None of this works without binding a human to an account. And that CANNOT be done without determining if the person who is holding the credential or access device (phone, card, hardware key, etc.) is determined to be both present at the time and - wait for it - alive. Liveness checks verify first if there is a real human asking for access, and then can make a match determination to make sure it is the legitimate human. Effective biometrics with liveness and matching ACTUALLY exist and have been successfully in operation for many years across the globe. Major note: Digital access is already pervasive and will only continue to gain users on every continent. As the value of access climbs, digital identity needs to be treated as THE critical component of access management, whether physical or virtual. If you cannot have an exceptionally high confidence that the person requesting access is not the legitimate account holder, the rest of what happens in a login process is still wide open to fraud, regardless of the cryptographic defenses in place. The wrong person can easily be operating a phone that will check out as legit. It happens all the time, and is responsible for nearly 85% of all ID problems.
This subject needs to be elevated to the top of the agenda and considered critical to the finance/banking biz, or these problems will not only persist, they will continue to grow - as they have for the past 10-plus years. Just check the latest reports from, for example, the Identity Theft Resource Center (ITRC - https://www.idtheftcenter.org/). The extent of this problem is much more troubling than you might think.
@Hamish Monk, you are welcome to contact me for a cold-shower report on the state of things in digital ID.
01 Oct 2024 21:51
That 18 months should be focused on putting teeth into requirements for performance verifications, particularly claims of liveness detection, the only technology that seems to provide a robust defence. Maybe it's time to mandate tested/certified liveness. If a vendor can't transparently meet this important security threshold, they should be forced back to the drawing board. On their own, most vendors will spend more time spinning their messages than innovating and fixing problems.
15 Aug 2019 01:38
SCA itself is not necessarily complex. But, it is ill-informed. Because of that, slowing down the requirement is a good idea. There are two reasons for its lack of understanding. The first is governments are relying on vendors ("experts") to provide the foundation of understanding about how it works. Now, they may not have many other sources to edify them, but this is fundamentally flawed. Which brings up the second reason for the befuddlement: the vendors themselves. They are largely not equipped to deliver, so promote the way they do things today to fit into a model that requires something far more effective. For example, a two-step requirement is just as dangerous as a single step if either step - itself - is not secure. All it does is increase the attack surface, giving bad actors more choices. The truth is, most systems that claim to support SCA are simply inadequate. And all the various messages the governing bodies hear from their consultants are conflicting, at best, because of it. Far more objective and informed oversight is an absolute must. As is a requirement that all vendors pass performance tests that transparently indicate whether they deliver on their security promises, or not. If these two things don't get fixed during this recess, nothing much will change - except that the reasons for SCA will become much more critical as the bad guys continuously hone their skills.
08 Aug 2019 22:08
Face biometrics are not all the same, and what Jumio uses is not recognition, but authentication. The difference - and it is material - is the app's ability to determine if the person is not only the "correct" user, but is alive at the time of the login request. This prevents bad actors from using non-human fakes, like photos, video, masks, etc. to create and/or log into an account. Liveness detection is THE requirement for this to work, and it is a game-changer.
22 Jul 2019 18:34