Use biometric and MFA layers to block gaps in fraud protection created by digitization
Digitization continues to change the kinds of fraud opportunities available to cybercriminals, even as the most common targets struggle to stem their losses and protect their reputations.
Mitek VP of Product Management Chris Briggs tells Biometric Update in an interview that, at this point, half of the market is still kicking tires; the other half is getting serious.
Getting serious often means beginning to use face biometrics, which many Mitek clients, particularly in the European market, use to bind an identity to an ID document.
Briggs is a long-time veteran of the struggle against fraud, and even before he joined Mitek he was working on “block-listing and consortia, and how do those work, and how should they work versus how do they not work.”
These days his responsibilities include helping businesses understand how to implement and layer technologies to ensure that identity-binding processes do what they purport to. This is happening with U.S. clients as well, “but even more around some more interesting marketplace examples; so I want to onboard somebody and then I want to prove an instance of that person at a specific point in a journey,” such as when they show up to take an important test or exam.
Layering multiple factors
Using digital identity to defeat fraud begins when an asset is created, which the business needs to persist across various points in the customer journey.
That is the basic first pass, Briggs explains, beyond which the business needs to decide whether it is looking for identity, fraud prevention or both.
“Typically, it’s a combination of the two, sometimes more heavily weighted on one side or the other depending on what type of transactions you’re running,” he says.
The specific aims of the system determine what kinds of checks need to be carried out.
“What you’ll see is quite often there’s some type of geo-profiling that will be done either by simply checking the IP address of the phone, or more complex device reputation and behavioral biometrics from the device itself,” Briggs says.
One of the main places where a gap arises, he says, is in the mix between digital and physical, because “digital processes typically have a physical fall-out where you can break the rules.” Multi-factor checks are the key to closing these gaps.
The different factors used, however, must go beyond checks that appear to confirm multiple data points, but are really only based on one source.
“The fact of the matter is that in that situation the bank assumes that someone at the telco has actually validated that I am the person who owns that phone and that sim card,” Briggs clarifies. “So, they’re really only running one check.”
“You need to be triangulating across more than one source at that point in time,” he adds. “And most of the big banks and financial service organizations get that. But where they struggle is they will come back and say ‘this whole idea of going digital and fraud checking on digital increases friction for the consumer’.”
It is possible to perform these checks with little or no friction, however. With permission, the relying party can see that the user’s phone is next to a computer that the same person is logged in on, for instance.
“That’s where we believe that if you start to talk about multi-factor biometrics and multi-modal biometrics, you can actually execute a very simple transaction with very little effort on the part of the consumer, which is where we believe that there will be continuous uptake from this in the industry,” Briggs says. “Both from our clients in Europe who are using it for biometric binding to an account, and in the U.S. where they’re looking at it for some of these other types of transactions.”
The identity of a customer established during onboarding has a half-life, Briggs says, raising the need to use biometrics and other data throughout the customer journey.
Over time, Briggs sees financial institutions and others moving towards more unified identity systems, with more layers introduced to take advantage of all possible verification methods without adding unnecessary friction.
What’s the hold-up?
What businesses should be doing is fairly clear, even though it involves a range of methods and implementations depending on the vertical, business model and so on. At this point, however, Briggs says only “a few [are] working in this direction.”
One of the main reasons is that legacy IT backbones make integrations of new technology difficult.
“That’s why you’ve seen sort of a migration to OTP; because it’s easy,” Briggs explains.
Integrating face and voice biometrics was much more difficult, costly, and burdensome in the past, according to Briggs.
Easing integration is part of Mitek’s motivation in moving towards something like “multi-modal biometrics as a service” with its end-to-end platform.
Despite the fraud expertise that is found in some financial institutions, securing remote transactions is a different matter. Then there are many other clients that simply want a yes or no answer.
“The effort that it takes is complex, and if we can solutions that into something that is a number or an answer and make it easy to consume, then it can be relatively straightforward to convert it into whatever system our clients are using,” Briggs says. “That allows them to be able to say ‘[the user] is who he says he is, and Mitek has helped us solve that problem.’”
Briggs has also observed an increase in concern about bias from financial institutions and other organizations. Again, they are more focused on ensuring that something is being done than understanding exactly how mitigation measures work.
“There are 3 or 4 different ways that we do that,” Briggs says of Mitek’s approach. “We have created stronger data overlays in specific areas that are under-represented in the market when we train our models.”
Similarly, privacy concerns are largely focused on explainability to the consumer.
“I would see the trend as moving more towards consciousness on the part of the consumer that has to be actively managed by our customers,” Briggs explains. “And that’s something we advocate.”
In the future, approaches like self-sovereign identity may catch on, but Briggs says customers are waiting for that ecosystem to become more mature.
In the meantime, digital identity needs to continue moving beyond the siloes it has traditionally been held in. Some financial institutions are looking for ways to create common identity-as-a-service platforms. Some organizations are starting to share identity data with others, Briggs says, pointing to SecureKey within the Canadian market.
If properly educated, consumers will accept these kinds of new approaches, just as they are increasingly aware of the importance of MFA.
“Whether you’re on the IAM side or the CIAM side or the identity side,” Briggs concludes, “everybody needs to just admit the fact that multi-factor is a given.”