That 18 months should be focused on putting teeth into requirements for performance verifications, particularly claims of liveness detection, the only technology that seems to provide a robust defence. Maybe it's time to mandate tested/certified liveness. If a vendor can't transparently meet this important security threshold, they should be forced back to the drawing board. On their own, most vendors will spend more time spinning their messages than innovating and fixing problems.
15 Aug 2019 01:38
SCA itself is not necessarily complex. But, it is ill-informed. Because of that, slowing down the requirement is a good idea. There are two reasons for its lack of understanding. The first is governments are relying on vendors ("experts") to provide the foundation of understanding about how it works. Now, they may not have many other sources to edify them, but this is fundamentally flawed. Which brings up the second reason for the befuddlement: the vendors themselves. They are largely not equipped to deliver, so promote the way they do things today to fit into a model that requires something far more effective. For example, a two-step requirement is just as dangerous as a single step if either step - itself - is not secure. All it does is increase the attack surface, giving bad actors more choices. The truth is, most systems that claim to support SCA are simply inadequate. And all the various messages the governing bodies hear from their consultants are conflicting, at best, because of it. Far more objective and informed oversight is an absolute must. As is a requirement that all vendors pass performance tests that transparently indicate whether they deliver on their security promises, or not. If these two things don't get fixed during this recess, nothing much will change - except that the reasons for SCA will become much more critical as the bad guys continuously hone their skills.
08 Aug 2019 22:08
Face biometrics are not all the same, and what Jumio uses is not recognition, but authentication. The difference - and it is material - is the app's ability to determine if the person is not only the "correct" user, but is alive at the time of the login request. This prevents bad actors from using non-human fakes, like photos, video, masks, etc. to create and/or log into an account. Liveness detection is THE requirement for this to work, and it is a game-changer.
22 Jul 2019 18:34