The risk of identity theft – and related fraud – is a significant concern for consumers who have been embracing online services to overcome lockdown restrictions during 2020.
Even prior to this, there has been a reported 33% increase in identity fraud last year from 2018 figures.
While the pandemic has been a boon to adoption of biometrics – particularly face biometrics in this contactless era – for digital identification, authentication, and authorisation services this has also amplified the necessity of two-factor authentication (2FA) for users to better protect themselves.
Biometrics can either be biological measurements or physical characteristics that can be used to identify an individual. Some of the more popular modalities that are becoming mainstream today include fingerprint scans and facial recognition. The use cases for such solutions are vast, from identification and verification services to security and restricted access control – including at airports, stadiums, businesses, and various other settings.
Additionally, many of the latest smartphones even feature biometrics as security options, used to unlock the device, sign into mobile apps and in payment verification.
According to Vic Esterhuizen, executive: biometrics at Xpert Decision systems (XDS), biometrics can fulfil a critical fraud prevention function in the identification, authentication, and authorisation sequence of events including digital on-boarding services, and identification/account verification at the point of sale.
“Much about how we live, work and play changed due to the impacts of the Covid-19 pandemic, where lockdown restrictions coupled with social distancing protocols have pressed upon people to avoid use of shared surfaces and close, in-person interactions as much as possible. This is accelerating adoption trends in contactless identification including face biometrics systems – particularly as a complement to and in support of digital transactions,” says Esterhuizen.
Market research indicates that the global face biometrics market size was valued at $3,4-billion in 2019 and is projected to grow at a CAGR of 14,5% from 2020 to 2027.
Esterhuizen suggests that in a digitally driven world, the traditional username and password method can be enhanced with additional security factors.
“Biometrics presents a massive opportunity to promote market inclusion through digital and remote access to products and services. And, by using something unique to an individual to confirm the person’s identity before any financial and other transactions can be done, this can support in significantly reducing the potential for identity theft and associated risks of third-party fraud.
“It should be noted, however, that not all technology is the same and products and service providers who are looking to capitalise on the digital and remote opportunities must undertake market research and consult with experts on solutions that offer built in risk mitigation and high anti-spoof rates in identity verification,” says Esterhuizen.
To realise the effectiveness of biometrics, Kaspersky believes that consumers first need to understand the difference between identification, authentication, and authorisation.
“While it might not seem important at first to understand the role biometrics can play in these processes, given how everything from shopping to banking to entertainment and more of our daily activities are increasingly connected to the Internet and performed online, consumers need to better understand that collectively these online accounts form an imprint of their digital lives – and that their biometrics can be used to unlock this imprint if not used appropriately and safely,” says Lehan van den Heever, enterprise cyber security advisor at Kaspersky in Africa.
For instance, a banking app will request the user’s login details before the user may perform any transactions. The username will be the identification step, i.e. confirming identity of the user. The password or PIN will then be used to authenticate the login. The final step is that of authorisation. Once the identification and authentication have been done and confirmed, the app will give the user the right, i.e. authorise the user, to view their account balances, pay beneficiaries, etc.
“There are current services and use cases where biometrics have been integrated into these processes, for example, a fingerprint or face scan may be used to supplement, or in addition to, any of these three steps. To do this, the provider is taking biometric data and storing it in the cloud, which is correlated with the user’s account and payment data – i.e. personal and potentially financial data. And while such data may well be encrypted, the potential risk is that should the data ever be stolen – and decrypted – from the cloud, the user’s identity could be spoofed, leading to financial loses and potential third-party fraud,” Van den Heever says.
This stresses the necessity of two-factor authentication (2FA). As is the case with the aforementioned example, many local banks continue to use two-factor authentication, which requires entering a password/PIN as well confirming a one-time password (OTP) at the point of transaction, which is sent to a secondary device, for example.
“With the pandemic expected to be a part of our lives for some time to come, biometrics has an important role to play in the new normal. And the key to integrating biometrics safely, particularly where a user’s financial data is concerned, lies in how the data is being encrypted and stored. For example, where biometrics is used to identify the user and a PIN is used to verify that identity, anyone stealing the biometric data wouldn’t have a complete set of information or enough to steal people’s money, or spoof their identity. It is much safer to keep the two things separate and integrate 2FA as a critical step to securing accounts and the data they hold,” concludes van den Heever.