25 July 2022
You’ve found an item you want to buy online. At the checkout, you choose to use a payment service, such as PayPal. You enter your password – it takes a few tries, but you get there in the end. You’re then asked to type in the SMS one-time passcode sent to your smartphone. Your device is charging in another room so you go and get it and retrieve the code. The code is accepted and you complete the purchase.
This is an example of multi-factor authentication (MFA). Multi-factor authentication refers to a security process that uses multiple methods of authentication – in this case, a password and a one-time passcode sent to a smartphone – to verify a user’s identity. Multi-factor authentication regulations are a welcome defense against the growing threat of online fraud.
But as we saw in the example above, multi-factor authentication can cause friction. If you don’t have your smartphone handy, or you don’t have cellular access, MFA that uses OTPs can become an inconvenient roadblock for users and a conversion killer for organizations. Additionally, many MFA solutions lack inclusivity; switching between different devices and applications can be difficult for people with certain disabilities, or for those with inconsistent cell phone service.
The truth is that multi-factor authentication is only as secure, convenient, and inclusive as the technologies used to facilitate it. In this article, we’ll explain why biometric authentication is the more secure, convenient, and inclusive authentication factor – and why every MFA solution should take advantage of it.
Multi-factor authentication is an authentication process that requires the user to provide two or more verification factors to gain access to a (secured) service or to complete a transaction. This could include accessing an online account or computer application, or authorizing a payment.
Multi-factor authentication aims to verify that you are who you say you are. MFA guidelines require a combination of two or more separate authentication factors. The authentication categories are:
Any combination of the above is acceptable, but not two from the same category.
More and more people are signing up for digital services online – for example, 27% of British adults have opened an account with an online-only bank (that’s 14 million people) – and they all expect a seamless user journey. But at the same time, fraud is on the rise and organizations must be vigilant.
Digital fraud is a very real threat and is growing more sophisticated by the day. For example, account takeover fraud (ATO) is a widespread problem. ATO fraudsters gain unauthorized access to a genuine user’s account, usually for financial gain — often making use of techniques such as credential stuffing to scale these attacks. You can read more on account takeover fraud here.
Additionally, a majority of today’s interactions happen remotely, operating from different locations, through unsecured networks, over untrusted hardware. So how do you ensure that the physical person is bound to their digital selves in a trusted, secure way?
Multi-factor authentication seeks to establish trust online under these hostile conditions and limit fraud through stronger authentication. The key is to establish trust and security without ever inconveniencing the user. Unfortunately, organizations don’t always get it right.
The biggest risk with MFA is that it will cause a negative impact on the user experience. Every step in an online user journey is a potential opportunity for friction and drop-off. Each added step is also a potential issue for inclusion, as it increases the cognitive demands on the user.
This is a significant problem for organizations. Shoppers are inclined to abandon transactions if it takes too long to check out (as we’ll all likely know from first-hand experience!). And that’s assuming that the MFA process doesn’t abandon the transaction for them – Barclaycard research found that in February 2022 alone, more than 1.2m online transactions worth more than £100m were declined during the authentication process. Retailers lost sales as a result. About 14% of shoppers noticed an increase in their online payments being declined and 37% headed to another retailer to complete their purchase.
But higher security does not have to mean low usability (and vice versa). The best way to deliver enhanced security with high usability is passive biometric face verification – which is an iProov-specific biometric advantage.
We’ve written extensively about the risks and drawbacks of other authentication methods. You can read more on this below:
Of the three types of authentication mentioned above – knowledge (e.g. passwords), possession (e.g. a mobile device) and inherence (e.g. face biometric authentication) – biometrics is the most secure and the most usable.
Biometrics is secure because it’s the only authentication factor that enables organizations to be certain that a physical person at the end of an internet connection is really who they claim to be. A password or a device can be shared or stolen, which means anyone could be using them. But nobody can take your physical face. Biometric face authentication ensures you’re dealing with the right person.
Biometrics is more usable because you always have your face with you. You can’t forget it (as with a password) or leave it at home or in another room (as with a device). And if you implement passive biometrics, then you can make the process as effortless as possible for your users.
Liveness detection is part of biometric verification. It ensures that an online user is a real person, detecting if the face being presented to the camera is a live human being. Without liveness technology, criminals could spoof the authentication process with masks, photographs, and other presentation attacks. With liveness detection, no one can use a copy (i.e. a picture) of your face to access your account, because that picture would not pass a liveness assessment.
As we’ve established, choosing the biometric factor – ‘something you are’ – has many advantages for multi-factor authentication. But not all liveness is the same, and there are various solutions that deliver varying levels of assurance. That’s why you must ensure you’re choosing the right biometric vendor.
The best MFA solutions are those where the user is not expected to do anything. These are known as passive authentication. With iProov, the user knows that a secure process is taking place and they feel reassured by it, but the experience is effortless.
iProov’s biometric face verification is patented, proven at scale, and truly unique. iProov technology is essential to a successful MFA strategy because it proves that someone is the correct and genuine live human without the user having to do anything – the technology takes care of the authentication process.
Unlike with the MFA example in our intro, there’s no switching between devices or applications. It’s as simple as staring into the device’s user-facing camera. Ultimately, no action from the user is required.
iProov offers two options for MFA. Our Liveness Assurance™ technology asks a user to complete a brief face scan to confirm they are the right person and a real person. Our Genuine Presence Assurance® technology also uses a brief face scan and delivers additional security by verifying that a user is the right and real person, but that they are also authenticating right now.
Both iProov technologies have been built to strike the balance between security and usability, enabling safety and trust without negatively impacting the customer experience.
A number of factors combine to make iProov biometric authentication the perfect MFA solution: