How can enterprises and governments implement a superior authentication solution?
Providing a passwordless authentication solution is not enough.
Even providing a multi-factor authentication solution is not enough.
This post describes why Incode’s approach to authentication provides superior security, accuracy, and speed.
What is authentication?
Before delving into authentication, let’s define the two crucial parts of an identity proofing solution, identity verification and authentication.
- Identity verification establishes an account and confirms that a person is the genuine owner of the real-world identity they are claiming.
- Authentication confirms that the correct person is accessing the previously established account.
For example, a gaming site verifies the identity (and age) of a person, then authenticates that the person accessing the gaming site is that particular person (and not a minor).
Ideally the gaming site should use the same vendor for its identity verification and authentication solutions. If the gaming site uses two separate vendors, any authentication failure (such as letting an underage person access a verified gaming account) could lead to finger-pointing between the identity verification and authentication vendors.
Three key requirements for authentication
An authentication solution needs to meet the following three key requirements.
- Security. A leaky authentication solution damages the enterprise and its users. An authentication solution must protect enterprise and user privacy and security. The best authentication solutions minimize data movement, encrypt data in transit and at rest, comply with industry security standards, and comply with local privacy laws and regulations.
- Accuracy. An authentication solution that allows the wrong person to access a verified account is useless, as is an authentication solution that prevents a legitimate user from accessing their verified account. The best authentication solutions are independently tested by an organization such as the U.S. National Institute of Standards and Technology (NIST), rather than relying on a vendor’s untested promises of accuracy.
- Speed. If it takes a user too long to authenticate to your enterprise’s account, the user will find another enterprise that provides quicker access. The best authentication solutions provide rapid access, without friction or frustration.
Password-based solutions fail at authentication
For decades, the most popular authentication method has been “something you know.” While passwords are the most common implementation of this method, there are others.
- A personal identification number (PIN)
- The city of your birth
- Your mother’s maiden name
- The name of your favorite pet
As many of you are aware, the problem with “something you know” authentication is that everyone else knows it, leaving your account open to anyone else.
- If your user adopts the same password for multiple sites, vulnerability of one site’s password leaves all other sites open to compromise.
- If your user’s password is stored without adequate security, it can be leaked to everyone. This happens all too regularly.
- The answers to so-called “security” questions, such as your birth city or the name of your favorite pet, can be discovered via simple web searches. Your users’ accounts can be compromised through a single social media post.
Most multi-factor authentication solutions fail at authentication
Enter multi-factor authentication, the technique that was supposed to render passwords dead. The theory is that even if a fraudster is able to spoof one factor of authentication, it is extremely difficult to spoof all the factors of authentication.
This is the conventional wisdom. Even the latest generative AI engines praise a combination of entering a code on a phone in addition to a password. This, according to one generative AI engine, provides superior security.
Nevertheless, conventional wisdom and generative AI can both be wrong.
- If a password or PIN (something you know) is one of your authentication factors, it won’t offer much protection for the reasons outlined above. Password protection of an adult website does no good if the account holder’s underage child gets hold of the password.
- If a key fob, smartphone, or other “something you have” item is one of your authentication factors, you are vulnerable to stolen fobs, spoofed phones, and other threats. Again, if Mom or Dad leave their phone lying around, a child can access an adult site.
Even biometric factors (something you are) can be vulnerable to spoofs or may provide inaccurate results.
- For example, most biometric authentication methods do not provide “liveness detection,” or assurance that the biometric sample in front of the smartphone camera is a real live person and not a spoof.
- Similarly, most biometric authentication methods are either not independently tested or perform poorly in testing. Compare Incode’s very low False Non-Match Rate (FNMR) of 0.0032 (VISABORDER) against another vendor’s very high FNMR of 1.000. (NIST FRVT 1:1 results as of April 2023.)
Before you adopt a multi-factor authentication method, check the factors that are being authenticated. They may provide little or no protection. And the more factors you introduce, the slower your authentication will be.
Incode’s revolutionary approach to authentication
While Incode can implement multi-factor authentication, most of our customers demand face authentication. Despite the old-fashioned wisdom that multi-factor authentication is always better, Incode’s authentication is stronger than many multi-factor solutions.
Let’s look at the three key requirements for authentication and see how Incode stacks up.
Incode authentication provides very high security by using a less vulnerable authentication method, use of biometric templates rather than the original biometric information, performing critical processing at the edge device to minimize data movement, encrypting data in transit and at rest, and complying with industry standards and local privacy laws.
Incode authentication is extremely accurate because of our own Incode-developed algorithms for facial recognition and liveness detection. The face recognition algorithm is regularly tested by NIST for all to view; Incode’s most recent 1:1 results (incode-011) are among the most accurate and bias-free. Incode’s iBeta confirmed Level 2 liveness detection (confirmation letter here) ensures that a real live face is authenticating.
Finally, Incode authentication is lightning fast. A simple glance of the face to a smartphone camera authenticates in less than a second. This speed is due in part to Incode’s adoption of passive liveness detection, which does not require extensive face movements like active liveness detection.
Don’t accept the conventional wisdom
Are you going to follow conventional wisdom and adopt an easily stolen and fraud-prone password-based or multi-factor authentication solution?
Or are you going to adopt the revolutionary authentication solution that provides the highest security, accuracy, and speed?
Talk to us and get tomorrow’s superior identity verification and authentication solution today.