Welcome to our KuppingerCole Analysts webinar, Identity Assurance Using Biometrics. This webinar is supported by iProov and the speakers today are Joe Palmer, who is Chief Product and Innovation Officer at iProov, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts. As common for our webinars, we'll start with a very quick housekeeping and a first poll, have a look at the agenda, and then directly dive into the subject of today's webinar.
So, for housekeeping, you are muted centrally, so we are controlling these features, nothing to do from your end. We will run two polls during the webinar, and if time allows, we will discuss the results during Q&A. We have a Q&A session during the end of the webinar, and you can use the features of the tool we are using, so in the right-hand side of the app or website, you'll find the Q&A session. Last but not least, we are recording the webinar, and we will make the recording and the presentation available for download in the coming days.
So, before we start, let's quickly start with a first poll here, and that poll is about, does your organization offer sort of modern authentication, let's call it broadly, so passwordless multi-factor authentication, risk-based authentication to your consumers? So, do you have something in place already for your consumers where you say, okay, our target is to offer them a modern, ideally also convenient way of authentication that is, on the other hand, very secure? Yes or no? Looking forward to your responses.
We leave that all open for some 30 seconds or so, and as usual, the more participate in the poll, the more relevant and interesting the results will be. Okay, I think we then can close the poll, and look at the agenda.
So, the agenda for today's webinar, as for most of our webinars, is split into three parts. The first part, I will talk about drivers for identity verification and proofing, and what is around that, because I think this is really something which is very important to understand nowadays, and then Joe will talk about the role of biometrics and liveness detection, and go in more detail into practical examples before we then do our Q&A. I will take a bit less than 20 minutes, and then Joe has another presentation, and then, as I said, we run the Q&A.
So, verification is something which always has been important, but in an age where we work primarily online, even in business, we rarely have touch points. Sometimes with the organization, a lot of us come to the office only every now and then. There might be even people in the organization that never have been physically in an office of the organization.
So, verification is a very important thing, because identities, and that's the other side of it, they are the forefront of cyber security. When you look at all the readings you will find around cyber attacks, then it becomes apparent, or it becomes very obvious that most of the attacks are in some way related to identities by phishing for credentials, etc.
So, identities are a starting point, and also account takeover, or what is very common these days, business email compromise, where someone tries to appear as someone else, all these things have an identity. So, we need verified identities. They are essential to cyber security and fraud detection, and fraud detection commonly builds on identity proofing and behavioral analysis, and there are a couple of technologies around that, partially overlapping.
So, there's the identity proofing stuff that is really about saying, could this be Martin, maybe comparing with the eID card, via video, etc. So, video identity stuff, etc. Also includes things like, is Martin alive?
So, liveness detection, which is relatively easy to do in video identity, which becomes way more complex in recurring access and other methods. The behavior, is this the normal behavior of Martin or is it different? Including biometrics, which can be more active, looking at biometrics, passive biometrics. Also understanding, surely, is there something impersonating Martin? Is there a bot, which is not really a person, but which tries to act as a person? Understanding the why's, and also understanding how valid credentials are.
So, are these, so to speak, good enough, trustworthy enough credentials? We need to act on that front, because as of that, at the end, attacks build on, or attack, target identities and the credentials, they try to come in that way. And this is where we need to start our protection. And I think it also can be looked at from a different perspective.
So, when we look at how an access runs, it starts with me, the identity, using a device, then going over a network, being authenticated, being authorized. But at the very beginning, it is me authenticating, me being the one who comes in.
So, that also needs to be done fast. Specifically, when we look at consumer use cases, but also for employees, people don't want to wait.
So, we need to do this at speed. We need to do this at speed, specifically when we look at the digital business, to succeed in the digital business. It must just hinder us in onboarding users and recurring authentication, because that is where acceptance goes down. And maybe right now, look a bit at the more the consumer side of use cases. When things become inconvenient, I think every one of us has a tendency to drop off during onboarding.
I have to admit, I regularly, when, for instance, trying to purchase some goods online, I regularly stop and go to somewhere else when onboarding becomes cumbersome. Or when I have been there, and there's a general rate of recurring users, and the thing only offers username and password, it asks me again for the password. I don't have it in hand. I need to reset it.
The mail, which should be sent to me, doesn't arrive on time. The things get lost again, maybe sometimes even.
So, I've put some goods into the shopping cart. And worst case experience, the shopping cart is empty until I manage to reset my password. And that is where I won't come back. It's the churn rates. But it's also about process optimization.
So, every minute your employees are waiting costs you time. And if they have to wait a couple of times for small, even very small periods, it counts up, it sums up. And the overall user acceptance goes down. And I think many of you may have experienced this stuff. When things go wrong with authentication, this is where people immediately react.
So, this is what they feel, what they experience, and what makes the phone or the help desk ring. And depending on what doesn't work and who is trying to authenticate, it may make the phone of the CIO ring. And I think we can put this into a bit of a bigger context.
So, in the digital age, it's really organizations rely on the digital services. The business is built on that. Digital services are baked to everything. They are the business. They are the way we deliver to customers.
So, we need this smooth journey. And this is very much about identity and security.
And this, again, goes into onboarding and recurring authentication. And here's where convenience and security come together. It must be both. Because otherwise, the digital service is at risk. And we can't put it at risk because this is the core of our modern business.
So, we need to get a grip on that. And a very important element in that is really that we apply advanced biometrics, which also includes liveness detection, to ensure that it's really someone who is sitting in front of the system, etc. All these things come together to make this work.
So, because the digital services make us differentiate, we need to deliver them in a reliable way. We need to be able to update them. But we need, and this is on the right-hand side, we need security or attack resilience and a smooth customer journey. Only then we will deliver the digital experience that makes our business succeed.
This is, at the end, part of a competitive differentiation, but maybe more to the bad. So, if everyone is perfect, fine. But the ones who are not good yet, they struggle.
So, it, in a negative sense, differentiates them from their peers. All this must also be accurate. We all have heard about false positive rates, and we need to minimize false positives because they are the negative thing, the lower user experience. We also need to minimize false negatives. And this is a very difficult, very tricky balance.
So, to ensure that everyone who's bad is left out, but all who are good, so to speak, can pass. We will never be perfect on that, but we need to come close to perfection. Only then we have an efficient risk reduction. Only then we have the user acceptance. And we then reduce fraud at a good performance. And I think also every one of us is aware of these scenarios where you ask something in addition. That is fine, that is fair, but it's adequate.
When you do the third credit card transaction with the same device within 20 minutes, and you're asked three times, the question is going over the top or being the right measure. So, we need to do it very good, and at least, as I've said, we need to be good in the balance between false positive, false negative. And that applies to everyone. I think this is also very important to understand. It's every industry.
So, when we look at the market, then the banks, the finance industry, they have been the ones who started first. But digital business is ubiquitous. We need it everywhere, in retail, in gaming. Gaming is a huge industry, in insurance, for telcos, for healthcare, travel and hospitality, government, to citizen, everywhere. We need to do it in an efficient manner. And we also need to understand that every industry is a target of fraud. It's not just the payment industry anymore. Government, healthcare, retail, they are targets of fraud.
We need to protect our digital services with adequate measures, and that starts with the identity. And we must not underestimate the risk, and this is one of these typical risk metrics. The point I really want to look at is, yes, there's the fraud in the high volume financial transactions, and there might be a few incidents sometimes that are really targeted at this huge fraud scenarios. But we also have these small things, and if you have many, many small ones, retail, potentially lower impact, but high frequency.
So, at the end, you're still at the right hand side in the right area. It's relevant for every business, and we must deploy these technologies across all businesses nowadays, not just in the areas where we have it anyway for a while, like in the finance industry. And we need to do it in a way that is about zero friction. It must be seamless.
At least, it must be so that the user feels that the benefit for the users, for him or her, is higher than the impact. This is about acceptance, and the seamless thing is, I think, something which is very important. And one thing I'd like to highlight here, and we can do a lot of things in modern authentication behavior analyzers that are really convenient and secure. And one of the sentences I feel is fundamentally wrong is, we need to balance convenience and security.
No, you don't need to balance it. You need to combine it, because balancing means security goes up and convenience goes down, or convenience goes up and security goes down. Neither of that is good. It's good if we can manage to have both at a high level. This is what we need to do in our thinking.
So, the sentence, balancing convenience and security, is just wrong. It's about the combination of both. And we have technology that helps you in doing so today. And all this must be reliable. That means we need to factor in many indicators about the device, about the user behavior, about biometrics, things like liveness detection, like how the people are using their devices, what they are doing, which types of transactions they are doing, et cetera. And then we need to come up with the risk factor to make our decision. And this must be something we do permanently, always, so to speak.
Authentication must work always. It must work seamless. It must not disrupt business processes. There must not be bypasses to weaker methods.
So, we need to bake this into everything we are doing. And I think this is going a bit in a more inside topic, but I want to bring up the survey results we had a while ago, we did earlier this year.
So, data gathered by KuppingerCole Analysts. And I think when we look at this, then it becomes very clear that the type of how do we access, how do we, or the area where people think it's most relevant to look at, where we deal with identities is consumer identities. This is really where people expect we have a better experience, good to use, secure identities, but it's also that workforce and partner are becoming more important.
And what I predict is that we will see a very significant uptake of the entire identity verification space when we do more in this decentralized identity world, where we see eIDAS regulation, where we see the EUID wallet and all the other things emerging. So, we need to be aware this is a topic which will become even more relevant. We must be ready for that.
So, before I hand over to Joe, a quick second poll. And this is really more about the entire area of behavioral biometrics.
So, what is your number one concern regarding the use of behavioral biometrics? So, is it the fear of performance downgrade and authentication making everything slower? Are the workers' council, I'm from Germany, so I'm familiar with workers' councils. Is it this false positive versus false negatives? Or do you say, I don't care. I'm used to it. I do it every day.
So, I give you 30 seconds. Looking forward to your responses. Thank you. And then with that, I hand over to Joe Palmer, who right now will talk about the role of biometrics and liveness detection.
Right. So, I'm going to talk to you about the spectrum of identity assurance, which is how we see and measure the world from our perspective. So, let's just look at the challenges and drivers when it comes to identity verification and authentication. Organizations today are going through digital transformation programs.
So, identity, as Martin said, is a key aspect that should be considered very much as part of this. And it gives you an opportunity to be first, to beat your competitors when you come to producing a digital solution. Users are demanding it. Ever since the pandemic, there's been an explosion in online services that replicate the versions that were in the physical world.
And so, responding to this demand is a key requirement. And there are government digital identity initiatives as well.
So, the EU wallet that's being developed for the nation states in Europe is a good example. The mobile driving license in the US. The governments are driving a lot of these being that they are the custodians of our identity in the US. But of course, this brings challenges. How do we create a mechanism of trust? How do I know that this digital identity can be trusted? And how much can it be trusted? We have to drive adoption. This needs to benefit the user and be easy to set up.
Otherwise, it won't take off and it will be abandoned. The user experience has to be good. It has to be easier than the alternative and effortless.
So, it is adopted by the users. And of course, it needs to drive operational efficiency. We can't have digital solutions producing harder to manage back-end office activities, for example. And of course, there are multiple levels of security. Not all processes are equal.
And so, how do we assess the level of assurance that is appropriate for each transaction? So, let's look at the factors. These are the three types of factors that we know and love today as we authenticate. This is when you think of two-factor or multi-factor authentication. These are two independent factors. Strong customer authentication, for example, requires two independent factors. The knowledge factor, something you know, which is a password or a PIN. But of course, if you know it, someone else could know it, or you could forget it.
So, it's not ideal. And it's actually the biggest cause of breaches when it comes to security. The possession factor, something you have, this is better.
Ideally, only you have it, but of course, someone else could have it. It could break, it could run out of batteries.
So, improvement, but still not assuring that it is actually you, the owner of that account, that's logging in. So, inherence is the best factor when it comes to making sure that the account owner is the person actually accessing the digital identity. And therefore, the importance comes down to being sure that the biometric authentication mechanism is secure, it's usable, it's resilient. And that's the focus of assessing that particular factor.
So, when you're assessing identity factors, there's kind of three preset factors you should consider. The activity, what is that user trying to do? The level of security that should be associated with that activity. And the usability, it needs to be easy, but how hard, what kind of processes can you be expected to require the users to do? And then within that, there's variables.
So, what is the threat landscape? Some companies are more targets of attackers than others. Threats change over time. The transaction itself, is this a low risk or a high risk transaction? You can measure that as well as a variable. And the value of what you access by completing that transaction successfully, whether that be monetary value or access to data or services that have an intrinsic value as well.
So, these are things to be considered. If we lay these out on a spectrum, we can look at from a low risk to high risk, for example.
So, from an activity in a context perspective, in a financial services example, viewing a bank balance, this is something probably all do very often. It's a low risk activity. It's not much that can be done with that, if an attacker is able to view your balance. But if you start transferring money, then the risk does increase. If you transfer it to someone you know, then it's not as high risk as it could be. But if you start transferring money to someone you've never transferred to before, then that is obviously much higher risk because you're unlikely to have transferred to a fraudster before.
And then creating a new account from scratch where there's no context, there's no past history of that user, or you might be applying for a loan. This is the highest risk of all. And these typically also scale with the number of transactions.
So, we probably view our bank balance multiple times a week, but we probably don't apply for loans or mortgages nearly so often. And so, from a security and resilience perspective, the factors can also be measured on a spectrum.
So, a password, it's low security ultimately. Once someone has that password, it will always work until you change it.
So, it is the lowest risk because there's no randomness. It's the same every time. And therefore, once it's stolen, it is stolen. Compared to a one-time passcode.
So, this is better. It means that if a one-time passcode is stolen, it can't be used again.
So, once it's used, it's useless. But of course, there's an additional piece of technology that needs to be used, which could also be stolen or replicated.
So, better, but we can do even better. So, biometrics, again, comes back to linking that actual account owner, that you are verifying that you are the user that you're claiming to be. And this comes down to liveness. How can we be sure that it is a real user? But of course, a real user can also be replayed. A bit like the password, if you can steal a user authenticating and it's the same action every time, for example, for liveness, and you can replay that, then you will pass because it is a real user performing the action as required.
So, the highest level of security and resilience is to create that one-time element, a bit like a one-time passcode, create a one-time biometric by ensuring that the data submitted for biometric authentication is different every time. So, making it incredibly hard to synthesize or create on the fly. But you should also consider usability. And actually, this goes along the same spectrum.
So, the most secure passwords are the most unusable. They're so complex, you can't remember.
So, you have to now write them down, which then does that become a possession factor. You have to store them somewhere, and that creates a vulnerability. The passcode, one-time passcodes are better, because you're given the passcode. It's different every time, but you still have to do something. You have to have a second device. You have to have a mechanism to provide that passcode.
So, biometric is more usable still, because it can, it is just you. You can't forget yourself.
So, yeah, it's very convenient. But typically, today, liveness tests require you to do something, perform an action to try and prove you're a 3D human, not a 2D photo or screen or something.
So, the one-time biometric, if the challenge response mechanism to make it unique, if that is passive, then that is the highest usability you can get. The user just has to hold still for a few seconds to authenticate. And the illumination can also provide additional information for assessing the 3Dness of the face as well.
So, if we summarize that as an overview, passwords are the lowest security and lowest usability mechanism. It's still ingrained in society, but we are making progress moving away from them. One-time passcodes are better, but they do still have an impact on usability. Biometrics are the most convenient, but some systems require you to perform actions.
So, therefore, passive one-time biometric offers the highest level of security and the highest level of usability. So, it's appropriate for the highest risk environments.
So, coming back to Martin's point, you don't have to compromise with security and usability. You can actually have them both where appropriate.
So, this all comes down then to assessing the performance of biometric systems. And this is where you can focus your efforts once including biometrics are a good answer to your authentication needs.
So, there are effectively three considerations. There's the face matching. This is protecting against impersonation attacks.
So, is it the right person or is it someone I found that looks enough like me to pass the face matcher? And ultimately, this is a solved problem in today's world. Face matching has become so good, it's been shown to have no measurable or significant biases across ranges of demographics.
So, it is fundamentally way better than humans. So, there's a big tick in that box.
So, now, how can we be sure that the face being presented is real? It's not a copy. Your biometrics, especially your face biometrics, they're not secret. You can find most people on LinkedIn and Facebook and so on.
So, how do I know it's a real person? And liveness is typically what's referred to as presentation attack detection. How do I make sure that it's not a photo being held up or screen or a mask? And trying to determine the 3D-ness of the face is typically how this is done, which usually requires the user to move or perform some action or show some variation in themselves that wouldn't happen if you're a static 3D or fixed object.
But if you have stolen a user authenticating, a video of them authenticating in the past, and you can replay that through injection attacks or man-in-the-middle attacks, some sort of cybersecurity technique, then it will pass because it is a real user. They were authenticating, it is the right person, but they're not there right now. It's a copy of them from yesterday or last week or last year.
So, the key is how can we be sure that they're authenticating in real time? And this is the concept of the one-time biometric, making sure that each authentication is unique, but critically not adding additional burden to the user in this process.
So, let's look at some use cases. A low-risk use case should be simple, fast, quick. Potentially, a single factor is sufficient versus a high-risk use case where you need a second factor. Possession is a good second factor, or it's a good factor to use because when you're authenticating, you're using a device, and a device can be a good factor to use.
So, mobile smartphones today have secure enclaves or trusted execution environments, so you can be sure it's the same device as it was. Knowledge factors, as we've discussed, is not great.
So, inherence with strong liveness is a great combination with the possession factor to authenticate a user in a high-risk use case. So, some examples. In the workforce, if you're an employee and you're booking a desk or a room in a new hybrid world, then your company single sign-on mechanism is perfectly sufficient. It's a low-risk activity. But if you're logging on to a production server or accessing the finance system or HR system or something, it's really important that you be sure that only the people that are allowed to do that can actually access that system.
So, this is where introducing inherence as a factor makes a lot of sense. In a consumer use case, the banking use case, again, your balance, relatively low risk, not too much concern using a single factor. We will probably open our banking app to see our balance. We may use a local biometric, like a face ID or fingerprint or something, but it's still just a single factor. It's the device you're authenticating to, and that device is the possession factor.
So, not to be confusing, not to confuse biometrics on device as an independent second factor is not inherence. It doesn't identify you as you. It's just a convenience factor for replacing the PIN, for example. But if you're transferring funds, maybe a large amount, you're setting up an EPA, you're changing details, which can be used to recover your account, like your phone number or your email address.
Now, we need to be really sure that it is you. So, stepping up to include inherence as a factor makes a lot of sense.
So, identity assurance, there's multiple spectrums that need to be considered, and the activity, what users are going to do, the context in which they're doing it, and the security needed for that activity in that context. These are all measurable considerations, which should be taken into account. But you shouldn't be compromising usability. You shouldn't think, how much usability can I compromise to achieve these goals? And similarly, the threat landscape, this adds another dimension, because the threat is not static.
Particularly in biometrics, the advancements of deep fakes and AI, the threat to biometric systems is evolving rapidly. So, the key is resilience and how to be able to evolve the security as the threat changes.
So, activities that were low risk before the pandemic may not be low risk anymore, for example. Things change beyond that control, and being able to adapt to those evolving threat landscapes is key.
So, thank you. I hope you found that interesting. I'll pass back to Martin, and we can have a look at the poll results and have some Q&A.
Okay, great. So, we are right now up to Q&A, and we already have a couple of questions here. I'll move a bit further over here.
So, I think one you answered to a certain extent, and that is, can technologies like Apple's Face ID deliver the highest level of assurance to users?
So, it definitely helps, but the key thing to remember is it doesn't actually identify you.
So, firstly, with Face ID, you can actually enroll two faces, and they don't have to be the same face. So, that highlights, again, how it could be one or two people when you're trying to identify only one. And secondly, if you know the pin to the device, you can reset your Face ID.
So, it's easy to think it's a biometric, it is a biometric authentication method. It does have good liveness, but it doesn't actually identify you. It doesn't provide any assurance that you are who you claim to be.
So, that's it. That's important to remember. The other consideration is, again, not all biometric, on-device biometric solutions are equal.
So, quite recently, I think, there was an assessment on a range of Android face, on-device face verification systems, and they were found to be vulnerable, some of them quite considerably vulnerable to spoofing. So, if you are saying, I accept a local biometric as an authentication, as a step up, it's very difficult to measure the level of assurance you're getting with the biometrics. Do you say only Apple Face ID? Do you say all Android? Because all Android are not equal.
So, it is good to have as an extra step, because it does protect against some aspects of attacking, being able to access the devices, a first good first step, but it shouldn't be relied upon to give you high assurance that it is the person who they claim to be.
Okay. So, at the end of the day, I think everything around authentication, we need to understand the sort of the real assurance level we can get from a technology. We must map this to our use cases.
So, which level of assurance do we need for which use case? I think the other side of the coin is, it's definitely better than username password. That's the other side of it. And I think also what we must understand, I think this is something which is frequently not understood that at least the sort of the higher end range of smartphones, or at least the mid-range up there, they always come with secure elements.
So, a lot of sensitive cryptographic information is stored on hardware in a very secure manner, which I think adds to that equation. But I think you're right. I can ask someone else to, I still have an iPhone SE, so I could ask someone to put his finger or her finger on my fingerprint reader and add these fingers to it as well, which is, by the way, not a bad idea for the devices I use in common with my wife. I need to keep this in mind. Maybe I do this this evening. Thanks for the hint. Okay.
So, how do we know that what biometrics threats are out there? What do you base this on?
So, if we exclude face matching, there are kind of two categories of attacks. There's the presentation attack and there's the digital injection attack.
So, a presentation attack is where you're, literally you're presenting something to the camera. So, whether that's a photo, a mask, a screen, something like that. You ultimately, you trust the imagery that is being supplied and you're looking for traits, clues, evidence that this user is genuine or that it's an attack.
So, there's a lot of work that has been done on trying to determine how good systems are from a presentation attack detection, parent detection, presentation detection perspective, but it's not a very scalable attack. Creating really high quality 3D masks that can spoof a system is a slow and costly process and so is not really the threat we see anymore. Many years ago, presentation attacks were the most common type of attack that we saw and is no longer the case.
Digital attacks, where you inject video into the system, you bypass the camera in some way, there's lots of mechanisms to do this, but you trick the system into taking a video feed that you have prepared or that you're creating on the fly and there are some techniques that you can use to try and detect this type of injection, which we do and others do, but it's ultimately futile because it's a bit like, you know, the jailbreaking and the rooting.
You try and detect whether something's being rooted and something bypasses that and it's a cat and mouse game and ultimately someone with enough knowledge and enough determination will be able to find a way to bypass injection detection.
So, you have to spend more about 3D targeted attacks and not the sort of the mask type of attacks you're talking here.
Yes, exactly. So, a mask is targeting a particular victim. The presentation has to embody the biometric identity of the victim and that's what makes it time consuming and costly and then you have to have someone holding it up, whereas an injection attack, it may take a long time to build in the first place, but once you've got something working, you can now scale that attack as fast as you can run servers, basically.
So, it becomes a digital attack in its entirety and you can take victims' faces, LinkedIn or Facebook, you can create deep fakes and generative AI representations of them that perform movements and so on and then you can stream these into systems that think they're getting a real camera feed and the number of those types of attacks we've seen, face swaps, either someone really there that's got someone else's face overlaid or pre-generated or real-time generated deep fakes, these are the biggest threat now that we see.
Okay, we've got a couple of more questions here and we've also got some votes for the questions, so questions that people want an answer on. So, I think this is a bit of a tricky one, but anyway, I think we're going to give it a try. How would you categorize one-time biometric verification to the NIST 800-63-3 standards as an assurance authentication level in terms of confidence?
That is a good question and the reason it's a hard question is because the NIST 800-63-3 levels don't provide enough granularity to represent the threat and the mitigation to threats that exist today and so, you know, level of assurance one is effectively self-assertive, there's not really a huge amount of value in that. Level of assurance two requires more verification and more robust validation of that data and can be done online, so that's good, but level of assurance three requires an in-person check which obviously can't be done online.
So, we're looking at online identity verification, level one isn't good enough, level three is unachievable, so you only really have one level, level two, and level two doesn't have that granularity within it. But NIST are working on the fourth revision of this, it's in consultation, there's a draft out and many people including ourselves are contributing to it, so we hope to strengthen the definitions because again the concept of liveness was not really in the mind's eye of the authors back when the current published version was actually created, but very much is now, so.
Yeah, I think there are a couple of things that weren't done perfectly well at that time, but I think these things are evolving and the entire market and industry is evolving, but I remember also just a couple of weeks ago in a customer advisory, it's actually, and then what you said, so most is at level two and within level two we need actually way more grades, so this should be really split into something where you say, okay, I understand better, so that the weak or the strong end, so to speak, of level two to make it more flexible because, so the customer actually then had his own levels where he split level two into two layers at least, and I think this is something I'd like to see.
So, with the many questions we have here, I think we should try to respond a bit shorter than before. I'd like to pick one which I like because it's an interesting one. Within healthcare, say on the operating room or a surgery room, how would one use biometrics?
So, face recognition with mask caps will be questionable. What is the solution? Is it iris cam? Is this payable? Is this maintainable?
So, insights from our end. So, maybe I add one point here from my end. There are also things like wristbands and other things that take other biometric factors, so like not only the heartbeat but all the details around that, that also can, based on temperature, et cetera, actually gather some information about, is that person alive?
So, there are things out there. Many of these come with their challenges like supporting vital but not at speed and things like that.
So, you need to carefully evaluate, but I think I'm positive that we see an emerging industry for solutions that can be used in whatever laboratories, in healthcare, in other areas where you also sometimes going even further down into ATEX, so the explosive environments, et cetera, where common devices don't work as expected. Joe, anything to add here?
Yeah, I would just say that when you're in a controlled environment where you have access to hardware, where you can provide technology to people directly, you have many more options when it comes to verifying identity. So, a lot of what we talk about today is in the context of remote identity verification where you may only have a smartphone or a tablet or a laptop.
So, yeah, basically following on from what you're saying, you can use other solutions in that kind of environment.
Okay. There's another question around the level of assurance. Is it fair to say that one-time biometrics alone has the same level of assurance compared to a two-factor authentication that consists of what you know and what you have?
The risks to them are different. It's very hard to say that this equals that when the threats to them are different, but it's the approach we take.
So, what we suggest, for example, is when you onboard someone, you don't know who they are, you want to go through as rigorous an identity verification process as possible. So, you want to use the highest level of assurance, the one-time biometric. Once you've onboarded them and you've created their account and you trust them, you could now mark the device as trusted, you could have a private key in the secure enclave. And then when they come back to authenticate later, you can have a lower level of assurance if they're doing a lower activity.
So, you may not have the option of a second factor at account creation because you don't have any context that you can rely on previously from that user. So, that's when to use the one-time biometric.
Let's pick one or two more questions. The one is the inherence factor. It's the highest assurance factor. By that logic, does video call verification also deliver the highest assurance?
That is a good question. The problem with video calls is they suffer from a similar threat to the non-one-time biometric.
So, the kind of the liveness, active liveness, for example. It is now possible to render very realistic face swaps in real time on a computer with a GPU.
So, you could have a call with someone and you can effectively overlay someone else's face on yours and you can have a conversation with them. Your lips will move, the hair will blend, and it will become very hard for the other person to tell that you're actually, that the face swap is being performed, especially with video compression. If you've got a low network and your bandwidth is creating a bit blocky and so on and so forth, that hides also any telltale signs of possible face swap activity going on.
So, that is becoming less and less reliable as time goes on. And yeah, I would not put my trust in that type of mechanism for having future resilience.
Okay. I would argue that we probably need to throw a bit of AI on that video at the end, because it's, if you spot one sort of mistake made in a face swap, which is easier to do than a perfect face swap, then you would have, again, an additional factor you can use for your risk calculation. But I think it's a continuous race that we are facing here where things are going forward.
So, let's take one more question, the final one. Is your biometric verification actually to be seen as an authentication or an identification? In case of identification, this question just moved somewhere else, in case of identification, it disappeared. Strange. It just disappeared in my tool. Sorry for that.
So, maybe let's start with identification versus authentication. So, our biometric authentication is only ever one-to-one.
So, it's not looking up a user in a database, for example, but it can be used for identity verification when combined with a photo. So, if you have a trusted image of someone, whether that's from a government database or from a passport you've read with NFC, or to some degree from an optical picture of a driving license or an ID card, it should be noted, though, of course, that there are, you can create very good quality fake ID cards.
So, you have to assess the level of trust you have on the image that you may crop of that person from a picture of a driving license, for example. But if you have an image that you are confident is the user that you want to allow in, then we can verify against that image as the source image of that source identity, and that becomes an identity verification process. Once you've done that, you can then obviously continue to authenticate that user against the same biometric profile that was created during that enrollment process.
Okay, perfect. Joe, with that, I think we've responded to most of the questions, at least.
So, thank you very much, Joe, for all your insights that you provided. Thank you very much to iProov for supporting this KuppingerCole Analysts webinar, and thank you for everyone listening to this webinar and for all the questions you've raised that made a very interesting Q&A. Thank you and hope to have you back soon at one of our next virtual or physical events.
Thanks, Martin. Thank you.