Security by Combination

Multimodal Biometric Detection

Authentication via username and password is vulnerable. If digital transformation is to be successful, new and, above all, secure methods are needed to protect the digital identity. The solution? Combine different authentication methods.

The more areas of life that get touched by digital transformation, the more often the physical ego gets replaced by a digital identity. In the past, it was necessary to go to the bank for a money transfer. Today, this is easily achieved by online banking – independent of location and time. Despite rapid advancements in technology, security remains a challenge and seems to be constantly playing catch up.

 

The conventional combination of username and password is vulnerable: Simple passwords with a long life increases the likelihood of having already been spied out. Complex passwords that often need to be changed overtax the user. According to a study by the Ponemon Institute, presently, every third user asks for a forgotten password once a month.

 

If the digital transformation – and with it, the Internet of Things (IoT) – is to become a success, we need new methods that protect the digital identity while maintaining its usability.

 

Qualities of the virtual butler

How do you design a system that ideally combines the aspects of security with user friendliness? To replace one kind of authentication, such as username and password, with another is not the answer. Neither iris or vein scan, nor voice recognition, nor any other method alone will solve the problem. Rather, a sophisticated system has to verify the identity of the user. This system is the basis for a combination of different authentication methods.

 

To do this, specialized partners need to work together to combine best-of-breed authentication components to form a reliable assistant. The assistant knows the person, its preferences and habits and those of its employer. This digital butler, as offered, for example, by the partner ecosystem of NEVIS, needs to have a number of characteristics:

  • Ability to learn: At the beginning of its service, the butler needs to get to know the user in all relevant dimensions. The user's personal and contact data, equipment, services and service platforms he or she uses, but also the necessary biometric data such as physiognomy and typing pattern, voice, vein or iris pattern. Furthermore, the system cannot freeze on the level it once learned. The digital butler needs to update its recognition pattern regularly.
  • Adaptability and intelligence: Not every occasion requires the same degree of security. The digital butler should choose the "level of assurance", i.e., the required level of authentication, accordingly. The butler should be equally adaptive in case of deviations from the stored authentication patterns. If the voice recognition fails because of a cold, this is no reason for an alarm. But if someone tries to log on with an unknown terminal at an unusual time at a distant place, the failure of the voice recognition is a very good reason to ask for further evidence of identity.
  • Vigilance and fast reaction: The more features differ from the known patterns during an attempted authentication, the more suspicious the digital butler becomes, and the more stringent the criteria it should apply. If the "risk score" reaches a certain level, the system should check immediately whether a fraud attempt is behind the observed irregularity and prevent access, given the case.
  • Convenient use: Cumbersome safety measures induce the user to avoid them. Many biometric methods such as facial recognition or analysis of typing behavior require very little active human involvement and are therefore suitable for everyday authentication.
  • Reliable data protection and transparency: Because the digital identity is so important, the user must know whether and when it is applied and to what purpose. Similarly, the data used for authentication must be secure and its access must be clearly regulated and transparent.

This combination of context-based, multimodal authentication, the intelligent detection of deviations and the reaction to it is offered by platforms such as the NEVIS Security Suite by the Swiss software company AdNovum. In Switzerland NEVIS already protects 80 percent of all online banking transactions. The security suite combines best-of-breed expertise by technology partners such as BioID or BehavioSec. The partners are specialists in their respective biometric disciplines:

 

The facial recognition solution by the company BioID uses the smartphone's camera to secure banking transactions. This extra effort for the user is barely higher than entering a TAN, and it renders the user clearly identifiable in a very natural way. The patented life detection additionally protects against manipulations with photos or videos. It is important that not a complete picture of the user is stored for his or her authentication, but rather a "template". This is an adjusted and reduced data representation of biometric features. This operation is not reversible. You cannot calculate an image of the person from the template.

 

Combined facial and voice recognition.
Zoom
Combined facial and voice recognition.

Behavior renders a person clearly identifiable, and can be used as an additional security level. Depending on which device is used, the technology of BehavioSec records and analyzes the dynamics of keyboard input, mouse movements, touch gestures, or the way a smartphone is held. These behaviors are unique to the user. Without additional effort, the solution is transparent to the user and significantly increases security: Username and password do not just work as usual as a simple protection mechanism. The manner how the authorized owner enters them ensures its identity.

 

Analysis of the typing behavior based on values such as stroke pressure and speed.
Zoom
Analysis of the typing behavior based on values such as stroke pressure and speed.

The digital butler as companion and guarantor of our digital identity is set to play a major role. It relies - unlike conventional systems with rigid mechanisms - on authentication with intelligent, context-informed methods.