July 28, 2022

Earlier this month, the state of New Jersey introduced new two-factor authentication (2FA) and multi-factor authentication (MFA) regulations for gambling institutions. The legislation states that any “authorized internet or mobile game” must implement 2FA or MFA. 

The new legislation is designed to protect customers against online fraud. Strong authentication, like 2FA and MFA, defends against a number of fraud types – primarily account takeover fraud, whereby a legitimate user’s account is hijacked by fraudsters.

However, it’s crucial that implementing 2FA/MFA does not create a roadblock for online users. Gambling organizations do not want users abandoning their websites due to cumbersome authentication technology. Operators must choose a 2FA/MFA solution that prevents fraud without inconveniencing the user experience. 

In this article, we’ll explain why and how facial biometric technology needs to be part of any 2FA or MFA solution for gambling organizations. 

What is the New Jersey gambling authentication regulation? Why was it introduced?

The new regulation, titled N.J.A.C. 13:69O-1.1 (which you can read here), defines multi-factor authentication as a type of strong authentication that uses two of the following to verify a patron’s identity:

  • Information known only to the patron, such as a password, pattern, or answers to challenge questions;
  • An item possessed by a patron, such as an electronic token, physical token or an identification card;
  • A patron’s biometric data, such as fingerprints, facial or voice authentication.

This is the same as the ‘something you know’, ‘something you have’, and ‘something you are’ approach to Strong Customer Authentication (SCA) required under European regulation PSD2, which iProov has covered extensively – you can read more on SCA here.

    Why has New Jersey brought in this legislation? There are several reasons:

    • To stop theft. Customers have money stored in their online gambling accounts, which makes them a target for criminals. Strong authentication helps to prevent criminals from breaking into accounts.
    • To limit proxy or messenger betting. In New Jersey, the practice of placing a bet for someone else outside the legal jurisdiction is illegal. Strong authentication makes this more difficult.
    • To prevent multi-accounting. Online gamblers can commit fraud by claiming welcome bonuses several times. Again, strong authentication makes this harder.
    • To limit money-laundering and underage gambling. There are regulations in place to ensure that Know Your Customer (KYC) and Anti-Money Laundering (AML) processes are followed at account creation, but existing accounts could be misused unless ongoing strong authentication is in place. 

    The U.S. online gambling industry generated $3.71 billion in 2021, up 139% from 2020 and 614% from 2019, according to the American Gaming Association’s Commercial Gaming Revenue Tracker. New Jersey is a major gambling market and it’s likely that others will be looking to follow in the state’s footsteps.

    What is the difference between 2FA and MFA?

    Two-factor authentication uses exactly two authentication factors to verify a patron’s identity – for example, a password with face authentication. Multi-factor authentication uses two or more factors.

    The New Jersey legislation does not make recommendations for one over the other – just that gambling institutions must use at least two authentication factors moving forward. 

    Why should gambling organizations use facial biometric technology for 2FA/MFA?

    There are several authentication methods that can be chosen as part of a 2FA/MFA strategy. Face biometric technology is ‘something you are’ and it offers many advantages over other options:

    • Passwords, secret questions and other knowledge-based authentication are not secure – passwords can be stolen, guessed, shared, borrowed, and forgotten. Your face cannot be stolen, guessed, shared, borrowed, or forgotten.
    • Devices and other possessions can be stolen, lost, or broken. Your face cannot be stolen, lost, or broken. 
    • Other biometric authentication options are available, but faces are typically used on State or Federal-issued ID, e.g. a driver’s license or passport. Fingerprints, voice, and other choices cannot typically be remotely verified against a form of ID.
    • While some authentication methods, such as OTPs, introduce a degree of friction (read more on OTP risks here), face biometrics can enable compliance while delivering optimal user experience, without killing conversions. The convenience of iProov face biometrics drives user adoption rates.

    With the right solution, face biometric technology can provide 2FA/MFA that is secure, usable, inclusive, convenient, and respectful of a user’s privacy.

    How can biometric face authentication defend against account takeover fraud in the gambling industry?

    Let’s say that a fraudster has managed to get a gambler’s password – perhaps it was leaked in a data breach. They then head to the gambling website and enter the stolen email address and password. Without 2FA/MFA, that would be enough for the bad actor to gain access and then lock the genuine account holder out by changing the password once they’re in.

    But if the gambling website has implemented MFA with iProov as part of their solution, the bad actor would be prompted to scan their face to authenticate themselves. The fraudster is now thwarted, as they can’t provide the right face. And even if the fraudster had a video or image of the legitimate account owner, iProov’s liveness detection would spot that it wasn’t the genuine person and block access.

    Essentially, iProov helps defend against account takeover fraud by ensuring that only the genuine account owner can gain access. iProov’s technology empowers organizations to safeguard users’ online accounts and ensure that accounts don’t end up under someone else’s control. And it does this in a way that’s convenient, inclusive, and simple for the end-user – meaning fewer drop-offs.

    How can biometric face authentication defend against proxy or messenger betting?

    In 2020, a Florida bettor used a proxy bettor to pass porous KYC/AML checks and placed a $3 million bet at a New Jersey sportsbook – one of America’s largest gambling hubs. The gambling operator was hit with a $150,000 proxy betting fine. 

    Stories such as these are common. Proxy betting – the act of placing a bet on someone else’s behalf – is prohibited in New Jersey.

    However, not all 2FA/MFA strategies will be enough to defend against proxy betting. Let’s take a password + OTP solution, for example. The legitimate owner could share their password and OTP code with the conspirator.

    Only iProov’s biometric face authentication can ensure that the person accessing the account is the genuine account owner. It defends against proxy betting because it ensures that the right person, a real person, is authenticating right now. The only way it could be circumvented would be if the genuine owner was in the same room as the proxy bettor – which significantly limits the aims and advantages of proxy betting.

    How can gambling organizations benefit from biometric face verification?

    So far we’ve looked at biometric face authentication for 2FA/MFA in the gambling sector. But there are also other ways in which gambling firms can use face authentication:

    • Account creation and onboarding (facilitating KYC and AML checks): though the legislation in focus does not mention onboarding or KYC, this is still a key consideration for gambling organizations. To onboard a new user, you need to accurately verify the asserted identity against a photo from a trusted identity document (such as a driver’s license). iProov Dynamic Liveness is the safest way of verifying that a user is who they claim to be. Trust established at onboarding carries across the entire customer lifecycle, which will be crucial for keeping bad actors and fraudsters out of gambling sites further down the line. 
    • Identity recovery: If a gambling user loses their mobile device, or it breaks or gets stolen, they can lose the ability to authenticate themselves. iProov’s cloud-based identity verification enables them to securely access their account via any other device without needing to re-enroll.

    How does liveness help the online gambling sector?

    When using biometric authentication for 2FA/MFA, it is important to confirm that the individual on an online interaction is who they say they are. Liveness plays a crucial role here. Without liveness detection, a criminal would be able to spoof a system by presenting a photograph, video or mask to a camera. Essentially, liveness detection ensures that an online user is a real person. 

    iProov offers Express Liveness and Dynamic Liveness® to ensure that gambling organizations can effortlessly verify user identity and authenticate customers. Express Liveness confirms it is the right and real person, using both face matching and liveness detection as part of the solution. 

    Dynamic Liveness, iProov’s flagship product, offers unrivalled security compared with other liveness solutions. It verifies that a user is the right person, a real person, but it also verifies that they are authenticating right now. It does this using a one-time biometric delivered using our patented Flashmark™ technology which illuminates the remote user’s face with a unique, randomized sequence of colors that cannot be replayed or manipulated synthetically, preventing spoofing. 

    The iProov Security Operations Center (iSOC) is an integral part of GPA. It delivers active threat management, which provides resilience against sophisticated emerging attacks by combining advanced technology with responsive processes.

    Why is iProov best for 2FA/MFA for gambling organizations?

    A number of unique factors combine to make iProov the perfect solution for 2FA/MFA strategies: 

    • Proven security and usability: iProov is trusted by the world’s most security-conscious organizations, including the US Department of Homeland Security, and is utilized in other fast-paced industries ranging from government, financial services, cryptocurrency, travel, and more. 
    • Maximizes completion rates: Unlike other liveness vendors, iProov offers passive authentication. This enables customers to securely prove who they are with the minimum of effort.
    • Maximizes inclusivity: iProov delivers authentication irrespective of ethnicity or cognitive ability — there are no complex instructions to read, understand or execute, meaning all bona fide customers can access gambling services. 
    • Device and platform agnostic: There is no need for special hardware or sensors, as users can authenticate themselves on any device with a user-facing camera. This includes smartphones, laptops, desktops, tablets, or via kiosk terminals, which supports inclusivity.
    • Industry-leading performance: iProov delivers > 98% typical pass rates and 1.1 average number of attempts based on in-production results.
    • High level of accuracy: iProov delivers market-leading biometric authentication and anti-spoofing across a range of attacks; not just standard presentation attacks but also highly scalable injection attacks using deepfakes and replays.
    • Rapid deployment: Our compact SDK provides fast and easy integration with online portals or mobile apps. iProov is available on Web, iOS, and Android.
    • Cloud-based security: iProov does not rely on the user’s device for security, removing the risk from compromised devices or sensors. This maintains the integrity of the authentication process and cannot be reverse-engineered by attackers.
    • Protects privacy: iProov uses a privacy firewall and strong encryption techniques to protect highly sensitive data, such as face biometrics, and safeguard the user’s confidentiality.

    Gambling and face biometrics: a summary

    • The state of New Jersey has introduced new Two-Factor Authentication (2FA) and Multi-factor Authentication (MFA) regulations for gambling institutions.
    • 2FA and MFA can protect against account takeover fraud and proxy betting. 
    • Gambling organizations have several options for 2FA and MFA but face biometric authentication offers many advantages over other alternatives.
    • Liveness detection must be part of face biometric authentication.
    • iProov’s Express Liveness and Dynamic Liveness provide the best options. Only GPA can verify that a user is the right person, a real person and that they are authenticating right now.
    • Face biometrics can also be used by gambling organizations for onboarding, authentication, and identity recovery.

    If you’d like to see how iProov’s Dynamic Liveness technology can secure and streamline online customer onboarding and authentication in the gambling sector, book your iProov demo here.
