Frequently Asked Questions
What is MFA?
Multi-Factor Authentication (MFA) is an authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.
Multi-factor authentication can drastically reduce the incidence of online identity theft and other online fraud, because the victim's password is no longer enough to give a thief permanent access to your customer's information. However, many multi-factor authentication approaches remain vulnerable to phishing, man-in-the-browser, and man-in-the-middle attacks. MFA is especially susceptible to phishing attacks, particularly in SMS and e-mails.
Typically MFA uses 2 or more of the following "legacy" factors:
- Something the user has
- Something the user knows
- Somewhere the user is
- Something the user does
Verified addresses another factor that is inherent to the authentic identity of the user:
- Something the user is
A user's biometrics provide a level of certainty that is extremely difficult to falsify. A password may be compromised and sold on the dark web, knowledge-based questions may be mined from sources like social media, and devices may be lost or stolen. An individual's biometrics are far more unique than these other methods of authentication and are easily accessible under nearly any circumstances.
Multi-factor authentication is frequently used for scenarios where there is a need for additional verification due to an anomalous or high-risk event. Typical use case scenarios include:
|Account recovery||a user has forgotten login credentials or is logging in from an unknown device|
|Password Reset||a user has lost or forgotten their password, or the password has expired based on a security policy|
|Step-up Authentication||a user is attempting to perform high risk transaction or is exhibiting anomalous behavior, e.g., a large wire transfer or a purchase in a new geographic location where they have not previously done business|
|Application Access||access applications without a password|
|Building Access||gain access to buildings|
|Tourist Services||check-in for tourist services|
Each of these examples represents an event where there is a high likelihood of fraudulent activity or a high-risk activity that justifies a step up to an additional level of authentication.
What is Biometric Authentication?
Biometrics are unique physical characteristics, such as facial structure or fingerprints, that can be used for automated recognition. A biometric is a measurable biological (anatomical and physiological) and behavioral characteristic that can be used for automated recognition.
Biometric facial matching is a technology capable of identifying or verifying a subject through an image, video or any audiovisual element of their face against a representative biometric template. It uses measurements of the body, in this case face and head, to verify the identity of a person through its facial pattern and related measurements. The technology collects a set of unique biometric data of each person associated with their face and facial expression to identify, verify and/or authenticate a person.
Facial authentication solutions help ensure that only legitimate users are creating and accessing their online accounts — not some fraudster who has stolen the credentials or ID documents of identity theft victims off the dark web. Another key benefit of facial authentication is that businesses can leverage the same biometric data (i.e., a certified 3D face map) captured during enrollment and repurpose that same biometric for future authentication events. This means they can use the same solution for identity proofing and for ongoing user authentication.
What if a user is on a device that does not have a camera?
authID's web client service will automatically identify when the User's device does not have a camera. authID's service will present these users with a unique QR code (containing the specific Verified transaction information) and instruct the users to scan the QR code with any mobile device (with a camera). The Verified transaction will launch in the web browser of the User's mobile device where the User can take their selfie and complete their authentication. The status of the verified transaction on the mobile device will be monitored. Once completed the User can return to the original device to continue using your online platform/application.
How is Verified different from Apple FaceID?
Verified is a multi-factor cloud-based authentication service that verifies an account owner's identity using facial biometric matching in the cloud (something the user is) to allow consent to a transaction, e.g., recover/modify a forgotten password, and verify the identity of the account holder. Verified provides a biometric audit trail of all transactions that prove identities were duly verified. Verified authentication is portable to other devices, and the user is not restricted to using only a registered device to authenticate their identity.
Apple FaceID, however, is a device-based authentication which verifies that the registered device owner is present by matching the live image with the reference image stored in the device. Through this authentication the user is able to manage existing account passwords and other credentials on their registered device. With FaceID, if users change devices or forget a password, the user is still required to authenticate using insecure one-time passwords or answering secret questions (that have possibly been breached) or by costing you more when they speak with a customer service agent to recover account access.
FaceID authentication is restricted to that device and is not portable to other devices. Finally, FaceID does not stop device and account takeovers or SIM swaps that can still hurt your users and your enterprise. Someone else can register their face to a user's phone, use their face to login into your user's accounts—and your platform will never know. FaceID does not provide a biometric audit trail of which face was used to authenticate a user for a specific transaction.
How does authID protect against presentation attacks?
The authID platform provides two stages of presentation attack detection. The first stage utilizes active liveness in the form of a smile to initiate the capture of the selfie image. Once the selfie capture process is initiated the application will capture a series of frames to determine which frame has the optimal image quality for facial biometric matching and for processing through our second stage ISO 30107-3 Presentation Attack Detection (PAD) Level 2 compliant single frame passive liveness algorithm. This second stage PAD algorithm analyzes each pixel of the single frame to identify anomalies which would be present during spoofing attempts using a mask, picture, video playback, etc.
What is the difference between "Facial Recognition" and "Facial Matching"
authID provides solutions that leverage Facial Matching not Facial Recognition.
Facial Recognition uses a "One-to-Many" search, comparing a user photograph to a database of faces. It is used for Identification and is often performed without the cooperation or consent of the person(s). Facial Recognition is commonly used for law enforcement, identifying missing persons and location security for retail, casinos, and clubs etc.
Facial Matching as provided by authID performs a "One-to-One" match, comparing a person's selfie to a photo ID or stored facial biometric template the same person provided as proof of their identity. Facial Matching is used for Identity Verification and relies on unique biological characteristics to confirm that the identity of the person is who they claim to be. authID's service requires the user to provide consent to the identity verification process.
What is the impact of racial bias on Biometric Matching (or authID service)?
Independent study (NIST)
Data is taken from NIST FRVT test, for the Visa and Border dataset comparison.
- The failure to acquire rate does not depend on any demographic group, the technology requires sufficient lighting conditions and absence of certain artifacts in the image. According to NIST results the FTA is between 0.0001 for Visa dataset and 0.0002 for Border dataset.
- authID uses the same quality threshold to process images during enrollment and verification, therefore Failure to Enroll Rate (FTE) is the same as Failure to Acquire Rate (FTA)
- The system is configured with a threshold for a global False Match Rate (FMR) of 0.0001 and False Non Match Rate (FNMR) between 0.0013(Visa-Visa dataset) and 0.00654 (Border-Border) dataset.
- False Match Rate when comparing pairs of images of people from the same region (i.e., North Africa region, European Region, Middle East, etc.) can go up to 0.0005 depending on the region. Region is determined based on the declared place of birth.
- False Match Rate when comparing pairs of images of people across the regions is typically lower than the global FMR. It can be up to 100 times lower, i.e., producing false match between people of different ethnicity is much less likely.
- False Non-Match Rate varies from nominal (global) stated up to 2 times lower to 2.5 times higher for most counties of origin, with some exceptions.
In the production operational system demographics does not seem to have measurable effect on the system usability, authID is running a project in the Bahamas (where majority of participants would be classified by NIST as Caribbean region) with the following results:
- 6% FTA rate, resolved by retry to about 1% final FTA rate. Operational review of data reveals that it is always quality-related, i.e., environmental conditions, most often not enough / poor lighting or exposure.
- Zero reported False Match Rate
- 0.0015 False Non Match Rate
Comparing NIST data and our operational data it is clear that demanding higher quality in real-life implementation (function of the image acquisition software) results in higher FTA, which can be resolved by retry – and a very low or zero FMR.
Are there figures providing the accuracy and reliability of authID?
Our platform consists of multiple ensembles of models integrated through several workflow steps within our product. These are deployed on both the front end to optimize live image capture as well as backend processes to perform Presentation Attack Detection (PAD or liveness) as well as biometric matching.
We integrate proprietary and licensed models within our product that are trained on labeled image data including facial images. Our models are tested and benchmarked for both speed and accuracy on a variety of well-known publicly available benchmark datasets including the following:
- NIST Special Database 32 - Multiple Encounter Dataset (MEDS-II)
- University of Massachusetts Labeled Faces in the Wild (LFW)
- CASIA NIR-VIS 2.0 Database
What is being stored by authID with regards to the personal data of prospects/customers? How long is this information stored on authID side?
We store Proof data (Document Verification Data) temporarily to ensure that our customer's integrating system has time to retrieve and save the data. We expose this data through our Identity Portal for Customer's auditing and verification purposes. Valid credentials with specific role assigned are required to access the data. Data retention period is configurable, but typically 48 hours. All PII data is encrypted at rest and in flight prior to being automatically purged at the end of the retention period.
- The Verified data (user biometric authentications)
- The reference data is stored – at least template, or template and actual biometric data.
- The data provided by the user during biometric authentication can be stored for subsequent audit purposes.
What's the platform response time of authID's Proof and Verified products?
The authID platform is a fully automated process which can perform the end-to-end processing of a Proof transaction used for digital onboarding in around 90 seconds, on average. This time includes the web client capture of the ID (front and back) and the user's live selfie, the OCR and data extraction from the ID, the ISO 30107-3 PAD Level 2 compliant liveness check of the selfie, and biometric facial match between the cropped image from the ID and the live selfie.
This time assumes the client has their necessary documents available when they start the process. The Verified product which is used to authenticate a person using cloud based facial biometrics is also a fully automated process which on average can be completed in less than one minute. This time includes the live selfie capture of the client, the ISO 30107-3 PAD Level 2 compliant liveness check of the selfie, and the facial biometric match of the live selfie against a stored biometric facial template.