Possession Is Nine-Tenths of the Flaw: Why Device-based Biometrics Don’t Cut It for IAM

Michael Cichon

With credential stuffing attacks on 23andMe and Okta just the latest breaches to make headlines in recent weeks, the push for biometrics-based authentication is gaining momentum for Identity and Access Management (IAM).

The problem: biometrics aren't all created equal. Yes, device-based biometrics such as Touch ID, Face ID and Windows Hello reduce the threat of password-based account takeover (ATO). But they still leave IT guessing about the identity behind the device. Hardware tokens, and Apple, Microsoft and Google's decision to make passkeys the default for logins, help too, but a FIDO assertion only proves possession of a registered authenticator (and, at most, that its local user-verification step passed). The relying party never learns who enrolled that authenticator; it assumes, but does not validate, the identity. Thankfully, it doesn't have to be this way, provided you have the right IAM architecture.

IAM More Than Just a Device: Enabling F-Word Free Authentication 

Whether it's fingerprints or facial recognition, a stored biometric template can be stolen, and a sensor can be fooled with a photo, mask or replayed sample. Even without a breach, traditional biometric authentication only confirms that the person accessing an account is the same person who enrolled, not that the person who enrolled is really who they claimed to be. This matters when enrollment fraud leads to more than $3.2 billion in losses annually. For me, "fraud" is an f-word that typically leads to others we could all do without. That's where 1Kosmos comes in.

Identity-Backed Biometrics & Modern IAM Architectures

At 1Kosmos, we saw the urgency of finding a way to easily and accurately verify and authenticate identity in a way that can't be vouched for by a mere password, one-time passcode, or a static (and spoofable) biometric. That's why we set out to modernize IAM by combining strong identity verification and authentication within a unified architecture: one that offers strong identity assurance behind each device used to access online services, along with a seamless account enrollment and authentication experience. In Part One of this series, we provided an overview of this architecture and the pillars it's built upon. In this post, let's dig into a core pillar: biometric-based user authentication.

The 1Kosmos architecture employs automated, digitally verified identity to confirm user claims and credentials with 99.6% accuracy, stores them under user control, and binds them to an identity wallet and a biometric with liveness detection. This gives IT the security and control they need while providing users with a seamless login experience. The benefits are threefold:

High Assurance
Biometrics verified through liveness testing deliver the highest digital identity assurance possible and enable fast, frictionless multi-factor authentication. When matched to a verified identity, they eliminate fraudulent identities hiding behind valid credentials.

User Convenience

Unlike passwords and tokens, the physical traits used for biometric authentication can't be forgotten, written down, shared or phished. They provide quick, user-friendly authentication with or without passwords.

Flexible Use Cases

Whether the use case demands a fingerprint, voice match, a live biometric or other identifier, the 1Kosmos architecture provides affordable authenticators that adjust to varied and evolving business needs.

Building Bulletproof Biometric Authentication

We didn’t just follow the most effective approach to identity-backed biometric authentication. We defined it. 1Kosmos offers the only IAM architecture built with four crucial elements of identity-backed biometric authentication:  

Certification to FIDO2, NIST 800-63-3 and UKDIATF Standards

Our BlockID platform is certified to FIDO2, NIST 800-63-3 and UK DIATF standards, having undergone independent testing of its code quality and of its use of common devices to authenticate users. Combined with a verified identity, that gives you both security and convenience. BlockID supports USB security keys, keycard authentication, fingerprint readers and hardware tokens, and provides a framework to implement or augment passwordless authentication without locking you into a single provider. With identity-backed biometrics, you also get stronger security from physical traits: think a fingerprint scan with a USB security key, or FIDO-compliant facial recognition.

iBeta Certified Biometrics

As mentioned earlier, biometrics can improve security by replacing or augmenting passwords, but they can also be subject to theft or spoofing. iBeta is an independent, NIST-accredited biometrics testing lab whose certification programs test presentation attack detection (PAD) against the ISO/IEC 30107-3 standard to catch exactly these attacks. When enrolling with our BlockID solution, the user can perform an advanced form of biometric check, a liveness test, that rejects a photo, video, mask or other substitute for the authorized user's face.

Biometric Encryption

Biometric encryption pairs a biometric template with a public-private key pair: the private key is released only on a successful biometric match, and it is used to decrypt personally identifiable information (PII) for authenticating the user and sharing data with an online service. There is no password or static secret for an attacker to phish, replay or reverse-engineer. Without both the live biometric and the matching private key, the data in the digital wallet is not accessible, usable or even legible. There is no central store of user biometrics, so they remain private. Biometric authentication is easy to use and requires little, if any, user training.

Flexible Levels of Identity Assurance

With BlockID, you determine the type of biometric appropriate for a given application and the level of identity assurance appropriate to the business risk. For Know Your Customer (KYC) and Know Your Business (KYB) requirements, Identity Assurance Level 2 (IAL2, in NIST 800-63-3 terms) can be achieved using LiveID together with identity verification against government-issued credentials, such as a driver's license or passport. A liveness test confirms in real time that the user's face matches both the enrolled biometric and the verified documents.

Lesser levels of identity assurance can be achieved using information from banking, telco or corporate databases, or through "inferred" identity based on access to an email address or an already logged-in device, as appropriate for the intended use. For additional use cases, 1Kosmos can also verify a user's Social Security number (SSN) against the SSA, a driver's license against the American Association of Motor Vehicle Administrators (AAMVA), a passport against ICAO or the US Department of State, or confirm that a user is indeed a physician by validating their NPIN (National Physician Information Number).

As documents and accounts are enrolled, the location and phone number are verified against the issuing authority. The user's LiveID scan is then validated against the photo extracted from the document. Once complete, the user's biometrics are captured, and the data is encrypted so that only the user's private key can unlock it, then stored within a private, permissioned blockchain.
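To make the Biometric Encryption section and the enrollment flow above concrete, here is an added illustration. It is not 1Kosmos or BlockID code and does not describe how BlockID implements any of this; it is a model of the idea: verified claims are sealed at enrollment under a key that requires both a device-held secret and a liveness-gated biometric match, and the server or ledger side keeps only ciphertext. The names (enroll, unlock, DeviceSecrets, WalletRecord) are hypothetical, the sample template and claims are constructed, only the Python standard library is used, a SHA-256 counter-mode stream plus HMAC tag stands in for a real AEAD such as AES-GCM, and the template is treated as an exact byte string. Real biometric samples are never bit-identical, which is why production systems match inside a secure enclave or use a fuzzy extractor rather than hashing raw templates.

```python
"""Added illustration, not 1Kosmos/BlockID code: a wallet sealed under a key
that needs BOTH a device-held secret and a liveness-gated biometric match.
Toy AEAD (SHA-256 stream + HMAC) and exact-match templates are simplifications."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC with separate keys derived from one wallet key."""
    enc_key = hkdf_sha256(key, b"wallet-aead", b"enc")
    mac_key = hkdf_sha256(key, b"wallet-aead", b"mac")
    nonce = secrets.token_bytes(16)
    ciphertext = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag

def unseal(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or an edited record fails here."""
    enc_key = hkdf_sha256(key, b"wallet-aead", b"enc")
    mac_key = hkdf_sha256(key, b"wallet-aead", b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wallet record failed integrity check")
    return _xor_stream(enc_key, nonce, ciphertext)

@dataclass
class DeviceSecrets:
    """Stays on the device (stand-in for a secure enclave); never sent anywhere."""
    wrap_key: bytes        # random device secret
    template_salt: bytes   # salt for the local template commitment
    template_ref: bytes    # salted digest of the enrolled template, never the template

@dataclass
class WalletRecord:
    """What the server/ledger stores: ciphertext and tag only, no biometric."""
    nonce: bytes
    ciphertext: bytes
    tag: bytes

def _wallet_key(dev: DeviceSecrets, template: bytes) -> bytes:
    # Both inputs are mixed in: a stolen device secret without the biometric
    # (or the reverse) derives a different key and cannot open the wallet.
    return hkdf_sha256(dev.wrap_key + template, dev.template_salt, b"wallet-v1")

def enroll(template: bytes, verified_claims: dict) -> tuple[DeviceSecrets, WalletRecord]:
    """Bind already-verified identity claims to the biometric at enrollment."""
    salt = secrets.token_bytes(16)
    dev = DeviceSecrets(secrets.token_bytes(32), salt,
                        hashlib.sha256(salt + template).digest())
    nonce, ct, tag = seal(_wallet_key(dev, template), json.dumps(verified_claims).encode())
    return dev, WalletRecord(nonce, ct, tag)

def unlock(dev: DeviceSecrets, rec: WalletRecord,
           presented_template: bytes, liveness_passed: bool) -> dict:
    """Release the claims only after liveness AND the biometric match succeed."""
    if not liveness_passed:
        raise PermissionError("presentation attack detection failed")
    ref = hashlib.sha256(dev.template_salt + presented_template).digest()
    if not hmac.compare_digest(ref, dev.template_ref):
        raise PermissionError("biometric does not match enrolled template")
    return json.loads(unseal(_wallet_key(dev, presented_template),
                             rec.nonce, rec.ciphertext, rec.tag))

if __name__ == "__main__":
    # Constructed sample: a fake template and claims from a pretend document check.
    template = b"constructed-face-template-0001"
    dev, rec = enroll(template, {"name": "A. Example", "ial": 2, "doc": "passport"})
    print(unlock(dev, rec, template, liveness_passed=True))
```

Running the block prints the unlocked claims. A failed liveness check or a non-matching template raises PermissionError before any decryption is attempted, and an edited wallet record fails the integrity tag with ValueError. The part worth taking away is the derivation in _wallet_key: copying the record off the ledger, or lifting the device secret alone, yields nothing readable, which is the property the "no central storage of biometrics" claim above depends on.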

An Unbeatable Advantage 

In Part Three, we’ll drill down on another core pillar of the 1Kosmos architecture: decentralized digital identity and how it provides users with secure anytime, anywhere access to ID cards, driver licenses, social security details, and more through a reusable identity wallet.  

Learn how 1Kosmos can help your organization modernize Identity and Access Management—visit our Architectural Advantage page and schedule a demo today.

Meet the Author

Michael Cichon

CMO of 1Kosmos

Michael is a Silicon Valley veteran with over two decades of experience marketing B2B SaaS solutions for startups and publicly traded companies. Prior to joining 1Kosmos, Michael held VP of Digital and Content Marketing roles at both Agari and ThreatMetrix.