Prove introduces new authentication platform, demoting one time passwords

One time passwords have become unintentionally self-descriptive: at one time, they were useful. But no longer, says New York-based Prove, which, following a partnership with authID, has announced the launch of Unified Authentication – according to a release, “a modern authentication solution that passively and persistently recognizes customers, no matter where they appear or how often their devices or credentials change.”

The product uses a layered, orchestrated approach to authentication, unifying the strengths of device fingerprinting, behavioral biometrics, and passkeys through the Prove Key, “a next-generation cryptographic key that is persistently bound to a user’s identity and secured directly on the device.”

“Paired with real-time signal intelligence and advanced key management,” Prove says, “the Prove Key delivers continuous, cross-channel authentication that endures through every lifecycle event.”

Unified Authentication offers compliant, passive MFA with two strong factors and dynamic linking to support PSD2 and PSD3 compliance; passive key management for seamless reauthentication without re-enrollment, even when new keys are issued after device changes or number updates; coverage across apps, browsers, desktops, kiosks, call centers, and third-party platforms; and real-time risk defense against synthetic identities, stolen credentials, scams, mules and social engineering.

It is designed for the long term, to maintain identity persistence through device upgrades, SIM swaps, carrier ports, phone number changes and more.

Prove takes a proactive view of digital identity, viewing it as a core enabler of digital commerce. It takes issue with each element of its platform in isolation: “device fingerprints are probabilistic, biometrics can drift, and while passkeys sync for convenience, they no longer prove possession of a specific device on their own.”

The move, then, is towards a holistic system.

“At Prove, we’ve always believed identity is the gateway to a new generation of digital experiences,” says Rich Rezek, Head of Platform and Solution Strategy at Prove. “With Unified Authentication, we’re bringing that vision to life – synchronizing identity and authentication in a more sophisticated way than ever before to eliminate friction, build trust, and protect every step of the customer journey, from onboarding to recovery and beyond.

Unified Authentication is now available in over 190 countries.

Webinar with authID, Prove focuses on threat of fake faces

Prove isn’t satisfied simply releasing its product: it has produced a webinar series on why OTPs can’t handle today’s threats. Part one features insights from SVP of Product Growth Dan Kilmer (with a guest appearance from Jeff Scheidel, COO of authID) – specifically, on why Apple’s Face ID for authentication is no longer enough, but face biometrics still can be.

Kilmer says that “one-time passwords and PINs were always meant to be a band-aid. Um, hey, I guessed your password, but I can’t guess the one the help desk sent to your phone. Oh, wait.

I can intercept that now. Or through social engineering, I can actually get you to give it to me. And one-time password interception, like other fraud vectors, is actually available via fraud as a service.”

He notes that, “we keep putting in various defensive measures to prevent bad guys from stealing our identities and thereby stealing our digital assets. But every one of these measures itself ultimately becomes a conduit for bad actors. OTPs can be stolen and then used to compromise other measures like device bound biometrics or passkeys.”

“While Face ID has normalized the acceptance and the use of biometrics with consumers, it has several shortcomings that lead to continued use of compromised solutions like SMS and one-time passwords. Face ID only works on the enrolled device. It can’t be used to set up your new device and it must be re-enrolled on that new device. Additionally, a second face or an alternate appearance can be enabled or enrolled on Face ID, which could easily be used by a bad actor to enroll their own face if they encounter an unlocked, unattended phone.”

In short, many privacy concerns linger, fomenting distrust in biometric systems. But Kilmer contends that “a proper biometric platform coupled with device intelligence overcomes concerns over privacy, compliance, integration and security.” He says that, combined with tech from authID, Prove is more than just a security check.

“It’s actually a continuum of identity verification and authentication coupled together” – a reputation check attached to a name and phone number, which goes with the user as the seasons change, while the underlying identity stays constant. Ownership ensures the phone number belongs to the person using it. Presence detection ensures the user is there, holding the device.

All of this, says Kilmer, occurs without the storage of any biometrics. Tokenized identities mean no personally identifiable information is stored.

AuthID’s Jeff Scheidel discusses how the two companies work together. “Through the partnership of prove and authID, we’ve merged our technologies and we’re trying to provide the ultimate in secure, accurate privacy protecting user verification on day zero to get you on board.”

In the triangulation between Prove, authD and the user, Prove handles phone possession, reputation and ownership, phone number tenure, and device behavior; while authID handles biometric authentication, document verification, and deepfakes and injection attacks.

“We validate the legitimacy of a physical ID such as a license or passport,” Scheidel explains. “Any of the 15,000 docs we support from around the world. We validate the selfie, both of these for livveness. We prevent the use of fakes, screen replays, deepfakes, and any injections behind the camera. Once both the doc and the face are verified, we match up those portraits to make sure the doc’s good, you’re good, and you’re good together. Whether we take the passive or active approach, we leverage our triangulated signals to further legitimize the user or negate when it’s a fake. And when we do have a verified user, we create a biometric route of trust for ongoing authentication.”

The result of the triangulation, he says, is a new term for the lexicon: “deterministic identity verification.”

Article Topics

biometric authentication  |  biometrics  |  face biometrics  |  Prove  |  selfie biometrics  |  unified authentication