How selfies can make us all safer
On the internet, nobody knows you’re a dog. And that’s exactly how criminals like it. The level of anonymity that the internet affords people is presenting an ever-greater challenge to regulators, businesses and even consumers, who are increasingly becoming the target for trolling, cybercrime and identity theft.
Evidently, the answer has to be more transparency, with a greater focus on identity verification. Businesses and consumers alike need to be confident that the people they are communicating and transacting with online are exactly who they say they are. This is true across the board – from social media networks and online marketplaces, through to online banking apps and gaming platforms.
Identity verification strategies and technologies are evolving at pace, in line with changing consumer behaviour. In a dynamic online environment, identity verification needs to work quickly and seamlessly across multiple channels, and fit in with a world-class digital experience.
This is why biometric authentication — uniquely identifying a person by evaluating one or more distinguishing biological traits — is becoming such a critical element of identity verification, driven by staggering adoption rates of smartphones that support and enable biometric technology. Data from Statista suggests that there are 3.2 billion smartphone users worldwide, which puts global smartphone penetration at around 41.5%.
Businesses need to be able to verify the identity of new customers during the online account creation process, but they need to provide an experience which is quick and intuitive. Consumers are increasingly intolerant of poor online account opening processes and firms risk losing customers and revenue if they don’t get it right. However, if brands can deliver smooth, seamless and secure account creation, then it sets them up for long and fruitful relationships with customers.
Little wonder then that the selfie is coming to the fore as a simple and quick way for consumers to be able to verify the authenticity of the identity documents they have submitted. Taking selfies has become second nature to us – in fact, it is predicted that the average millennial will take 25,000 selfies during their lifetime!
Point, click, verify
Just under a year ago, NatWest became the first major high street bank to enable customers to open an account with a selfie. The move eliminated the need to go into a branch, put identity documents in the post, or wait a day or two for the account-opening process to be completed. Instead, the customer uploads a selfie and photo ID such as a passport to verify who they are. Fast forward to today and it’s much more common. As an example, Monzo asks its customers to submit a short video of themselves saying “Hi, my name is [your name], and I want a Monzo account.”
And the RBC mobile app is the latest to announce plans to introduce selfie verification for customers opening new accounts. While this may seem a very simple verification mechanic, the crux of it is so much more than a click and smile.
Verification, then authentication
When considering biometric-based authentication methods for compliance or fraud prevention, it’s vital to understand the various trade-offs between security, risk, accuracy, usability and cost. Achieving the level of security required for a particular use case while delivering acceptable performance for the other parameters is now regularly attainable with the current state of technology. As with any risk-based approach, it’s about determining the level of risk and matching system requirements that are appropriate to that level.
It’s also important to note that authentication comes after enrollment and identity proofing; to authenticate someone, you must have previously verified the identity of that individual, to make sure that you are dealing with a real person. There are three factors that can determine authentication which are all relatively common; something the customer knows (knowledge, such as a PIN or password), something the customer has (possession, such as an identity document or a smartphone) and something the customer is (inherence, such as biometrics).
Deploying multi-factor authentication (MFA), where two of the three factors are authenticated, is sufficient to meet the highest NIST security requirements. This criteria concurs with the EU standards for Strong Customer Authentication (SCA). Of course, meeting these security standards presupposes that the factor has enough integrity and confidentiality to uniquely identify the user.
Selfies in the verification process
Fortunately, biometrics can also be used in the identity verification process. Businesses can authenticate the identity document submitted by the individual by comparing the photograph on the document with a separate photograph (selfie) of the person. The person matches the identity and therefore they must be the owner of this document. As the banks cited can testify to, online processes make in-person identity checks unnecessary.
Biometrics can be integrated into the identity workflow to make a robust, secure and compliant verification process. This is where and why that most modern of phenomena — the selfie — is coming into play. Using the smartphone camera to take a live picture of the user and comparing that selfie to the ID photograph can help weed out even the most sophisticated of fraudsters. For the user, the experience is straightforward.
Take a picture of their ID document, take a selfie and the process is done.
Practical level of security
While some business use cases do not require the most extreme level of security, they all must have effective security measures to ensure that the real user of the account is performing the requested actions. However, it becomes inoperable if businesses deploy systems that are onerous and time consuming for users or risk customer abandonment. There has to be balance between risk and usability, speed and security.
This is why modern smartphones are a game changer, as they have put powerful biometric technologies into the hands of billions of people. By combining possession of a smartphone (something the customer has) with a biometric (something the customer is), authentication has become scalable for general audience use cases.
If a transaction needs authentication (such as with SCA), a bank can send a notification to a secure app on a customer’s smartphone. If the notification is confirmed, that’s strong confirmation that the customer has both the device and secure access to the app. While password access to the app would also pass the MFA requirement, logging in with a thumbprint or face scan is much quicker and easier for the customer. Seamless security is the goal, and biometric authentication delivers. However, it’s crucial to ensure that the original identity is properly verified, matched against a wide range of robust identity data sources. After all, if a money launderer, fraudster or other bad actor already has an account, authentication provides no deterrent.
And this is why selfies are becoming so much more common for identity authentication. They offer another layer of security and assurance that is unique to each individual and when combined with other forms of ID is immensely secure. If we think the power of the selfie has been demonstrated on platforms like Instagram, it’s nothing to how influential it is going to be in the field of ID verification…. But without the filters.