by Dean Nicolls, VP of Marketing, Jumio
In the world of digital identity verification, there are two distinct realms: the realm of identity proofing and the realm of authentication. These realms have been separate and distinct for decades.
Companies use a variety of identity proofing techniques to remotely establish the identities of users (instead of requiring them to visit a branch office). Asmorepeopleusetheinternet and apps on their computers, tablets, and smartphones to create accounts online and access those services, modern enterprises are exploring online ways to “identity proof” new customers without requiring an in-person visit.
Identity Proofing Methods
Historically, the function of “identity proofing” was based on the premise that if a person was able to provide a name, address, date of birth and a government identifier (e.g., Social Security number), he or she must be that person. This was never very sound, but it was deemed “good enough.”
When this approach proved insufficient, knowledge-based verification was introduced. This prompted a user to answer questions based on more extensive public records or credit history. This also proved problematic as legitimate customers frequently failed these questions, and it introduced a high rate of friction and abandonment.
More recently, enterprises are starting to require that new online customers capture a picture of their government-issued ID (drivers license, passport or ID card) and a selfie with their smartphone or webcam, and then compare the face in the selfie to the picture on the ID.
After the user is approved and given their account credentials, they need to authenticate themselves every time they log into their online accounts. In most cases, all that’s needed is a simple username and password. But, in some situations, businesses need higher levels of assurance to ensure that the person making the request is who they claim to be. These include:
- Logging in from a foreign IP address
- Password resets (in light of account takeovers)
- Large money or wire transfers
- Multiple unsuccessful logins
- Requested change on authorized permissions
- High-risk transactions (car rentals, hotel room keys) For these types of transactions, companies use a variety of authentication technologies including:
- Knowledge-based authentication
- Multi-factor authentication
- Out of band authentication (e.g., SMS- based codes sent to the user’s smartphone)
- Hardware and software tokens
A New Paradigm for Identity Proofing and Authentication, Unfortunately, there’s very little overlap between the technologies used for identity proofing and the technologies used for authentication. Making matters worse, many of these traditional forms of identity proofing and authentication have proven to be hackable, insecure and unreliable thanks to large- scale data breaches, the dark web and man-in-the-middle exploits. This is both unfortunate and inefficient.
A Better Way: Jumio Authentication
“By 2023, identity corroboration hubs will displace existing authentication platforms in over 50% of large and global enterprises.” – Gartner
There is a better way that leverages the same set of technologies for both identity proofing and authentication that’s fast, reliable and easy to use. It leverages face-based biometrics and liveness detection
— here’s how it works.
Step 1: Identity Proofing
A new user goes through a simple two-step process when creating an online account:
- Government-Issued ID: The user captures a photo of their government-issued ID via their smartphone or computer’s
- Selfie Capture and Liveness Detection: The user is asked to capture two selfies: one about 12 inches away and another closer up, around 6 inches from the The check for liveness detection is to ensure that the person behind the enrollment is physically present and to thwart fraudsters who are increasingly using spoofing attacks by using a photo, video or a different substitute for an authorized person’s face to acquire someone else’s privileges or access rights
In addition to checking the authenticity of the ID document, the 3D selfie is compared to a
government-issued ID to reliably establish the digital identity of the new user. This simple and increasingly familiar process provides businesses with a higher level of identity assurance.
Step 2: Authentication
The real breakthrough happens downstream when authentication is required. Because a 3D selfie was captured at initial enrollment, the user only needs to take a fresh selfie (one close up and one a little further away). This new 3D selfie is then compared to the original selfie captured during enrollment and a match/no match decision is made. But, this time, the authentication step takes just seconds to perform. The elegance of this solution is that the user does not need to be subjected to the entire identity proofing process again — they just need to take a new selfie.
Emerging Use Cases
By using your users’ selfies as their second authentication factor, organizations can now factor authentication, companies reissue lost or forgotten credentials by having their users take a selfie. about the need to identity proof Uber drivers upfront, but also to continually re-authenticate them on the job to ensure that envision entirely new use cases
- High-Risk Transactions: If
the person claiming to be the that go well beyond suspicious logins.
- Hotel Room Access: Insteadofwaitinginalongcheck- in line at a hotel, customers could open their doors with just a
- Car Rentals: Customers could bypass the long lines at airports and unlock the door of their rental car with just a
- Lost Passwords: Instead of reverting to vulnerable methods, such as KBA or two-
there’s a significant wire transfer from one account to another, financial institutions could simply require the user to take a selfie to authorize the transaction.
- Continuous Authentication: Think about continuous authentication in the e-learning space. Professors want to ensure that legitimate students are enrolled online and that they are the same people taking the exams online. Think
Uber driver is, in fact, the Uber driver that was approved to drive. As identity proofing and authentication processes converge, we think the role of face-based biometrics will enable broader adoption, provide higher levels of identity assurance, improve the customer experience and conversion rates, and better protect online accounts from identity theft and account takeover.
About the Author
Dean Nicolls is Jumio’s most recent addition to the executive team. He has 25+ years of experience in B2B marketing focusing on cloud services. These include roles at Starbucks, Microsoft, and variety of early-stage cloud-based security companies including LiveOffice (acquired by Symantec), TeleSign (acquired by BICS) and, most recently, Infrascale. At Jumio, Dean is responsible for all branding, PR/analyst relations, product messaging, demand generation, and sales/channel enablement. He holds a Bachelor of Science degree in Business Administration from Pepperdine University and an MBA from the University of Washington.