More than half of IT professionals don’t use advanced solutions and processes for authentication, according to Equifax. This can lead to greater instances of fraud, which, in turn, drives customers away. That’s why so many organizations are interested in digital identity verification technology, which helps them quickly verify the digital identities of both new and existing users using some combination of biometrics, machine learning and artificial intelligence. The identity verification market is growing quickly and is expected to reach $12.8 billion by 2024. We talked to Mathias Klenk, CEO and co-founder of Passbase, which builds identity verification tools.
ITPro Today: Why isn’t two-factor authentication good enough for verification purposes?
Klenk: Two-factor authentication is vulnerable to attack. Through brute force, phishing or third-party login processes, like the option to log in through Facebook, user accounts may fall prey to data breaches. When deploying authentication, businesses should avoid simple two-factor authentication methods like one-time passwords over SMS, voice calls or emails.
ITPro Today: What is your definition of acceptable digital identity verification for businesses?
Klenk: The goal for any business's digital identity verification process should be to protect data and prevent fraudulent activities. The ideal digital identity tool would leverage biometric technology like facial recognition and liveness detection [and] government-issued IDs, and ensure a friction-free process for the user. But to enable digital identity verification, businesses shouldn't focus only on streamlining the identity verification process; they need to enable identity ownership and reuse across different services.
ITPro Today: What role does compliance play in how companies manage identity verification today?
Klenk: Without an effective, robust identity verification process, organizations increase their exposure to KYC [know your customer] and anti-money laundering penalties. With data privacy laws like the GDPR [General Data Protection Regulation] and CCPA [California Consumer Privacy Act], companies need to ensure that the information they collect, which includes biometric and sensitive data, complies with the regulations. Companies will need to be transparent on the personal data collected, manage requests for deletion of data and ensure policies against reselling data are in place.
This highlights the need for organizations to rethink their identity verification process to one which gives users control over what data to share and who to share it with.
ITPro Today: How can organizations allow users to gain access to the services they need without exposing sensitive information or breaching compliance obligations?
Klenk: Organizations will need to use access control policies. They should protect people’s information by design and collect only the information they need, protected by the latest enhancements in biometric authentication, decentralized systems and anti-spoofing technologies.
The only true way of protecting personal data is by not sharing it. When we look at the future of security and consider ways to prevent identity theft and attacks, there needs to be a mix of biometric authentication and zero-knowledge proofs--where users own their own data but don’t share it.
ITPro Today: How can they do that while still being sure of the identity of the user accessing their platform?
Klenk: They can tap into identity verification processes that have privacy built in, those that comply with data privacy regulations like GDPR. Make sure the platform uses a combination of knowledge-based authentication, biometrics and liveness detection, all backed by government IDs.
ITPro Today: How do you define zero-knowledge authentication, and what’s needed to achieve it?
Klenk: Zero-knowledge authentication allows a user to prove that he/she knows a credential without having to share that credential. With this, there's no transfer or storage of passwords/user credentials. End-to-end encryption is one of the ways companies use zero-knowledge proof.
ITPro Today: What technologies can be useful in achieving zero-knowledge authentication?
Klenk: Organizations can tap into biometrics, a device owned by the user, like a hardware key, or analysis of the device’s features/details.
ITPro Today: You offer ID verification as a service. When is that a useful approach for organizations, and when is it better if organizations manage it themselves?
Klenk: Outsourcing identity verification could help businesses gain access to some of the best technologies out there and easily integrate several components like identity checks and fraudulent accounts through software development kits [SDKs]. This adds significant value, since it can be a painful process to do digital identification online and integrate it. This can be especially useful to small businesses, which need to facilitate interactions with people but don’t have the bandwidth or the desire to hire and sustain a compliance division in-house or store gigabytes of sensitive data on their servers. The goal is to supply businesses with the technology they need, while making it cost-efficient and cheaper for them to access.
ITPro Today: What is the future of user authentication, in your opinion?
Klenk: Companies should move away from aggregating and collecting data about their users. The future of security must lie in a privacy-centric architecture where users can maintain the same ease of use--without friction--while having control over their data. This is crucial to fighting identity theft and privacy attacks.