‘One-time biometric’ needed to fight off injection attacks, iProov exec argues
The sophistication of injection attacks has made video ID verification less reliable, but the standard for assurance levels in digital identity proofing does not have room to reflect this difference, an iProov executive argued in a recent online presentation.
Chief Product and Innovation Officer Joe Palmer was speaking during a KuppingerCole webinar titled “Identity Assurance Using Biometrics.”
Principal Analyst Martin Kuppinger discussed the importance of identity verification for organizations today, primarily for cybersecurity. Whatever identity verification and authentication processes are used, they need to be accurate and fast, or they will cause drop-offs in onboarding or customer churn, he says.
With every industry now being targeted by fraud attacks, the need for robust identity verification and authentication is nearly universal among public and private-sector organizations online, not just confined to financial services and payments.
Kuppinger emphasized the need to combine, rather than balance, security and convenience.
He also referred to survey results from a previous webinar that indicated the majority of organizations expect decentralized identities or self-sovereign identities to impact reusable consumer identities.
Palmer reviewed the “spectrum of identity assurance,” starting with the motivations of organizations implementing identity verification and authentication and the associated challenges. The variable factors organizations should consider when determining the level of identity assurance they need, he says, are the threat landscape, the riskiness of the transaction, and its value.
Combining face biometrics, which are relatively easy to validate, with technology that introduces randomness prevents the biometric from being spoofed while retaining a passive user experience, Palmer says, in apparent reference to iProov’s Flashmark liveness detection technology. He characterizes this as a “one-time biometric.”
This makes it both the most secure and the most convenient, according to Palmer, and avoids the sacrifice of one to improve the other referred to earlier by Kuppinger.
Palmer summarizes iProov’s approach as determining it has the right person by matching against the 2D reference image, determining the person is real using 3D technology for presentation attack detection, and determining that the correct user is present at the time of the authentication process, rather than being presented in a spoof or injection attack, with the one-time technology. He later reiterated that injection attacks are now more common than biometric presentation attacks.
He then gave several examples of the risk level of different use cases, identifying those that should make use of high-security ID verification or authentication, and those that might be fine to conduct with a company’s SSO, like booking a meeting room. The overall threat landscape changes over time, however; activities that may have been low-risk a few years ago, for instance, take on more risk as attack technologies and other circumstances evolve.
When asked where one-time biometrics fit into the assurance levels of the NIST 800-63-3 standard for digital identity, Palmer responded that the specification does not provide adequate granularity to fit the technology neatly. Since level 1 is self-attestation, and level 3 requires in-person proofing, effectively all online security measures fall into level 2, he points out. NIST is working on revising the levels of assurance in a future version of the standard.
In the meantime, Palmer argues one-time biometrics provide a higher level of assurance than even video call verification, due to the sophistication of AI-powered injection attacks.