Mobile Identity Authentication
Many potential business cases point to the desire for an identity authentication solution available as a mobile application on a smartphone or tablet. In some cases, it simply isn’t feasible to have a stationary device, tethered to a PC, available at the location where authentications must occur. In other cases, it may be desirable to have a client who is not in your physical store or branch location conduct an identity authentication wherever they are, which might be in their home, at a hotel, or even walking on the street.
Mobile identity document authentication is a challenging task. In the United States alone, there are more than 1,200 different valid types of identity document. The task of recognizing and authenticating such a large variety of documents requires significant knowledge about the documents themselves and what to look for.
Authentication with a mobile device must rely on images captured by the cameras that most iOS and Android phones now include, and those images must be of sufficient quality and clarity to allow for deep pattern matching. This process, deep pattern matching, compares ID images to a comprehensive identity document library with detailed information about the design of each different type of ID. FraudFighter is partnered with the leading document library companies in the world in developing its mobile authentication solution, MobilVerify.
Mobile Authentication Case Study: State of Alabama leads the way in Tax Fraud Prevention with eID Initiative
In May 2016, an important announcement involving online identity authentication was made. The state of Alabama announced that it was implementing a system (eID) that would allow tax filers to self-authenticate their driver license using their mobile device. The solution then lets the person confirm that they are the same person pictured on the identity document by using the smart device to capture a selfie image, which is authenticated against their driver license photo.
The eID initiative will allow taxpayers to opt-in to a program that adds a new layer of security regarding tax return processing. eID leverages the highly trusted and secure driver’s license and ID card database managed by the Alabama Law Enforcement Agency to ensure that individuals are who they claim to be. Alabama taxpayers will be able to confidently place a “lock” on their tax ID within the Alabama Department of Revenue to be sure that tax returns are not processed in their name without their authorization. The eID is empowering participants to use their verified identities (including selfies) as a way to protect their personal transactions. The “selfie” provided by the individual filing a return can be compared to the photo on file in the DL/ID database and is used as part of the layered security process. This allows fraudulent filings to be intercepted before the individual and state are the victims of tax refund fraud.
“Tax refund fraud is a core issue for not only Alabama but all states, and we are dedicated to protecting our citizens,” said Alabama Revenue Commissioner Julie P. Magee. “This innovative initiative will allow all taxpayers to put the control in their own hands – and it specifically gives a way for those who have already had issues with identity theft to attain a level of comfort and protection that they did not have in the past.”
Make Sure the Customer is “Known” Before Allowing Transaction to Complete
The two-factor process of authenticating the individual during online transactions adopted by Alabama is a ground-breaking new paradigm, one that can be implemented in online and mobile transaction environments across many industry sectors.
With mobile phone penetration nearing 70% of the U.S. adult population (a Pew Foundation poll in 2015 determined the number to be 68%), it is highly probable that an individual conducting a transaction in your online environment will have such a device available. There is a strong correlation between individuals who conduct transactions online (such as making purchases and performing banking tasks) and those who own smartphones. Of course, customers conducting mobile transactions by definition must have a mobile device.
The two-factor mobile authentication process can be used in a couple of different ways:
- Option one would be to always require two-step authentication (e.g., ID document authentication and facial matching). An example of this would be for eCommerce stores that allow guest checkouts. In this scenario, the customer would proceed through product selection and checkout as normal. At the point where a credit card has been entered, the shopping cart will generate an SMS (text message) to the customer’s cell phone. The text contains a link that will open a web-based ID authentication application. The customer will follow the instructions to authenticate their license and to capture a selfie “facial” image. The ID authentication application will authenticate the ID document, and also ensure that the person using the ID matches the picture on the ID. After the customer authenticates their ID document, the authentication application will generate a token back to the shopping cart (or online banking, or request for credit, etc.) and give clearance for the transaction to continue.
- A second option would be applicable to environments where repeat authentications may be required. An ideal use case would be online account access, such as accessing a bank account or a cellular phone account. Under this scenario, the first time the customer transacts with the online account environment, the same identity authentication process described in option one would be followed. During this process, the client can accept being enrolled in a “biometric authentication program”, which would allow future log-ins to the account by capturing a facial selfie image. Alternatively, if clients are hesitant or worried about taking selfie images, it is possible to achieve the same result with a voice-pattern match by recording a password phrase. As before, when attempting to access a secured area, the application (online banking, mobile shopping cart, etc.) will send an SMS to the user, who then authenticates themselves with a facial image or voice print match.
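The clearance step that both options end with (the ID authentication application handing a token back to the shopping cart or account application) is sketched below as an added example; it is not FraudFighter's or MobilVerify's code. The JSON-plus-HMAC token layout, the shared key, the field names and the five-minute lifetime are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumptions for this sketch: a key shared by the ID-auth service and the
# cart, a JSON+HMAC token layout, and a 5-minute lifetime. None are from the page.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 300
used_nonces = set()  # cart-side replay cache (in-memory for the demo)

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_clearance(txn_id, doc_ok, face_ok, now=None):
    """ID-auth service: sign the check results, bound to one transaction."""
    claims = {"txn": txn_id, "doc_ok": doc_ok, "face_ok": face_ok,
              "nonce": secrets.token_hex(16),
              "iat": int(time.time() if now is None else now)}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)

def verify_clearance(token, expected_txn, now=None):
    """Cart: return (ok, reason); only (True, 'cleared') lets checkout continue."""
    try:
        body_part, tag_part = token.split(".")
        body = base64.urlsafe_b64decode(body_part)
        tag = base64.urlsafe_b64decode(tag_part)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed"
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["txn"] != expected_txn:
        return False, "wrong transaction"   # token minted for another order
    if now - claims["iat"] > MAX_AGE_SECONDS:
        return False, "expired"
    if not (claims["doc_ok"] and claims["face_ok"]):
        return False, "checks failed"       # both steps must pass
    if claims["nonce"] in used_nonces:
        return False, "replayed"            # single use
    used_nonces.add(claims["nonce"])
    return True, "cleared"
```

Binding the token to the transaction identifier, a short lifetime and a single-use nonce is what keeps a clearance obtained for one checkout from being reused for another.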
Frequently Asked Questions
How are ID documents authenticated?
MobilVerify reads the barcode, and then compares the data to the Enhanced Security Feature (ESF) data. Note that not all ID documents have barcodes and/or an ESF. In such cases, the front of the license is imaged and a deep pattern match is conducted that is similar to that conducted with the point-of-sale scanner, with the exception that only white-light (visible) images are used for authentication.
What happens to the personal data?
As a leader in fraud prevention, we take the safety and security of personal identity data very seriously. We have observed the steady increase in the instances of mass data hacking, and have researched and reported frequently about the sophistication of the criminal marketplaces that have arisen to capitalize financially on the stolen data. For this reason, we are committed to absolute security on any data that is managed by our systems.
Every process we design which in any way touches personally identifying data is built with data security in mind. Several overriding principles guide us in this approach:
- Only capture and process necessary data. Prior to communicating any personal data, we ask “what is the minimum data necessary to achieve the stated goal?” We then design our integration processes to only synchronize the data that is necessary.
- Move the data the fewest possible number of times. Some of the add-on processes required to achieve the expanded benefit of authenticating an individual will require that data be moved between different applications. In designing custom configurations for clients, the fundamental design will be driven by the goal of minimizing the number of times this is required.
- Utilize industry best-practice security standards. Security vulnerability testing is conducted constantly. Our membership in Cloud Security industry groups allows us to keep an as-current-as-possible awareness of new information, vulnerability and hacking incidents occurring in the industry and new developments in the virtual and cloud application marketplace.
What if we don’t want employees using their own smart phones?
Many organizations are quite comfortable with the “bring your own device” mentality; however, we realize that this may not be appropriate for your organization, or for the specific purpose in mind in this instance – e.g. capturing images and data from ID documents.
For this reason, FraudFighter is able to provide dedicated mobile devices to clients with the MobilVerify application pre-installed at very reasonable prices.