Technology John Bertoli's post
The power of combining risk-based & continuous biometric authentication
MAR 15, 2018
Digital security and finance are seeing the rise of account fraud and large amounts of personal information being compromised. Financial institutions realize the shortcomings of basic passwords and OTPs and the growing need for biometric authentication, as well as continuous behavioral authentication, to bolster security and enable a BYOD-friendly and seamless user experience.
Erin: Hi everyone, I'm Erin Handel, co-founder of BankersHub, and I'd like to welcome you to today's webinar on the Power of Combining Risk-Based and Continuous Biometric Authentication in Financial Services. This webinar is brought to you by Samsung. So here's the plan for today: our presenters are going to take us through the issues and we'll take your questions at the end of the presentation. However, please feel free to send questions as they occur to you at any point throughout the presentation by going to the questions tab on your control panel and sending your questions in to the organizer. We'll send a copy of the presentation materials along with the playback link after the webinar.
So let's take a quick look at the agenda for today. We're going to start with speaker intros shortly. We're going to talk about the current state of digital security and finance. We're going to examine the adoption of biometrics in banking. We're going to learn what financial institutions need from a digital identity platform. We're going to cover continuous behavioral authentication in action. Then we're going to explore how Thomson Reuters is using biometrics and continuous authentication. Then we're going to address your questions and answers.
Now let me introduce our speakers. Rich Lobovsky is currently leading a team at Samsung SDSA, focused on providing mobility and security based enterprise software solutions to the financial services industry, including their FIDO compliant biometric solution. Rich is a member of SDSA's leadership team, which sets the overall strategy for the organization.
Erin: He is joined with Frances Zelazny, who is a seasoned marketing strategist and business development professional with nearly 20 years of experience with startup companies. Frances currently serves as the Vice President of Marketing at BioCatch. Finally, we're going to also hear from Jennifer Singh, who currently serves as Senior Director with the Digital Identity Solution Group where she is incubating a new business identity verification services for Thomson Reuters. Jen currently leads product management and strategy, focusing on aspects such as commercial strategy, business development, product strategy, partnerships, and go to market strategies for new business. Rich, you're our first speaker today and the floor is yours.
Rich: Thank you very much, Erin, and welcome everybody. Thank you all for taking the time to join us for this webinar. We're going to talk a little bit about what's happening with biometric authentication. What we're seeing in the financial services industry is a significant uptake in the adoption of biometrics for a variety of different types of applications, whether they be consumer driven applications or employee-driven applications. You can see on the left screen that we expect nearly a 40% compound annual growth rate in the adoption of biometrics between 2015 and '24. And we're seeing this increase for a couple of different reasons.
One is that there's a greater proliferation of biometric sensors that are coming with devices out-of-the-box, so obviously most phones have cameras for facial recognition and they have microphones for voice recognition. Many of these phones also have fingerprint sensors. But now what you're seeing is things like infrared cameras being embedded into new devices that will enable iris-based recognition. And we're seeing a lot of other different types of modalities that are coming to bear here in this particular space.
Another reason we're seeing an increase is that organizations are starting to look at the distinction between what we characterize as enterprise grade biometrics versus consumer grade biometrics. So to spend a minute on that, if everyone's familiar with the Face ID and Touch ID from Apple or they're familiar with Android's local form of biometric authentication, these are out-of-the-box biometric authentication solutions that are really primarily meant for convenience versus security. They enable a user to log into a app, they enable a user to get into their phone instead of using a password or a pin code or swipe, and they can use a biometric. But what we're talking about is consumer grade biometrics, nothing ever leaves the device.
With enterprise grade biometrics, we're seeing a much more secure platform and it's based on public and private key cryptography. So every time a biometric modality is enrolled, a unique key pair is created. And that private key and public key that are created have to do a handshake every time a subsequent authentication request comes through. And the public key actually resides on an enterprise server behind the firewall, whereas the private key and the biometric credentials stay on the device and never leave the device, and that's all part of what we call the FIDO, or Fast Identity Online standard. So every time an authentication request happens, there's that handshake between the private and the public key and we think of that as an extra layer of validation because of the key sitting on that server behind a firewall. So again, we think that the advent of enterprise grade biometrics is also going to significantly contribute to the adoption that we expect over the next 5 to 10 years.
Some of the uses that enterprises are looking at for biometrics include things like enabling functionality through mobile applications; whether it be logins, doing step up authentications to verify various transactions, and being able to stratify the types of authentication that a user might have to do based on the risk of the transaction that that user's trying to execute within the application. And then finally we're seeing more and more corporate or employee uses of biometrics in exchange for passwords because of the challenge that passwords create for all of us.
So what we're seeing is a positive impact on security and the overall user experience. So looking at a survey done by Visa last year, more than 85% of those surveyed expressed interest in using biometrics to either verify for identity to make payments. Nearly three quarters of people are saying that they believe biometrics are easier to use than passwords and nearly half of those that were surveyed think that biometrics are more secure than using passwords or PIN’s. And we've seen comments come out from organizations like NIST who are saying that the use of OTP’s through SMS is inherently insecure and this is another area that we think there's opportunity for the implementation of biometrics in those particular use cases.
So you know, today what we see is a lot of usage of KBA or Knowledge Based Authentication. I'm sure everyone's familiar with this. When you're talking to a financial institution, they ask you for the last four digits of your social or your mother's maiden name or what your favorite pet or what concert you attended. You know, those are all called Knowledge Based Authentication. And the challenge with KBA these days is that it's pretty easy for hackers to find this information using social networking and other means. And so this information, it's really kind of out there already, and it shouldn't really be used as a primary means for authentication. We see the value in using KBA as a way to sort of enhance other forms of authentication, biometric authentication, but in and of itself, KBA by itself is becoming more and more risky in our opinion, to use. Also, this information can be acquired, if hackers can't get to it through regular means of social media, they can go out and sometimes buy this information. And so we think that KBA is always gonna have some sort of utility, but it really is becoming more and more insecure as using it as a primary means for authentication.
So as we're out there talking to organizations in the financial services and other industries, biometric authentication is a critical part, but what we're really seeing is a broader interest in this whole area of digital identity. And so when you think about somebody trying to secure a loan from a bank, they typically go into a bank in person, and they present their identification to prove who they are. So we've actually replaced that process with a digital form of ID verification where an individual can use their phone, take a picture of the front and back side of their passport, take a picture of themselves, a selfie, and submit that information through a portal. And then there's algorithms in the back end that analyze the validity of all the secure elements of that particular government-issued ID, it can detect any sort of fraudulent activity in terms of modifying that or creating paper based versions of that ID. It also takes a look at the image that the individual took with a selfie and compares that to the image on the government issued ID and, through the analysis of those two things, can produce a confidence score for the financial institution saying, “based on the document and the image of the individual, we're 95% confident the person is who they say they are,” and that enables them to go into the next step of that onboarding process. Obviously we're talking a lot today about risk-based biometric authentication and the combination of that with continuous behavioral biometric authentication, but then the last leg of that stool is really a digital means for onboarding that customer today.
So instead of having an individual having to go into a bank to secure that loan, they could actually initiate a secure video session remotely with that loan officer in the call center of that bank, be able to review an application form online, and be able to digitally sign that application form. And now you've essentially streamlined the entire process of onboarding that new customer. And that's a significant issue for financial institutions who today experience abandonment rates for online applications up near 75%. So we think that this entire ecosystem of ID verification, two different forms of biometric authentication and digital onboarding creates a very compelling model for a financial institution that's looking to go from manual paper-based processes that are in place today to more streamlined digital processes.
Now we think of this both for mobile and for web-based applications. So traditionally these kinds of solutions would be embedded into a native mobile app, both let's say Android and iOS apps, but we also look at this for web based applications with the model of using a mobile device as a means for an out of band biometric authentication into or within a web-based application. So imagine you're sitting in a banking, web-based banking portal, and you try to transact on something. You get a notification to your phone and it asks you to input a particular biometric modality. You input that into the phone, that authentication gets then pushed back to the web-based server and it authenticates you into the app or within the app. It's a pretty common model that we've deployed with numerous clients and having the ability to do both mobile and web is important because most financial institutions are playing in both domains. So we see use cases for mobile and online payments, banking, trading. We've got a use case around a cardless, PIN-less ATM transaction, call center based authentication. So there's really several different types of use cases that we see with respect to biometric authentication.
So this is just a real, sort of high level overview of Samsung's Nexsign FIDO certified biometric authentication solution. As I mentioned, this incorporates all of the sort of elements that I spoke about here with respect to supporting the mobile native applications in Android and iOS as well as web-based applications. So I don't want to spend too much time on this particular graphic, but if folks are interested in learning more about Samsung solutions in the space, we can certainly schedule some subsequent discussions.
What we're really seeing is this very, very powerful combination between the usage of risk-based authentication and continuous behavioral biometric authentication. So if you think about the use of fingerprint or face or voice in the construct of the use of a mobile app, an individual will be intermittently challenged based on the risk of what they're trying to achieve within that application. So you can imagine if somebody does a simple, $100 transfer, maybe they're asked for a fingerprint. But, if they want to do a $5,000 international transfer, they may be asked for multiple modalities, a combination of modalities to authenticate through that transaction. So that challenge happens intermittently based on what that user is trying to achieve and based on the risk of what they're trying to achieve.
Now you combine that with continuous behavioral biometric authentication, which I'm going to turn over here in a second to my colleague Frances to talk more about, but you take that sort of continuous monitoring from a security perspective, from a behavioral perspective, you add that to the risk based intermittent model and we really feel that that combination is incredibly powerful model by which financial institutions can robustly implement biometric authentication across their applications. So with that, I'm going to turn it over to Frances who will go deeper with you on the behavioral biometric authentication.
Frances: Thank you so much. Rich, I'm really excited to be here. This is a really important topic when we consider what's going on in the world of identity today and the implications that strong identity has on the way we interact online. So for those of you who are not familiar with BioCatch, we are a behavioral biometrics company. We've been around since 2011 and we monitor more than 5 billion transactions per month, working across the world with tier one financial institutions. And we enable increased trust and strong identity in the online world and we work with many practitioners who are authentication folks, guard folks, digital identity folks, product managers on the digital channel who are thinking about how to enhance the user experience while providing significant levels of security and trust in the environment. And when we have these conversations, we're really looking at the full circle of identity, which begins with the KYC, the creation of the identity inside the system or the enrollment and when you consider that more than 9 billion transactions have been stolen since 2013, the main challenge when we're bringing somebody new into an environment is to figure out whether they are who they claim to be even though they have all the right data elements. So no longer is somebody's first name, last name, text name, sixth grade teacher's name a validation of their identity. We now require an extra layer, a dynamic layer that goes beyond the static information in order to make sure that somebody isn't using stolen or made up information. So that's the first challenge that digital identity providers have to think about.
The second one is an extension of what Rich was just talking about, the biometric authentication. So there are many, many ways to authenticate identity at the beginning of a transaction and biometrics really is only one, however, that will tie a user to a particular identity in a way that doesn't have repudiation down the line. A device, for example, does not equate to identity, a token does not equate to a user identity. Only biometrics are actually tied to a particular user. And even with traditional biometrics at the login process, there is a big gap between knowing that the person that logs in is actually the legitimate user throughout the whole session. This is what Rich was leading to with regards to continuous authentication. So because of all of the hacks and all of the breaches that are out there fraudsters are using very advanced techniques to trick people into letting them inside sessions to download malware that will activate after a particular login. And so continuous authentication is the only way to make sure that that hasn't happened, that there hasn't been an account takeover by another person or another thing during the session. And altogether these are the three main challenges that digital identity providers are looking to maintain and all of it with the eye towards the user experience.
And the reason that it mattered, and this is a very surprising statistic to most people, is that 100% of the fraud is done in authenticated sessions. So this means after the password, after the token, after the SMS, because most of those things are done with legitimate credentials. Somebody stole your password. So the password is correct. Somebody was able to intercept the SMS code to the phone number so the SMS code is correct. And oftentimes you'll find, and we'll explain again like I alluded to it, but you need somebody who can login with their physical biometrics, but because of social engineering, malware, robotic attacks and other things, the fraudster could be working on the other side.
And so when we talk about continuous authentication, there aren't many ways in order to achieve that. Behavioral biometrics is one of the only ways that I'm familiar with how you do this, and behavioral biometrics works in the background, monitoring three categories of activities. The first one is your physical behavior. So these are things that are related to the size and the shape of your hand that impacts your physical behaviors on a device or on a keyboard. So that is you're right handed, left handed. The size and shape of your fingers will affect your scroll, where you touch the screen, how hard you press, whether you have a hand tremor or not. Your cognitive behaviors are things that are related to preferences, how you've toggled between fields. So for example, Rich may use the tab key to go from one field to another, Jen might use the enter key and I might actually put the cursor where it needs to go.
And the third category of behavior is your response patterns. So something unique to BioCatch is called invisible challenges, these are a set of tests that are built into the session that a user doesn't feel and it doesn't interrupt the user flow, but that elicit responses. So for example, the mouse can freeze for several seconds and that will make different people react in different ways. So some people may move the mouse from side to side, other people may start typing their name, other people may just hit a key repeatedly, and all these things, the way a person responds is sort of a reflex, but from a behavioral perspective, it helps to distinguish one user from another, and it also helps to distinguish a user from a robotic attack or a piece of malware or even a remote access attack where there's two people inside a session at the same time. And what's very interesting and compelling about behavioral biometrics on top of all of this is that it's completely anonymized and that everybody's profiles is based on different parameters and not rely on any form of PII. So in the world of privacy and GDPR and all of these regulations, this was a very compelling layer to add on top of the existing authentication protocol.
Now we want to look at visualization of what's different when you just have a user login and then you have behavioral biometrics running in the background. So the top row is essentially showing what happens when you just have a static authentication. So the user would log in with any technique and essentially the session is assumed to be legitimate throughout. Sometimes if the transaction is over a certain amount, you might ask for another authentication. Sometimes if the location is not recognized, you might ask for an additional authentication or stop the actual transaction. These are all friction. This introduces friction into the user experience and we all know as users and consumers ourselves, that we don't like friction. We want to reduce friction while we add security. So the second line is showing with behavioral biometrics running in the background, you can have that security throughout without adding additional friction into the user experience. Now we're going to get into what it looks like in the actual real world.
So if you're a legitimate user sitting at a restaurant and you want to use Venmo, for example and pay your friend for half the check, you would typically login to an account, you would hit the money transfer on the bottom, pick your recipient, you will type in the amount, you'll type in the memo, swipe to approve the transfer, and then it will go through. So no difference in the user experience, you're not asking for an additional authentication or any other interruption or mode separate from what's in the actual flow and the money is transferred.
Now we'll see what happens when there is a fraudster. And it should be noted that it's more common and more likely that a fraudster will take over a session or take over an account they got via social engineering or malware than actually steal your phone. So in this scenario, a fraudster hacked into an account, they were able to get in with the credentials, they would hit transfer, select the recipient, type an amount, enter the memo, and swipe and the system in this case recognizes that it's not the legitimate user and it asks for a second authentication. In this case, it's the fingerprint and at that point the transaction would stop. So this is essentially showing again the security with the user experience and Jen will take it from here to explain how Thomson Reuters are putting it all together.
Jen: Thanks Frances. So today I'm going to share a few examples of how we're using biometric capabilities within our own fleet of products at Thomson Reuters. So for those of you who aren't familiar with Thomson Reuters, we're a global news and information organization. We primarily serve B2B markets, including professionals in the financial services, risk, legal, tax and accounting and media verticals. And of course we're also well-known for our Reuters News Agency.
I'm with the Digital Identity Solutions team within Thomson Reuters. Our goal is to create new products and services to help our customers overcome the challenge of verifying and authenticating identities, especially in digital channels. And their main goal is to reduce risk, prevent fraud, and ultimately drive revenue growth for our customers. So our focus is on rethinking identity verification in order to balance both security and convenience for our financial services customers and ultimately their end users at the end of the day.
I have a few examples of how we've begun incorporating Samsung Nexsign biometric capabilities into our product portfolio to address a number of different use cases. On the left side, you'll see that we've incorporated biometric authentication into our flagship product such as our financial services product named Eikon, and this is a replacement for passwords in a basic login authentication scenario as well as we've incorporated other enhanced privacy controls. A lot of our users are people like traders, risk managers, financial services professionals that often are doing things on their screens that they don't want other people to see. And so we've also enabled facial biometrics, whereby it will recognize your face as the user. But if your face isn't recognized, the screen is actually going to blur over or in another scenario, if someone comes up behind you and another person's face is captured in addition to your own, it will also blur over the screen. So that provides enhanced security so that you don't have anyone looking over your shoulder or someone coming up to your desk when you're not there.
So far, we've received excellent feedback from our customers who really appreciate the simplicity and protection that biometric authentication provides. On the other side of the screen, you'll notice that we've also incorporated biometric authentication into our digital identity innovations to provide enhanced ongoing assurances so that our customers know who they're doing business with. One use case that we're exploring is within the onboarding or a sign up process for new accounts. So as Rich described earlier, users can digitize and upload copies of their government documentation like a passport or a driver's license. And we can provide extra assurance around the person's identity by using facial recognition to link a real time video of the person to the picture on their document. Our platform will then go further in addition to the document onboarding to actually take the attributes off of that document and compare the biographical information against trusted data sources in order to verify that information and issue a valid identity for a user allowing that user to then get access to new services.
In another use case, we're also using biometric authentication for high risk transactions. So say for example, I'm trying to buy something online, maybe it's a high dollar amount transaction, $4,000, $5,000, and for some reason either I, as a user or the financial institution has set a rule in the platform that says for these high risk or high dollar transactions, I'm going to require extra assurance that that user is who they say they are. Historically, a financial institution might have called you, put the transaction on hold, given you a call, sent you a text message or an email asking you to verify your identity. But in this scenario, instead we'll push notification to your mobile device and ask you to authenticate with a fingerprint or facial recognition or some other type of biometric modality.
It is a much more seamless experience for end users while still protecting the financial institution from fraud. The big takeaway is that our customers are constantly trying to balance adding friction to the identity verification process versus providing a streamlined customer experience. Many have started asking for behavioral biometric authentication capabilities which can provide those needed protections without interrupting the customer experience. So if we go back to the high risk transaction use case, we've heard from a specific customer that they want to completely avoid push notifications because any lag in a transaction could impact abandon rates and their ultimate share of the wallet with their consumers. So instead they're looking at continuous authentication via behavioral biometric capabilities in order to achieve both the required security thresholds that might be required by their risk managers, but ultimately drive more revenue for their business.
So overall across Thomson Reuters and our customer groups, we're really seeing an increasing awareness and demand for biometric capabilities, whether it's risk-based, continuous authentication or a combination of both. I expect us to continually innovate new product enhancements and solutions, really leveraging these biometric capabilities across our entire TR portfolio. So with that, I'm going to hand it back to Erin.
Erin: Great. Thank you so much to Jen, Frances and Rich. Folks, we're going to launch into our Q&A session now. The first question, can you elaborate on other use cases for risk-based authentication solutions such as Nexsign?
Rich: Yeah, sure. So I briefly alluded to a couple of additional use cases. But I'm going to go into a little bit of detail. We've done a lot of work with Diebold, which is the largest ATM manufacturer in the world now with their recent acquisition of Nixdorf in Germany and we've done some co-innovation around an ATM transaction that doesn't require the use of a card or a PIN. So the use case is that an individual would stage, let's say a cash withdrawal from their mobile banking application and they can do that wherever they are. And then when they get to the ATM, there's a NFC or Near Field Communications link that occurs between the mobile device and the ATM itself. And then that staged transaction comes up in the queue and in order to execute on that transaction, the user is challenged to provide a facial scan. They use their mobile device and the camera on their mobile device to capture their face. That authentication then gets pushed up to the ATM server in the cloud, authenticates the user at the ATM and disburses the cash.
So we've seen PIN-less ATM models from banks like Wells Fargo and Bank of America, but in both of those cases, that requires the use of an SMS-based OTP. In the case of Wells Fargo, it also requires the use of a PIN. So we feel that's kind of a clunkier user experience. Implementing biometrics in the model that we've implemented with Diebold kind of streamlines and improves that user experience.
One other thing I'll mention is around the call center that I briefly alluded to. So a lot of banks are experiencing fraud in their call centers. And so they're looking for advanced authentication procedures or protocols to implement within that call center. So a lot of times in call centers they use KBA, which we talked about here earlier. But another model that we're starting to implement is the use of biometric authentication using a mobile device. So when an individual calls into a call center and instead of being asked KBA questions, there's an alert that's pushed to their mobile device, an authentication request comes up on that mobile device. They input their fingerprint or face or voice, whatever they're asked for, that authentication then gets pushed back into the call center system and the call center agent can see that the user authenticates with the biometric and then they can get on with the business of that particular interaction. So those are a couple of different use cases that we're seeing some interest in throughout the market.
Erin: Great. Thank you so much Rich. We've got another question that's come in. What are the open areas in behavioral biometrics for financial services that still require significant research work in both theory and practice?
Frances: I guess I'll take that question. That's an excellent question. There's a lot of ongoing work in behavioral biometrics, particularly in the ability to capture more and more parameters. In the beginning there were several hundred parameters only that we're capturing on the web. Now we're up to several thousand in the mobile. So the more parameters that we're able to capture, the better, the more accuracy and more use cases that we're able to address. One of the newer use cases beyond the continuous authentication is in the identity proofing, which I alluded to around KYC and expanding beyond understanding different environments. So behavioral biometrics really came to be in the financial services arena and as those bigger and more broader data sets, there's going to be work to apply that learning into other sectors.
Erin: Great. Thank you so much, Frances. We've got another question that's come in. Other than fingerprint or facial scan, what are other examples of biometrics that could be used for authenticating? Are there any stats on accuracy of this technology?
Rich: So I'll take that one. So obviously voice is another big one that's been around for quite some time. I think some of the newer modalities that you're starting to see are with respect to the use of the eyes. So I mentioned iris-based authentication earlier and that's within the Samsung world, we released that with I believe it was the Galaxy S8 and the Note8 that was released last year, and now the S9 that's being released now and the Note9 will also have iris-based biometric authentication and that's done because there's an infrared camera included in the device now.
Another modality that we are currently working on is around palm. Everybody has unique line configurations in their palm and you can use the camera on the phone to actually capture an image of your palm and use that for authentication. So we've seen palm-based authentication being used in places like Brazil where there's quite a bit of concerns around physical security. This is a fairly new modality that we're seeing interest here in the US and North American market. But those are two examples. We've also seen things like pulse rate and heart rate. So there's a bunch of new innovations that are being worked on right now to bring other modalities. I think there's still the least common denominator is fingerprint, but there are some challenges in the sense that with things like voice and face you can do liveness check and spoofness check with a different number of different techniques. It's a little bit harder to do that with a fingerprint. So we're seeing a lot more interest in things like facial recognition, which obviously Apple has transitioned from a Touch ID to Face ID. So yeah, we're going to continue to see some new innovations in this space and as an aggregator we're looking, constantly looking into the market to see where it might make sense to apply some of these new modalities into our platform. And then we essentially create a FIDO wrapper around those authentication engines and we're able to then integrate that into our platform and offer that to our clients.
Erin: Great. Thank you Rich. And audience, thank you for these great questions. Next question, could you provide an example of variables or risk factors considered in the continuous bio authentication
Frances: What are the risk factors? Okay. So as we all behave in unique ways and we all interact in different ways, some of the things that the system is looking for is looking for behavioral anomalies. So I gave an example of the visible challenges, which is a way to extract anomalies. I mean maybe it may not be as obvious in the system, but very easy to explain. So we all will respond to challenges in a different way. One example that I gave during my presentation was the mouse. Another example of a challenge is the spinning wheel. So if you're on a mobile device and you are entering a credit card, the wheel could be made to spin faster or slower and that will elicit a different response as well from different people. So some people might scroll all the way down and then go back up to where they want to go and other people may force the wheel to go slower so that they can, in more deliberate movements, so that they get to where they want to go on the wheel. So this is also not only distinguishing one person from another, but a robot for example, won't be able to respond at all. If there was a remote access attack and there are two people inside a session, you'd be able to detect that. So these are the kinds of anomalies that the system is looking for.
Erin: Great. Thank you so much Frances. We've got another great question. Is behavioral DNA or a biometric profile built but only using an application device as a user would normally, or are there prompts upon onboarding that contribute to the creation of that profile?
Frances: One of the most compelling things about behavioral, as I mentioned, is that it doesn't require any change in the user experience and that includes the onboarding as well. So the system will pick up user behavior from the very beginning and will improve and learn as it goes along. Those who have deep learning applied to it so the profile gets stronger and stronger over time. It's also important to note that even when no profile exists, when you're starting out in the very beginning, there's still a value to recognize a malware, robotic activity, remote access to text again, and so all of these things are available through the biometric modality from the get go and then you have the actual authentication and the profile matching happening over time. The profile was actually created after about 10 minutes of activity, so for users that are doing their online banking, which typically will happen within a week.
Erin: Great. Thanks so much. We've got another great question here. How does face recognition handle folks losing or gaining weight?
Rich: Unless there's a drastic, drastic gain in weight where it really changes the individual's, their face, there shouldn't be any issue. If there was an issue, then the individual would merely have to re-enroll their face as a new modality. And I've never seen that actually happen before. Not to say that it couldn't happen if someone loses 200, 300 pounds or gained that much weight, but again, the way to address it would be just to be to re-enroll.
Jen: And Rich, just to add to that, you know, I've found that the facial recognition is very strong even when someone's wearing a pair of glasses or a hat compared to not having that in their photo. And most facial recognition engines are tuned to also age changes as well. So a lot of times passport photos, for example, can last in the United States up to 10 years before you have to get a new passport. So a lot of facial recognition has been tuned to recognize that aging change over time and it's pretty smart.
Erin: Great. Thank you so much Rich and Jen. Next question. In the case your fingerprints and your facial biometric have been compromised, what are the options for the end user to authenticate?
Rich: So a lot of this depends upon how the financial institution implements biometric authentication. So, in one regard, they can create policies that require a user to use specific modalities based on what that user's trying to achieve within the flow of that application. In other cases, a financial institution may just leave it up to the user and say, ''You know, we're going to provide you with options for, you know, some number of modalities to use and you can choose what to use when you want to use it.'' So, if in the case of the latter where the user has the option, one particular modality has been compromised and the user can merely just choose to use another modality. If it's in the former case where the financial institutions create a policy that requires a specific modality and that particular biometrics somehow has been compromised, then again the user would probably need to re-enroll that particular modality and start from fresh with that particular modality.
Erin: Thanks Rich. Next question. With the assumption that the behavioral profile is constantly being updated, how do you ensure that that data is not consumed into the behavioral profile prior to a customer reaching a point of check within existing customer flows?
Frances: I'm going to try to answer the question. I'm not sure I got it 100%, but I think if I can rephrase the question and then I'll answer it. If the profile hasn't been established, how effective is it in managing continuous authentication inside the session? So the profile is established after 10 minutes of concurrent activity, which in our corporate banking environment, typically that happens in one session in a retail consumer banking environment that could happen over several sessions. From the get go however, there are behavioral threats, so threat detection, that can be picked up. These are things like malware, robotic activity, multiple people in an account. And these anomalies are detected not by matching against existing malware files, or checking against bad IP addresses or blacklisted devices, this is really analyzing the behavior inside the session.
So again, back to invisible challenges. One challenge could be to drag the mouse by several degrees. And in that case, you would have to have, in order to compensate, a human would use their hand-eye coordination to put the cursor where they would want to go. Whereas a robot would end up in no man's land, it wouldn't be able to complete the challenge. Similarly, if there were two people inside a session or two things do a person on a thing inside a session, we'd be able to detect that kind of an attack. So while the profile is being established and optimized, there's still behavioral anomalies that can be detected and identified to stop fraud in real time.
Erin: Great. Thank you Frances. Next question. How do you go about adding new biometric authentication engines to your platform?
Rich: So you know as I mentioned, we're constantly looking into the market, talking to financial institutions and companies outside the financial industry about what the interest level is, where there could be value in delivering different types of modalities based on specific use cases. So, based on that information, we go out, sometimes some of our technology is developed here at Samsung, some of it we work with partners, but essentially if we find a modality that we're interested in integrating into our platform, we need to make sure that that biometric authentication engine is FIDO compliant. And so if it's not FIDO compliant, we have to sort of, for lack of a better term, we have to create a FIDO wrapper around that authentication engine so it meets the standards by which the FIDO protocol is mandated and then we create that wrapper and then we basically get it tied into our platform. So it's not a very heavy lift for us. I mean, it does take a little bit of time, but you know, it's sort of like a month or two of integration and testing, etc. It's not a three to six months heavy lift for us at all. So we really look at what our clients are demanding, where we think we can bring value with enhanced modalities and then go after offering that in sort of a staged way. So today, we offer fingerprint, face and voice out-of-the-box and then iris and palm we're working on, in terms of that integration into the platform. And those modalities should be available late this quarter, early next quarter.
Erin: Great. Thank you, Rich. Next question, how long does it take to develop a behavioral biometrics profile?
Frances: It takes 10 minutes of concurrent activities to create the profile, which can be done either in one session or in multiple sessions.
Erin: Great. Next question. How does behavioral biometrics fit into the FIDO framework?
Frances: Behavioral biometrics is very complementary with FIDO. FIDO essentially is the standard for the way biometric templates are stored on a device and typically sent to a server at the institution as Rich explained earlier, and usually because the FIDO framework is called on for physical biometrics, they're deployed for the initial logon and sometimes, as Rich and I explained earlier, for specific types of transactions of a certain higher dollar amount or whatnot, behavioral biometrics works inside a session after the logon and enables the FIDO to be called on if a step up authentication is required. So you would, let's say log in with a fingerprint or a face or iris, the behavioral kicks in after the login monitors throughout. If an anomaly is detected an alert goes to the next sign system which triggers the FIDO based authentication using one of the physical...more of the physical modalities to be established. Again, Rich, you may want to elaborate.
Rich: Okay. I think given we have about four minutes, I think I'll leave that there because there may be another question or two we want to squeeze in here.
Erin: All right. We are down to our last question. How does biometric authentication affect a financial institution's profitability? Are traditional methods for authentication more costly?
Rich: So we believe that the implementation of biometrics has actually a positive impact on a financial institution's profitability. So basically if you look at something like the use of RSA tokens in an institution for authentication, now I'm pulling up an employee use case here, we found that hard tokens can be as costly as $20 to $30 a year, maybe they get down into the teens. For a typical biometric authentication implementation, our model is a subscription based model at the lowest tiers of usage, so you're looking at sort of a $6 to $8 per user per year type of cost associated with that. So we think we can cut a financial institution's cost primarily in half or close to in half when replacing, let's say, hard tokens with biometric authentication.
The other thing that we see out there is the use of OTP. Now I don't have statistics on what an OTP service costs, so I couldn't really confidently say that biometric authentication is more sort of cost effective, but I would gather to say that it's at least as cost effective if not more. So again there are ways to sort of be flexible in terms of how to implement this. So we think in general and we do think that financial institutions can justify some level of upcharge for enhancements to feature functionality and user experience through the use of biometrics. So we think that even some of that cost might even be recoverable through small increments in user fees, but in general I think our stance would be that it does have a positive impact on profitability.
Erin: Great. Well thank you so much to Samsung for putting this fantastic presentation together. I want to thank our speakers also, Rich Lobovsky from Samsung SDSA, Frances Zelazny from BioCatch and Jennifer Singh from Thomson Reuters. Folks, thank you for joining us today. We hope you have a wonderful day and we look forward to seeing you at another event soon.
Whether you're looking for a specific business solution or just need some questions answered, we're here to help.