What is MFA?

Multi-Factor Authentication (MFA) is an authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.

Multi-factor authentication can drastically reduce the incidence of online identity theft and other online fraud because the victim's password is no longer enough to give a thief permanent access to your customer's information. However, many multi-factor authentication approaches remain vulnerable to phishing, man-in-the-browser, and man-in-the-middle attacks. Multi-Factor Authentication (MFA) is especially susceptible to phishing attacks, particularly in SMS and e-mails.

Typically MFA uses 2 or more of the following legacy factors:

  • Something the user has
  • Something the user knows
  • Somewhere the user is
  • Something the user does

Verified addresses another factor that is inherent to the authentic identity of the user:

  • Something the user is

A user's biometrics provide a level of certainty that is extremely difficult to falsify. A password may be compromised and sold on the dark web, knowledge-based questions may be mined from sources like social media, and devices may be lost or stolen. Compared to other verification techniques, a person's biometrics are more distinctive and available in almost every situation.

When there is a requirement for further verification because of an unusual or high-risk incident, multi-factor authentication is common.

Find the below typical use case scenarios include:

Use CaseDescription
Account recoveryIf a user forgets login credentials or is logging in from an unknown device.
Password ResetIf a user lost or forgotten the password, and or the password expired based on the security policy.
Step-up AuthenticationIf a user is attempting to perform high-risk transactions or is exhibiting anomalous behavior, e.g., a large wire transfer or a purchase in a new geographic location where they have not previously done business.
Application AccessAccess applications without a password.
Building AccessGain access to buildings.
Tourist ServicesCheck-in for tourist services.

Each of these examples represents an event where there is a high likelihood of fraudulent activity or a high-risk activity that justifies a step up to an additional level of authentication.

What is Biometric Authentication?

Biometrics are unique physical characteristics, such as facial structures or fingerprints, that can be used for automated recognition. A biometric is a measurable biological (anatomical and physiological) and behavioral characteristic that can be used for automated recognition.

Biometric facial matching is a technology capable of identifying or verifying a subject through an image, video, or any audiovisual element of their face against a representative biometric template. It uses measurements of the body, in this case, face and head, to verify the identity of a person through its facial pattern and related measurements. The technology collects a set of unique biometric data of each person associated with their face and facial expression to identify, verify, and authenticate a person.

Facial authentication solutions help ensure that only legitimate users are creating and accessing their online accounts — not some fraudster who has stolen the credentials or ID documents of identity theft victims off the dark web. Another key benefit of facial authentication is that businesses can leverage the same biometric data (i.e., a certified 3D face map) captured during enrollment and repurpose that same biometric for future authentication events. This means they can use the same solution for identity proofing and for ongoing user authentication.

What if a user is on a device that does not have a camera?

authID's web client service will automatically identify when the User's device does not have a camera. authID's service will present these users with a unique QR code (containing the specific Verified transaction information) and instruct the users to scan the QR code with any mobile device (with a camera). The Verified transaction will launch in the web browser of the User's mobile device where the User can take a selfie and complete their authentication. The status of the verified transaction on the mobile device will be monitored. Once completed the User can return to the original device to continue using your online platform/application.

How is Verified different from Apple FaceID?

Verified is a multi-factor cloud-based authentication service that verifies an account owner's identity using facial biometric matching in the cloud (something the user is) to allow consent to a transaction, e.g., recover/modify a forgotten password, and verify the identity of the account holder. Verified provides a biometric audit trail of all transactions that prove identities were duly verified. Verified authentication is portable to other devices, and the user is not restricted to using only a registered device to authenticate their identity.

Apple FaceID, however, is a device-based authentication that verifies that the registered device owner is present by matching the live image with the reference image stored in the device. Through this authentication, the user can manage existing account passwords and other credentials on their registered device. With FaceID, if users change devices or forget a password, they are still required to authenticate using insecure one-time passwords or answering secret questions (that have possibly been breached) or by costing you more when they speak with a customer service agent to recover account access.

FaceID authentication is restricted to that device and is not portable to other devices. Finally, FaceID does not stop device and account takeovers or SIM swaps that can still hurt your users and your enterprise. Someone else can register their face to a user's phone, and use their face to log into your user's accounts—and your platform will never know. FaceID does not provide a biometric audit trail of which face was used to authenticate a user for a specific transaction.

How does authID protect against presentation attacks?

The authID platform provides two stages of presentation attack detection. The first stage utilizes active liveness in the form of a smile to initiate the capture of the selfie image. Once the selfie capture process is initiated the application will capture a series of frames to determine which frame has the optimal image quality for facial biometric matching and for processing through our second stage ISO 30107-3 Presentation Attack Detection (PAD) Level 2 compliant single frame passive liveness algorithm. This second stage PAD algorithm analyzes each pixel of the single frame to identify anomalies that would be present during spoofing attempts using a mask, picture, video playback, etc.

What is the difference between "Facial Recognition" and "Facial Matching"

authID provides solutions that leverage Facial Matching not Facial Recognition.

Facial Recognition uses a "One-to-Many" search, comparing a user photograph to a database of faces. It is used for Identification and is often performed without the cooperation or consent of the person(s). Facial Recognition is commonly used for law enforcement, identifying missing persons, and location security for retail, casinos, clubs, etc.

Facial Matching as provided by authID performs a "One-to-One" match, comparing a person's selfie to a photo ID or stored facial biometric template the same person provided as proof of their identity. Facial Matching is used for Identity Verification and relies on unique biological characteristics to confirm the identity of the person is who they claim to be. authID's service requires the user to provide consent to the identity verification process.

What is the impact of racial bias on Biometric Matching (or authID service)?

Independent study (NIST)

Data is taken from the NIST FRVT test, for the Visa and Border dataset comparison.

  1. The failure to acquire rate does not depend on any demographic group, the technology requires sufficient lighting conditions and the absence of certain artifacts in the image. According to NIST results, the FTA is between 0.0001 for the Visa dataset and 0.0002 for the Border dataset.
  2. authID uses the same quality threshold to process images during enrollment and verification, therefore the Failure to Enroll Rate (FTE) is the same as the Failure to Acquire Rate (FTA)
  3. The system is configured with a threshold for a global False Match Rate (FMR) of 0.0001 and False Non-Match Rate (FNMR) between 0.0013(Visa-Visa dataset) and 0.00654 (Border-Border) dataset.
    • False Match Rate when comparing pairs of images of people from the same region (i.e., North Africa region, European Region, Middle East, etc.) can go up to 0.0005 depending on the region. The region is determined based on the declared place of birth.
    • False Match Rate when comparing pairs of images of people across the regions is typically lower than the global FMR. It can be up to 100 times lower, i.e., producing false matches between people of different ethnicities is much less likely.
    • False Non-Match Rate varies from nominal (global) stated up to 2 times lower to 2.5 times higher for most counties of origin, with some exceptions.

Operational Data

Demographics do not appear to have a discernible impact on the usability of the production operational system.

For example, authID is conducting an experiment in the Bahamas, where the majority of participants would be categorized by NIST as belonging to the Caribbean area. The project's outcomes are as follows:

  • 6% FTA rate, resolved by retrying to about 1% final FTA rate. Operational review of data reveals that it is always quality-related, i.e., environmental conditions, most often not enough / poor lighting or exposure.
  • Zero reported False Match Rate.
  • 0.0015 False Non-Match Rate.

Comparing NIST data and our operational data it is clear that demanding higher quality in real-life implementation (function of the image acquisition software) results in higher FTA, which can be resolved by retry – and a very low or zero FMR.

Are there figures providing the accuracy and reliability of authID?

Our platform consists of multiple ensembles of models integrated through several workflow steps within our product. These are deployed on both the front end to optimize live image capture in the backend processes to perform Presentation Attack Detection (PAD or liveness) to biometric matching.

We integrate proprietary and licensed models within our product that are trained on labeled image data including facial images. Our models are tested and benchmarked for both speed and accuracy on a variety of well-known publicly available benchmark datasets including the following:

  • NIST Special Database 32 - Multiple Encounter Dataset (MEDS-II).
  • University of Massachusetts Labeled Faces in the Wild (LFW).
  • CASIA NIR-VIS 2.0 Database.

What is being stored by authID about the personal data of prospects/customers? How long is this information stored on the authID side?

We store the Proof data (Document Verification Data) temporarily to ensure that our customer's integrating system has time to retrieve and save the data. We expose this data through our Identity Portal for Customer auditing and verification purposes. Valid credentials with the specific roles assigned are required to access the data. The data retention period is configurable, but typically 48 hours. All PII data is encrypted at rest and in flight before being automatically purged at the end of the retention period.

  • The Verified data (user biometric authentications).
  • The reference data is stored – at least template, or template and actual biometric data.
  • The user-provided data during biometric authentication can be stored for subsequent audit purposes.

What's the platform response time of authID's Proof and Verified products?

The authID platform is a fully automated process that can perform the end-to-end processing of a Proof transaction used for digital onboarding in around 90 seconds, on average. This time includes the web client capture of the ID (front and back) and the user's live selfie, the OCR and data extraction from the ID, the ISO 30107-3 PAD Level 2 compliant liveness check of the selfie, and biometric facial match between the cropped image from the ID and the live selfie.

This time assumes the client has the necessary documents available when they start the process. The Verified product is used to authenticate a person using cloud-based facial biometrics is also a fully automated process on average can be completed in less than one minute. This time includes the live selfie capture of the client, the ISO 30107-3 PAD Level 2 compliant liveness check of the selfie, and the facial biometric match of the live selfie against a stored biometric facial template.

What is an Owner in Biometric Search response?

The user biometric identifier in authID platform is always nested within with an account. The owner refers to the user account the biometric credential belongs to.

For more details refer to Biometric Search API response page.

How to Take a Good Picture of Passport / Driving License?

When it comes to, capturing a clear and usable picture of a passport or driving license, it is essential to ensure that the image quality is high enough for various purposes, such as identity verification, online applications, or document uploads. To achieve this, consider the following tips to guarantee that you obtain a high-quality and acceptable image:

  1. Ensure only your document ID is present in the picture. Nothing else.
  2. Use sufficient, natural lighting instead of a flash. It is best if the photo is taken during the daytime.
  3. Ensure the lens is not greasy. Ensure your cellphone camera lens is clean and free of smudges or debris, it can contribute to glare.
  4. Take the photo directly above the ID as soon as possible. Ensure your shadow does not cover your ID.
  5. Ensure all four edges of your ID are visible within the image.
  6. Ensure all information on the ID is clear & legible.
  7. Avoid taking photos of documents close to the cellphone. Also, do not change the distance from the document, move around, or shake the phone. These make it hard for the cellphone camera to focus properly.
  8. If the document is worn, aged, or physically damaged, the ability to process it is significantly hindered.
  9. Only current documents that are in date can be accepted for verification.

Guidelines to ensure you obtain a high-quality, acceptable image:

  • Good lighting: If the image is too dark or bright, the document might not be processed successfully.

  • Avoid reflections: We recommend avoiding using Flash on your mobile device when capturing document images.

  • Focus and sharpness: Ensure the image is in focus and there are no blurred areas.

  • Angle: The tilt angle of the document should not exceed 10 degrees in any direction (horizontal or vertical).

  • Margins (too small): Ensure minimal space around the document. It is recommended that the document takes up 70-80% of the image.

  • Margins (too big): Ensure the space around the document does not take up more than 20-30% of the image. It is recommended that the document takes up 70-80% of the image.

  • Contrast: The document must contrast to the background. A light-colored document on a light background and a dark-colored document on a dark background might not be recognized.

  • Resolution of the image: To achieve a good quality recognition of identification documents, we recommend providing captured images by a camera with a resolution of at least Full HD (1920×1080) and autofocus.

  • Extraneous objects: Ensure your hands or other objects do not cover document data.