The Business Challenge
The Second Payment Services Directive (PSD2) establishes a follow-on requirement for strong customer authentication (SCA) of eCommerce transactions.
Similarly the movement toward Open Banking creates a need for strong, multi-factor authentication of payments.
Both PSD2 and Open Banking need to balance convenience and security — both areas of focus for the Fast Identity Online (FIDO) Alliance.
The latest FIDO2 standard supports a convenient, friction-free approach to SCA while enabling interoperability across devices, merchants, and marketplaces. The use of biometrics as an “inherence” factor offers improved security over OTP / SMS as a “knowledge” factor. This avoids the vulnerabilities related to SIM swapping, which has already resulted in some banks and financial institutions banning their use. Biometrics also deliver a more convenient, touchless user experience and minimizes threats from phishing attacks that can lead to account compromise.
1Kosmos BlockID Customer offers banks, financial institutions, payment service providers and others a FIDO2 and NIST 800-63-3 certified platform. Our solution automatically delivers identity assurance level 2 (IAL2) identity proofing and authentication assurance level 2 (AAL2) user authentication. Our LiveID facial biometric defeats facial spoofing.
Combined, these capabilities deliver the highest level of security and interoperability available in a passwordless authentication solution that is both easy to implement and easy for users to adopt across multiple authentication channels. Most customers are up and running in days.
The BlockID Advantage
FIDO2 and NIST 800-63-3 certifications provide the highest level of digital biometric identity and authentication assurance with superior interoperability
In an approach truly suited to the times, we use the Trusted Platform Module / Secure Enclave of a device (what you have) and a live biometric (what you are) to perform next generation multi-factor authentication. In terminology familiar for Strong Customer Authentication, the device becomes the “possession element” and the biometric the “inherence element”.
The off line equivalent would be presenting yourself and a credential such as a driver’s license for identification. For the online word, the device simply stands in as the license, and the biometric as you.
Because our platform is FIDO2 and NIST 800-63-3 certified, it provides certified identity assurance level 2 (IAL2) and certified authentication assurance level 2 (AAL2) and offers a high degree of interoperability via API / SDK.
Our solutions integrate easily with just about any operating system or web application, enabling organizations to go passwordless with flexible levels of identity assurance and eliminate the need for 3rd party 2FA, one-time codes, and other external authentication systems / devices.
LiveID biometric matching defies spoofing and verifies the individual not just device-level access
To overcome facial spoofing through the use of a photo, video, mask, or a different substitute for the actual face of a legitimate person, we’ve developed “LiveID”, which is essentially a short selfie video. This is matched to the image on a scanned credential … the photo on a driver’s license or a passport, for example … to verify a likeness.
LiveID is a real biometric, not just the phone’s interpretation of someone’s face or finger. This means that any time LiveID is used, it is compared to the biometric captured during the enrollment process.
We call this a liveness test and it is performed to verify if the biometric traits of an individual are from a living person rather than an artificial or lifeless person.
After enrollment, a liveness test is performed each time a user needs access to online services. When the live test doesn’t match the test performed during the enrollment process, the authentication fails. The liveness is also used to verify compromised TouchID and FaceID forms of device biometrics.
One solution supports multiple authentication channels and methods
We provide multiple ways for users to authenticate:
- The 1Kosmos Mobile App: Our mobile app is available on Apple Store and Google Play and is typically downloaded when users scan a QR code sent to them via email or SMS message. Once installed, enrollment takes just a few minutes for the user to be ready for passwordless authentication.
- Whitelabel Mobile App: The 1Kosmos Mobile App is readily brandable! Organizations can display their logo and tailor the appearance to support their brand guidelines.
- Embedded via SDK into Existing App: We provide API / SDK integration to easily add our biometric authentication to existing mobile applications.
- App-less Authentication: Using only a FIDO2 enabled mobile device, our App-less Authentication requires no app download to perform biometric authentication. This is ideal for any organization that prefers a zero-code footprint on end-user devices.
Easy self service enrollment and verification quickly onboards customers with minimal overhead and errors
Customer enrollment starts by downloading a mobile application from Apple Store or Google Play. Our mobile app can be white labelled or embedded via API / SDK into an existing app. They enroll their biometrics and scan credentials. This process takes less than a minute to complete and does not require Customer Support services.
Identity verification is optional. When performed, the user scans their identity documents (e.g, Drivers License), we’ll read the front of the document and the “PDF417” barcode on the back, performing real-time ID card detection and classification. For passports we’ll read the “MRZ” data, perform UV, white light and ink-depth checks, and scan the embedded RFID chip.
Within minutes, we verify the validity of those credentials and the information they contain to W3C VC standards using artificial intelligence (AI) and leading third-party verification services, if necessary.
Our mobile app has built in zero-trust checks to verify the patch level, device security, jailbroken status, etc, to ensure device integrity, particularly in bring-your-own-device environments.
The result is a NIST 800-63-3 certified Identity assurance level 2 (IAL2) — and a FIDO2 certified biometric authentication credential. All of this takes a few minutes, but the benefits are substantial. Their information is stored safely to W3C DID standards, accessible only by them, sharable only with their permission.