by Blair Cohen, Founder & President of AuthenticID
Not only has digital transformation completely reshaped the way we conduct business, but it has also introduced an onslaught of fraudulent attacks on organizations and consumers alike. In fact, more than half (53%) of consumers today have had their identity compromised at some point. As we continue down the path of digital transformation, cyberattacks will only increase in volume and complexity. As a result, identity-proofing will remain a critical piece of the fraud-prevention puzzle.
With the total cost of cybercrime expected to reach $8 trillion this year, there are several next-gen authentication methods business leaders should consider implementing to help protect both their company and their customers from harm.
The Value of Stateless and Biometric Authentication in Fighting Fraud
Stateless authentication – also known as token-based authentication – verifies users through tokens, most frequently a JSON Web Token (JWT), which are used for managing authorization. With this authentication method, information is stored within the token, allowing a user to access what they need without being required to provide their username or password.
Token-based authentication offers another layer of security beyond passwords and other single-factor authentication methods, giving only administrative users control over the actions needed for verification. As hackers have grown to realize, passwords are often repeated or slightly changed across accounts over time, making them easily accessible and, in some cases, putting multiple accounts at risk.
Adding token-based authentication is an important step in preventing fraud as it ensures that any user must not only correctly enter their password but also have access to an external account or device that will verify their identity through a uniquely generated, cryptographically signed token or code. While this is a smart route to bolster security, this approach can be further strengthened to enable passwordless access through the use of biometric authentication.
New technology has enabled fraudsters to reroute text messages and easily gain access to a person’s sensitive information via an account takeover or by remotely accessing their IoT devices. Biometric authentication uses facial, fingerprint, iris, and voice biometric data to prove someone’s identity.
For example, a person’s face is instantly compared to and matched with a database of existing users to prevent one user from making multiple accounts. Today, behavioral biometric technology is being used to detect behaviors like keystrokes or touchscreen behavior to continuously authenticate a user, leading to even stronger authentication.
Unfortunately, today’s fraudsters have the benefit of new technologies like generative AI that make it much easier to spoof someone’s biometric information. To effectively deter fraud, organizations need to implement solutions with biometric algorithms that aren’t vulnerable to generative AI and injection attacks, in addition to moving away from KBA and SMS authentication methods, which are becoming easier and easier for bad actors to break through in our increasingly digital world.
Next-generation authentication like this provides a winning balance between security and convenience. Deploying future-forward biometric and/or stateless authentication methods will ensure that the person attempting to access an account or perform a transaction actually is who they say they are.
Identity Verification Driven by AI and Machine Learning
Current methods of identity fraud vary from creating fake IDs and passports to the use of more advanced, hard-to-spot deepfake technology. Even the technology available to cybercriminals is advanced enough to create replica ID cards that could fool the most experienced expert. A lot of solutions today only run around ten tests on an identity document, thus requiring manual review from humans, while top-of-the-line solutions using machine learning are able to run hundreds of tests, which decreases user friction while increasing verification accuracy.
Utilizing AI and ML is necessary for accurate and secure ID verification because people can’t learn all of the intricacies of identity documents. AI and ML offer a replacement for manual ID verification and can process data much faster than humans, resulting in the ability to quickly spot suspicious patterns, while also making sure visual aspects of the ID are in the right place. This would take much longer for a person to do manually. The technology-driven method is also scalable, which allows for substantial operational expense benefits.
Not only that, but AI and machine learning can also perform facial recognition, block user actions, detect suspicious logins, and identify faulty transactions. Effective ID verification requires a combination of AI and ML, coupled with best-of-breed facial recognition and liveness detection technology to detect fake identity documents and deepfakes, ensuring authorization is only granted to the correct person.
Zero Trust Security Infrastructure
As we’ve seen, digital transformation can cause a whirlwind of security issues. Oftentimes, technology and software are released by organizations without a true look into security implications or potential vulnerabilities. Methods that used to be reliable, such as one-time passwords and QR codes, now fall vulnerable to fraudsters. As methods of fraud increase, a Zero Trust approach – the principle of never trust, always verify – will be critical to keeping bad actors at bay.
A Zero Trust Security framework requires all users to verify their identity before gaining access to valuable information. Even after users are authenticated once, they will need to continue verifying their identity each time they attempt to regain access. Each user and device should be authenticated, meaning ultimate trust in a company’s identity proofing strategies will be key.
With a cyberattack happening every 39 seconds, organizations must take a holistic approach to security by combining a number of best practices and technologies in order to effectively fight fraud. As the fraud landscape continues to evolve, companies must stay one step ahead of bad actors. Proactively adopting new technologies as quickly as fraudsters come up with new schemes will be an invaluable line of defense.
This article was originally published in Cyber Defense magazine, August 2023.