Going passwordless: Stage 2 – Step up your security game

tl;dr: step 1 of going passwordless was authenticating a user's behaviour | stepping up authentication smoothly is stage 2 of the passwordless dream | using a selfie or lipsync challenge with liveness detection for user auth is quick and painless | we're almost at the finishing line and your customers are still delighted

Earlier, I set the stage for Going Passwordless and then looked at behavioural biometrics as the first rung of the security ladder, drawing on conclusions from my continued engagement with digital and challenger banks. With just three steps standing between an organisation being basic and being a legend, we now move to Stage Two, stepping up (literally) to the challenge.

Recap: We have our risk-based score of behavioural authentication.

Alrighty then, in case you’ve somehow failed to commit the finer details of my Stage 1 blog to memory, we’ve decided to remove the password from the banking application – the unlocked phone scenario – remember? In order to do this securely, to assist in fraud prevention and with the UX & regulator in mind, the first port of call is to implement behavioural biometrics to run passively and continuously in the background of the application. The behavioural module returns a risk-based score, a confidence indicator of whether or not this user is genuinely the account holder. What happens though, when this score drops below a threshold and we need to clarify exactly who it is on the end of the device before they attempt a transaction? This is where ‘step-up authentication’ is required, or Stage 2, if you’re keeping track.

We now need to know whether to Stop or Continue the session…

To set the scene, the behavioural module’s confidence score is low, i.e. we think it’s an intruder using the application and not the genuine account holder. Essentially, we need to establish whether it is anyone other than the genuine account holder. At this point, we can enforce a step-up authentication for the user to complete, the result of which will allow either a genuine account holder to continue transacting or an intruder to be forced out of the session.

…but this process needs to be smooth.

What’s imperative here is that this step-up authentication mechanism still focuses on our earlier critical priorities: security, UX and the regulator. It’s clear then that this stage is as important as Stage 1, that one without the other is nonsensical, and that one builds on the other. A step-up authentication mechanism needs to satisfy each priority or we can’t Go Passwordless, the dream is over. If its security element is weak, there’s a problem for both the client and the regulator. Similarly, if the UX is anything but frictionless we may as well have gone for a cup of tea and not set out on this project.

“What step-up authentication mechanism is able to do all these things? Will – does such a thing even exist?”

I hear you ask. Well, despite the challenging operational requirements, never fear, yes, such a thing does exist.

A clear user-first option, with solid protection.

In fact, there are a few options at this stage. For instance, it could be a hard token code generator or even an SMS one-time password. You may well say that these options were more acceptable for UX and security about 10 years ago. And whether it’s a man-in-the-middle attack or carrying around a calculator-esque code generator, neither really floats my boat if I’m honest.

One option that does float my boat however – and that does not require me to carry around extra hardware or leave the application to fetch a code – is facial authentication. A quick prompt to facially authenticate within the application during the transaction is a seamless and secure way of enforcing a step-up authentication. What’s imperative for facial authentication is “liveness detection”, essentially making sure that the user doesn’t only match the stored template, but is ‘alive’. This is typically done by enforcing an action such as a blink or smile. Ensuring that this mechanism is not only a desirable UX but also cannot be spoofed falls to me and my trusty colleagues at AimBrain.

AimBrain recently released AimFace/LipSync, the marrying together of facial authentication and a randomised voice challenge. This continually changing three-digit spoken challenge means a response cannot be synthesised in real time, making it AimBrain’s most anti-spoofable module to date, all the while keeping intact a desirable UX by implementing a quick and painless authentication step.
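To make the session logic described above concrete (a behavioural score dropping below a threshold forces a step-up, the step-up result either lets the session continue or ends it, and the spoken challenge is randomised so a recording cannot be reused), here is an added illustrative example in Python. It is not AimBrain's code or the AimFace/LipSync API: the threshold, challenge lifetime and attempt limit are constructed policy values, and the face-match, liveness and digit-recognition results are assumed to be supplied by whatever biometric module the app integrates.

```python
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed policy values for this example (not AimBrain's numbers).
STEP_UP_THRESHOLD = 0.6       # behavioural confidence below this triggers step-up
CHALLENGE_TTL_SECONDS = 60    # a spoken challenge is only accepted within this window
MAX_STEP_UP_ATTEMPTS = 3      # terminate the session after this many failed step-ups


class SessionState(Enum):
    ACTIVE = "active"
    STEP_UP_REQUIRED = "step_up_required"
    TERMINATED = "terminated"


@dataclass
class Challenge:
    digits: str        # the random three-digit challenge the user must speak
    issued_at: float   # server time when it was issued
    used: bool = False # a challenge can be consumed exactly once


@dataclass
class Session:
    state: SessionState = SessionState.ACTIVE
    challenge: Optional[Challenge] = None
    failed_attempts: int = 0


def on_behavioural_score(session: Session, score: float) -> SessionState:
    """Apply the behavioural module's confidence score (0.0 - 1.0) to the session.
    A low score moves an active session into step-up; a terminated session stays dead."""
    if session.state == SessionState.ACTIVE and score < STEP_UP_THRESHOLD:
        session.state = SessionState.STEP_UP_REQUIRED
    return session.state


def issue_challenge(session: Session, now: Optional[float] = None) -> str:
    """Issue a fresh random three-digit spoken challenge, generated server-side with
    the secrets module so it cannot be predicted, and stamped so it expires."""
    if session.state != SessionState.STEP_UP_REQUIRED:
        raise RuntimeError("no step-up pending for this session")
    now = time.time() if now is None else now
    digits = f"{secrets.randbelow(1000):03d}"
    session.challenge = Challenge(digits=digits, issued_at=now)
    return digits


def complete_step_up(session: Session, spoken_digits: str, face_match: bool,
                     liveness_ok: bool, now: Optional[float] = None) -> SessionState:
    """Evaluate a step-up attempt. The session continues only if the face matched the
    stored template, the liveness check passed, and the digits recognised from the
    lip/voice stream equal the challenge that was issued while it is still fresh.
    Any failure consumes the challenge and counts as an attempt; repeated failures
    force the user out of the session."""
    now = time.time() if now is None else now
    ch = session.challenge
    if session.state != SessionState.STEP_UP_REQUIRED or ch is None:
        return session.state
    # Single-use and time-limited: a replayed or stale recording fails here.
    fresh = (not ch.used) and (now - ch.issued_at) <= CHALLENGE_TTL_SECONDS
    ch.used = True
    session.challenge = None
    digits_match = secrets.compare_digest(spoken_digits, ch.digits)
    if fresh and face_match and liveness_ok and digits_match:
        session.state = SessionState.ACTIVE
        session.failed_attempts = 0
    else:
        session.failed_attempts += 1
        if session.failed_attempts >= MAX_STEP_UP_ATTEMPTS:
            session.state = SessionState.TERMINATED
    return session.state


if __name__ == "__main__":
    s = Session()
    print(on_behavioural_score(s, 0.3))          # step_up_required
    challenge = issue_challenge(s)
    # Simulate the biometric module reporting a match, liveness and the right digits.
    print(complete_step_up(s, challenge, True, True))  # active
```

The design point is that the server, not the client, decides when step-up is required and generates the challenge; the client only returns what the biometric module recognised, and the server binds that answer to the specific challenge it issued, within its validity window, exactly once.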

Up for more? Join me for the final phase.

Well there we have it, Going Passwordless – Stage 2, a facial authentication mechanism to satisfy a step-up authentication request when the confidence level of behavioural biometrics has dropped below a certain threshold. We’re in pretty good shape then as we approach the final phase to ensure Going Passwordless can become a reality.

Stay tuned to read the final simple step, or drop me a line to discuss the world of digital, challenger and neo banks.
