July 28 2022
Earlier this month, the state of New Jersey introduced new two-factor authentication (2FA) and multi-factor authentication (MFA) regulations for gambling institutions. The legislation states that any “authorized internet or mobile game” must implement 2FA or MFA.
The new legislation is designed to protect customers against online fraud. Strong authentication, like 2FA and MFA, defends against a number of fraud types – primarily account takeover fraud, whereby a legitimate user’s account is hijacked by fraudsters.
However, it’s crucial that implementing 2FA/MFA does not create a roadblock for online users. Gambling organizations do not want users abandoning their websites due to cumbersome authentication technology. Operators must choose a 2FA/MFA solution that prevents fraud without inconveniencing the user experience.
In this article, we’ll explain why and how facial biometric technology needs to be part of any 2FA or MFA solution for gambling organizations.
The new regulation, titled N.J.A.C. 13:69O-1.1 — which you can read here – defines multi-factor authentication as a type of strong authentication that uses two of the following to verify a patron’s identity:
This is the same as the ‘something you know’, ‘something you have’, and ‘something you are’ approach to Strong Customer Authentication (SCA) required under European regulation PSD2, which iProov has covered extensively – you can read more on SCA here.
Why has New Jersey brought in this legislation? There are several reasons:
The U.S. online gambling industry generated $3.71 billion in 2021, up 139% in 2020 and 614% from 2019 according to the American Gaming Association’s Commercial Gaming Revenue Tracker. New Jersey is a major gambling market and it’s likely that others will be looking to follow in the state’s footsteps.
Two factor authentication will only make use of two authentication factors to verify a patron’s identity – for example a password with face authentication. Multi-factor authentication makes use of at least two, if not more, factors.
The New Jersey legislation does not make recommendations for one over the other – just that gambling institutions must use at least two authentication factors moving forward.
There are several authentication methods that can be chosen as part of a 2FA/MFA strategy. Face biometric technology is ‘something you are’ and it offers many advantages over other options:
With the right solution, face biometric technology can provide 2FA/MFA that is secure, usable, inclusive, convenient, and respectful of a user’s privacy.
Read more on:
Let’s say that a fraudster has managed to get a gambler’s password – perhaps it was leaked in a data breach. They then head to the gambling website and enter the stolen email address and password. Without 2FA/MFA, that would be enough for the bad actor to gain access and then lock the genuine account holder out by changing the password once they’re in.
But if the gambling website has implemented MFA with iProov as part of their solution, the bad actor would be prompted to scan their face to authenticate themselves. The fraudster is now thwarted, as they can’t provide the right face. And even if the fraudster had a video or image of the legitimate account owner, iProov’s liveness detection would spot that it wasn’t the genuine person and block access.
Essentially, iProov helps defend against account takeover fraud by ensuring that only the genuine account owner can gain access. iProov’s technology empowers organizations to safeguard users’ online accounts and ensure that accounts don’t end up under someone else’s control. And it does this in a way that’s convenient, inclusive, and simple for the end-user – meaning less drop-offs.
In 2020, a Florida bettor used a proxy bettor to pass porous KYC/AML checks and placed a $3 million bet at a New Jersey sportsbook – one of America’s largest gambling hubs. The gambling operator was hit with a $150,000 proxy betting fine.
Stories such as these are common. Proxy betting – the act of placing a bet on someone else’s behalf – is prohibited in New Jersey.
However, not all 2FA/MFA strategies will be enough to defend against proxy betting. Let’s take a password + OTP solution, for example. The legitimate owner could share their password and OTP code with the conspirator.
Only iProov’s biometric face authentication can ensure that the person accessing the account is the genuine bona fide account owner. It defends against proxy betting because it ensures that the right person, real person, is authenticating right now. The only way it could be circumnavigated would be if the genuine owner was in the same room as the proxy bettor – which sigificantly limits the aims and advantages of proxy betting.
So far we’ve looked at biometric face authentication for 2FA/MFA in the gambling sector. But there are also other ways in which gambling firms can use face authentication:
When using biometric authentication for 2FA/MFA, it is important to confirm that the individual on an online interaction is who they say they are. Liveness plays a crucial role here. Without liveness detection, a criminal would be able to spoof a system by presenting a photograph, video or mask to a camera. Essentially, liveness detection ensures that an online user is a real person.
iProov offers Liveness Assurance™ and Genuine Presence Assurance® to ensure that gambling organizations can effortlessly verify user identity and authenticate customers. Liveness Assurance confirms it is the right and real person, using both face matching and liveness detection as part of the solution.
Genuine Presence Assurance, iProov’s flagship product, offers unrivalled security compared with other liveness solutions. It verifies that a user is the right person, a real person, but it also verifies that they are authenticating right now. It does this using a one-time biometric delivered using our patented Flashmark™ technology which illuminates the remote user’s face with a unique, randomized sequence of colors that cannot be replayed or manipulated synthetically, preventing spoofing.
The iProov Security Operations Center (iSOC) is an integral part of GPA. It delivers active threat management, which provides resilience against sophisticated emerging attacks by combining advanced technology with responsive processes.
A number of unique factors combine to make iProov the perfect solution for 2FA/MFA strategies:
If you’d like to see how iProov’s Genuine Presence Assurance technology can secure and streamline online customer onboarding and authentication in the gambling sector, book your iProov demo here.