
  • Tax Compliance: Related to Time-and-Attendance above, one organization uses IdentityX to track movement of their consultants across the EU to ensure taxable income is reported in the jurisdiction where it is earned.
  • Card-Not-Present: In payment networks, online card-not-present (CNP) transactions represent the highest risk of fraud. By biometrically authenticating the user, a significant reduction in fraud can be realized.
  • Digital Subscriptions: Significant fraud exists in the provision of digital services. An office or other group purchases one subscription but shares the credentials across its members, defrauding the service provider. This practice can be significantly curtailed by biometrically authenticating digital subscribers.

Discover more about Daon IdentityX use cases

Whether you're seeking a better way to onboard users, need to deliver better compliance with security regulations, or want to encourage more app use or self-service transactions, Daon IdentityX can help. To find out about more use cases, or to discuss your individual requirements, get in touch with us.