Handset leaders add biometrics and NFC, dawning a new era in mobile as a credential
16 March, 2015
category: Biometrics, Corporate, Digital ID, Financial, Government, Library, NFC
Enabling mobile’s many authentication modalities
IdentityX, a Daon company, is looking to take advantage of the biometric scanners and other features of the Apple and Android devices so they can be used as identity tokens, says Conor White, president at IdentityX. “Our view is that none of the technologies are perfect or better than the other. They each work in different situations, but the best route is to marry them all into one platform and enable the consumer to choose,” he says.
The IdentityX platform enables authentication of the phone, a user’s face, a PIN and voice, White explains. A site that accepts IdentityX credentials can ping back to the consumer’s handset, authenticate the device and then ask them to read a random four-digit PIN while looking into a camera for facial recognition. “It validates the phone, the PIN, the face and the voice,” he says. Work is underway to integrate Apple’s Touch ID and Samsung’s fingerprint scanner into the platform.
Services would enable the consumer to choose which authentication modality they wanted and also have a risk-based analysis on the back end, White says. So if an individual is trying to access a service from an IP address that’s atypical, it might ask for more authentication factors than if the individual logs on from their normal machine.
The IdentityX app is stored in secure software on the handset and can work on iOS or Android. After the app is downloaded, users scan a QR code from their computer monitor and then enroll the various biometrics.
Already, banks are using the solution to enable employee access to secure networks and the American Association of Airport Executives and certain AARP members are also using it as part of a pilot for the National Strategy for Trusted Identities in Cyberspace, White explains.
When discussing IdentityX with financial institutions, White says they talk about enabling consumers to choose how they want to authenticate rather than mandating one method. “Banks want a higher level of security but a natural way to authenticate,” he explains. “They don’t want to tell consumers to do it a certain way for concern that they’ll switch banks.”
Verizon Enterprise Solutions has also rolled out a mobile authentication solution that uses the handset as a token, says Tracy Hulver, chief identity strategist for the company. He stresses that mobile ID must be consumer focused.
Using a second factor of authentication – be it a physical token or an app on a smart phone – adds a certain level of complexity to the log on process. Two-factor authentication can stop username and password breaches, but voluntary adoption is in the single digits because users aren’t willing to do anything extra to gain access to their data, Hulver says. “It has to be easier than user name and password, certainly not harder,” he says.
Verizon uses QR codes to make access easy. The user downloads the app on to their smart device, and when they visit a service on a laptop or compute, a QR code appears along with the typical username and password boxes. Instead of typing, the user opens the app on the handset, scans the code and is logged on to the site.
Depending on different variables – cookies, IP address, transaction type – the system might prompt for additional authentication. “Relying parties can determine how secure they want it to be,” Hulver says.
Verizon plans to add levels of assurance behind the identities by vetting user identities, Hulver says. Eventually the plan is to enroll everyone buying a Verizon phone into the Universal Identity System when they are at the store. Then consumers would be able to use that vetted identity with stronger assurance at sites that have deployed Universal Identity Systems.
For those without Verizon, relying parties that choose to use the system could use knowledge-based authentication to get some level of assurance about users. After being vetted by one relying party, that identity could be used at other sites that use Verizon’s system, Hulver explains.
Select enterprise clients are already using the system, and Verizon expects it to roll out in the business-to-consumer market early in 2015.
Securing the mobile future
Handset manufacturers and solution providers are doing their best to bring law and order the wild west of BYOD and BYOID. The number of options to use the mobile as an identity credential is growing with biometrics, NFC and Bluetooth just the tip of the iceberg. As these technologies become ubiquitous, authentication will become invisible to the end user enabling quick, easy and secure access.