The Business Challenge
Multi-factor authentication (MFA) has risen in prominence as a way to authenticate customer identity for logins and payments.
This is particularly true for banks and financial institutions that, for legal reasons, need to perform identity proofing with their customers before opening new accounts.
Various business-to-consumer industries including higher education, telco, online gaming, government, travel, healthcare, utilities, real estate, legal services, and others also need to establish trusted and typically long-term customer relationships. They also value multi-factor authentication with flexible levels of identity assurance to secure customer accounts and protect their customers from fraud.
Traditional MFA solutions that rely on SMS, push notifications and email not only add too much friction to the transaction, but also come with well-known security loopholes that lead to compromise. Consumers are also getting phished more often. They routinely get emails, SMS messages, and phone calls trying to trick them into disclosing account credentials or personal information, or into downloading malware.
Biometric MFA delivers a more convenient, touchless user interface and provides fast and secure access without passwords. And, with a passwordless approach, phishing attacks, account compromise and those pesky SMS codes become relics of the past.
The BlockID Advantage
FIDO2 and NIST 800-63-3 certifications provide the highest level of digital biometric identity and authentication assurance with superior interoperability
In an approach truly suited to the times, we use the Trusted Platform Module / Secure Enclave of a device (what you have) and a live biometric (what you are) to perform next-generation multi-factor authentication. In terminology familiar from Strong Customer Authentication, the device becomes the “possession element” and the biometric the “inherence element”.
1Kosmos BlockID Customer works on the principle of public and private cryptographic keys in which the private key is stored on the user’s device (Secure Enclave) and cannot be accessed by anyone else, while the corresponding public key is stored on 1Kosmos Cloud infrastructure built on a distributed ledger. Instead of using a password to authenticate, an individual uses their identity and their own device.
Because our platform is FIDO2 and NIST 800-63-3 certified, it provides up to certified identity assurance level 2 (IAL2) and certified authentication assurance level 2 (AAL2) and offers a high degree of interoperability via API / SDK. This eliminates the need for third-party 2FA, one-time codes, and other authentication methods.
LiveID biometric matching provides the “inherence element” and verifies the individual, not just device-level access
To overcome facial spoofing through the use of a photo, video, mask, or a different substitute for the actual face of a legitimate person, we’ve developed “LiveID”, which is essentially a short selfie video. This is matched to the image on a scanned credential … the photo on a driver’s license or a passport, for example … to verify a likeness.
LiveID is a real biometric, not just the phone’s interpretation of someone’s face or finger. This means that any time LiveID is used, it is compared to the biometric captured during the enrollment process.
We call this a liveness test. It is performed to verify that the biometric traits presented come from a living person rather than from an artificial or lifeless substitute.
After enrollment, a liveness test is performed each time a user needs access to online services. When the live test doesn’t match the test performed during the enrollment process, the authentication fails. The liveness test is also used to verify compromised TouchID and FaceID forms of device biometrics.
One solution supports multiple authentication channels and methods
We provide multiple ways for users to authenticate:
- The 1Kosmos Mobile App: Our mobile app is available on the Apple App Store and Google Play and is typically downloaded when users scan a QR code sent to them via email or SMS message. Once installed, enrollment takes just a few minutes, after which the user is ready for passwordless authentication.
- Whitelabel Mobile App: The 1Kosmos Mobile App is readily brandable! Organizations can display their logo and tailor the appearance to support their brand guidelines.
- Embedded via SDK into Existing App: We provide API / SDK integration to easily add our biometric authentication to existing mobile applications.
- App-less Authentication: Using only a FIDO2-enabled mobile device, our App-less Authentication requires no app download to perform biometric authentication. This is ideal for any organization that prefers a zero-code footprint on end-user devices.
- Lost / Stolen Device Recovery: We support the BIP39 standard for recovery in the event a device gets lost, stolen or damaged. This entails the use of a mnemonic phrase consisting of 12 recovery words that are used to regenerate the private-public key pair.
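
The 12-word recovery phrase described in the last item follows the BIP39 layout: 128 bits of entropy plus a 4-bit checksum, split into twelve 11-bit word indices, with the seed derived by PBKDF2-HMAC-SHA512. The sketch below is an added example, not 1Kosmos code; it works on word indices because the 2048-word list is omitted, and how the product turns the seed into its key pair is not described on this page.

```python
import hashlib
import unicodedata

ENT_BITS = 128                      # a 12-word phrase carries 128 bits of entropy
CS_BITS = ENT_BITS // 32            # plus 4 checksum bits
WORDS = (ENT_BITS + CS_BITS) // 11  # 132 bits / 11 bits per word = 12 words

def _checksum(entropy: bytes) -> int:
    """First CS_BITS bits of SHA-256(entropy)."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CS_BITS)

def entropy_to_indices(entropy: bytes) -> list:
    """Encode 16 bytes of entropy as 12 word indices (0..2047)."""
    if len(entropy) * 8 != ENT_BITS:
        raise ValueError("expected 16 bytes of entropy")
    bits = (int.from_bytes(entropy, "big") << CS_BITS) | _checksum(entropy)
    return [(bits >> (11 * (WORDS - 1 - i))) & 0x7FF for i in range(WORDS)]

def indices_to_entropy(indices: list) -> bytes:
    """Decode 12 word indices, rejecting a phrase whose checksum fails."""
    if len(indices) != WORDS or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("expected 12 indices in 0..2047")
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> CS_BITS).to_bytes(ENT_BITS // 8, "big")
    if bits & ((1 << CS_BITS) - 1) != _checksum(entropy):
        raise ValueError("checksum mismatch: phrase mistyped or corrupted")
    return entropy

def seed_from_mnemonic(sentence: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase."""
    def nfkd(s):
        return unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(sentence), nfkd("mnemonic" + passphrase), 2048)

# Constructed sample: all-zero entropy, whose phrase is the BIP39 test sentence.
ZERO_SENTENCE = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    idx = entropy_to_indices(bytes(16))
    print("word indices:", idx)
    print("seed:", seed_from_mnemonic(ZERO_SENTENCE).hex())
    try:
        indices_to_entropy(idx[:-1] + [idx[-1] ^ 1])  # one mistyped word
    except ValueError as err:
        print("rejected:", err)
```

Because the derivation is deterministic, the phrase is equivalent to the private key and needs the same protection when stored or transcribed. The 4-bit checksum catches most typing errors but is not an integrity or authenticity control.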