Welcome to our Coco Analyst webinar Identity Assurance Using Biometrics. This webinar is supported by ipro and the speakers today are true Palmer, who is Chief Product and Innovation Officer at I Proof and me Martin Kuppinger. I'm Principal Analyst at Coco Analyst as common for our webinars. We'll start with a very quick housekeeping and first poll, have a look at the agenda and then we'll directly dive into the subject of today's webinar. So for housekeeping, you are muted centrally, so we are controlling these features. Nothing to do from your end. We'll run factually two polls during the webinar and if time allows, we'll discuss the results during q and a. We have a q and a session during the end of the webinar and you can use the features of the tool we are using. So in the the right hand side of the, the sort of the app or website, you'll find the q and a session and last and least we are recording the webinar and we will make the recording and the presentation available for download in the coming days.
So before we start, let's quickly start with a first poll here. And that poll is about does your organization offer sort of modern authentication, let's call it broadly. So passwordless, multi factor authentication, risk-based authentication to your consumers. So do you have something in place already for your consumers where you say, okay, our target is to offer them a modern, ideally also convenient way of authentication that is on the other hand, very secure, yes or no. Looking forward to your responses, we leave that out open for some 30 seconds or so. And as usual, the more participate in the poll, the more relevant and interesting the results will be. Okay, I think we then can close the poll and look at the agenda. So the agenda for today's webinar, as for most of our webinars are split into three parts. The first part I will talk about drivers for identity verification and proofing and what is around that because I think this is a really something which is very important to understand nowadays.
And then Joe will talk about the role of biometrics and lifeness detection and going more into detail into practical examples before we then do our q and a. I will take a bit less than 20 minutes and then has another presentation. And then as I said, we run the q and a. So verification is something which is, which always has been, has been important, but in, in, in an age where we work probably primarily online where even in business we, we rarely have touch points sometimes with the organization, a lot of us come to the office only every now and then there might be even people in the organization that never have been physically in an office of the organization. So verification is a very important thing because identities in, that's the other side of it, they are at the forefront of cybersecurity. When you look at all these, the readings you'll find around cyber attacks and it becomes apparent or becomes obvious that, that most of the attacks are in some way related to identities by phishing for credentials, et cetera.
So identities are a starting point. And also account take over or what is very common these days. Business email compromise where where someone tries to appear someone else, all these things have a, have an identity angle. So we need verified identities. They are essential to cyber security and fraud detection and fraud detection commonly builds on identity proving and behavioral analysis. And there are a couple of technologies around that partially overlapping certainly the, the identity proving the wedding stuff that's really about saying could this be Martin, maybe comparing with the, the, the e i D card, why a video, et cetera. So video identity stuff, et cetera also includes things like Martin alive, so liveness detection, which is easy, relatively easy to do in video then which becomes more way more complex in recurring access in other methods, the behavior, this is the normal behavior of Martin or is it different including biometrics, which can be more active.
Look looking at biometrics, passive biometrics, also understanding surely is there something impersonating Martin, is there a bot which is not really a person, but which tries to act as a person, understanding the wise and, and also understanding how well it credentials are. So are these sort of speak good enough, trustworthy enough credentials? We, we need to act on that front because as of said at the end, attacks build on or attack target identities and the credentials, they try to come in that way. And this is where we need to start our protection. And I think it also can be looked at from a different perspective. So when we look at how, how an access runs, it starts with me, the identity using a device, then going over network, being authenticated, being authorized, but at the very beginning it is me authenticating me being the one who comes in.
So that also needs to be done fast, specifically when we look at consumer use cases, but also for employees. People don't want to wait. So we need to do this at speed, we need to do this at speed. Specifically when we look at the digital business to succeed in the digital business, it's not just hinder us in onboarding users in recurring authentication because that is where acceptance goes down and maybe right out look at bit at the more the consumer side of use cases, when things become inconvenient, I think every one of us has a tendency to drop off during onboarding. I have to admit, I regularly, when when for instance trying to to purchase some goods online, I regularly stop and go to somewhere else when onboarding becomes cumbersome or when when I have been there and there this churn rate of recurring users and the thing only offers using a password and asks me again for the password, I don't have it in hand, I need to reset it.
The mail which should be sent to Meri doesn't arrive on time. The things got lost again, maybe sometimes even. So I've, I've put some goods into the, the shopping card and, and worst case experience, the shopping card is empty until I manage to reset my password. And that that that is where I won't come back. It's the churn rates, but it's also about process optimization. So every minute your employees are waiting costs you time. And if they have to wait a couple of times for small, even very small periods, it counts up, it sums up. And the overall user accept that tends goes down. And I think many of you may have experienced this, that when things go wrong with authentication, this is where people immediately react. So this is what, what what they, they feel, what they experience and what then makes the, the phone at the help desk ring and depending on what doesn't work and who is trying to authenticate it may make make the phone of the CIO ring.
And I think we can put this into a bit bit of a bigger context. So in in the digital age, age, it's really organizations rely on the digital services. The business is built on that digital services are baked to everything. They are the business, they are the way we, we we deliver to, to customers. So we need this smooth journey. And this is very much about identity and security. And this again goes into onboarding and recurring authentication. And here is where, where convenience and security come together. It must must be both because otherwise the digital service is at risk and we can't put it at risk because this is the core of our modern business. So we need to get a crib on that. And a very important element in that is really that we apply advanced biometrics, which also includes liveness detection to ensure that it's really someone who is sitting in front of the system, et cetera.
All these things come together to make this work. So because the differential services make us differentiate, we need to deliver them in a reliable way. We need to be able to update them. But we need, and this is on the more the right hand side, we need security or attack resilience and a smooth customer journey only then we will deliver the digital experience that makes our business succeed. This is at the end part of a competitive differentiation, but maybe more, more to the bad. So if everyone is perfect, fine, but the ones who are not good yet, they struggle. So it did in a negative sense, differentiates them from their peers. All this must also be accurate.
We all have heard about false positive rates and we need to minimize false positives because they are the negative thing, the lower user experience. We also need to minimize false negatives. And this is a very difficult, very tricky balance. So to ensure that everyone who's bad is left out, but all who are good so to speak can pass. We will never be perfect on that, but we need to come close to perfection only then we have an efficient risk reduction only then we have the user acceptance and we then reduce fraud at a good performance. And I think also every one of us is aware of these se scenarios where where, where you ask something in addition and that is fine, that is fair when it's adequate. When you do the search credit card transaction with the same device within 20 minutes and you're asked three times, the question is going over the top or or being the the right measure. So we need to do it very good and at least as I've said, we are, we need to be good in the balance between false positive, false negative. And that applies to everyone. I think this is also very important to understand it's every industry. So when we look at at the market then the banks, the finance industry, they have been the ones who started first.
But digital businesses ubiquitous. We need everywhere in retail and gaming. Gaming is a huge industry and insurance for telcos, for healthcare, travel and hospitality, government to citizen everywhere, we need to do it in an efficient manner. And we also need to understand that every industry is target of fraud. It's not just the payment industry anymore. Government, healthcare, retail. They are target of fraud. We need to protect our digital services with adequate measures and that starts with the identity. And we, we must underestimated risk. And this is one of these typical risk metrics is the point I really want to to look at is yes, there's the fraud in the high volume financial transactions and there might be a few incidents sometimes that are really targeted at this huge sort of huge fraud scenarios. But we also have these small things and if you have many, many small ones, retail potentially lower impact, but high frequency.
So at the end you're still at the right hand side in the red area, it's relevant for every business that we must deploy these technologies across all businesses nowadays, not just in the areas where we have it anyway for, for a while, like in the finance industry. And we need to do it in a way that is about zero friction. It must be seamless to the user user at least it must be so that the user feels that the benefit for the user is for him or her is higher than the impact. This is about acceptance. And the seamless thing is I think something which is very important. And, and one thing I I'd like to highlight here, and we can do a lot of things in modern authentication, behavioral analyzers that are really convenient and secure. And one of the sentences I feel is fundamentally wrong is we need to balance convenience and security.
No, you don't need to balance it, you need to combine it. Cause balancing means security goes up and convenience goes down or convenience goes up and security goes down. Neither of that is good, it's good if we can manage to have both at a high level, this is what we need to do ha do in our thinking. So the sentence balancing convenience security is just wrong. It's about the combination of both. And we have technology that helps you in doing so today and all this must be reliable. That means we need to factor in many indicators about the device, about the user behavior, about biometrics, things like liveness detection, like how the people are using their devices, what they are doing, which types of transactions they're doing, et cetera. And then we need to come up with a risk factor to make our decision.
And this must be something we do permanently always on, so to speak. Authentication must work always, it must work seamless, it must not disrupt business processes and there must not be bypasses to weaker methods. So we need to bake this into everything we are doing. And I think this is going a bit in, in a more inside topic, but I I want to bring up this, this survey results, we, we, we, we had a while ago, we did earlier this year, so data collected by or gathered by co coal analysts. And I think when we look at this then it becomes very clear that the type of how do we access, how do we or the, the, the area where we, where people think it's most relevant to look at where we deal with identities is consumer identities. This is really where, where people expect we have a better experience, good to use secure identities, but it's also that workforce and partner are becoming more important.
And what I, I predict this, that we still see a very significant uptake of the entire identity verification space when we do more in this decentralized identity work where we see you yada regulation, where we see the U I D wallet and all the other things emerging. So we need to be aware this is a, a topic which will become even more relevant. We must be ready for that. So before I hand over to Joe, a quick second poll, and this is really more about the entire area of behavioral biometrics. So what is your number one concern regarding the use of behavioral biometrics? So is it the fear of performance downgrade and authentication, making everything slower? I already workers' council, I'm from Germany, so I'm familiar with workers' councils. Is it this false, false positive versus false negatives or do you say I don't care, I'm used to it, I do it every day. So I give you 30 seconds. Looking forward to your responses. Thank you. And then with that I hand over to Joe Palmer, who right now will talk about the role of biometrics and liveness detection,
Right? So I'm gonna talk to you about the spectrum of identity assurance, which is how we see and measure the world from our perspective. So let's just look at the challenges and drivers when it comes to identity verification and authentication. Organizations today are going through digital transformation programs. So identity, as Martin said, is, is a key aspect that should be considered very much as part of this. And it gives you an opportunity to be first to beat your competitors. When you come to producing a digital solution, users are demanding it, you know, ever since the pandemic there's been an explosion in online services that replicate the versions that were in the physical world. And so responding to this demand is, is a, is a key requirement. And there are government digital identity initiatives as well. So the EU wallet that's being developed for the, for the nation states in Europe is a, a good example.
The mobile driving license in, in the us the governments are driving a lot of these being that they are the custodians of our identity in many ways. But of course this brings challenges. How do we create a mechanism of trust? How do I know that this digital identity can be trusted and how much can it be trusted? We have to drive adoption. You know, this needs to benefit the user and be easy to set up, otherwise it won't take off and, and it will be abandoned. The user experience has to be good, it has to be easier than the alternative and effortless. So it's is, you know, adopted by the users. And of course it needs to drive operational efficiency. We can't have digital solutions producing harder to manage backend office activities, for example. And of course there are multiple levels of security, you know, not all processes are equal. And so how do we assess the level of assurance that that is appropriate for each transaction?
So let's look at the factors. These are the three types of factor that we know and love today as, as we authenticate this is when you think of two factor or multifactor authentication, these are two independent factors. Strong customer authentication for example, requires two independent factors, the knowledge factor, something, you know, this is a password or a pin, but of course if you know it, someone else could know it or you could forget it. So it's not ideal and it's actually the, the biggest cause of breaches in when, when it comes to security. Cause the possession factor something you have, this is better, you know, ideally only you have it, but of course someone else could have it, it could break, it could run out of batteries. So improvement but still not assuring that it is actually you, the owner of that account that's logging in. So inherent is the best factor when it comes to making sure that the account owner is the person actually accessing the digital identity. And therefore the importance comes down to being sure that the biometric authentication mechanism is secure, it's usable, it's resilient, and that's the, the focus of, of assessing that particular factor.
So when you are assessing identity factors, there's kind of three preset factors. You con you should consider the activity, what is that user trying to do? The the level of security should be associated with that activity and the usability it needs to be easy, but how, how hard? Yeah, how, what kind of processes can you be expected to sort of require the users to do? And then within that there's, there's variables. So what is the threat landscape? Some companies are more targets of attackers than others. Threats change over time. The transaction itself, you know, is this a, a low risk or a high risk transaction? You can, you can measure that as well as a, as a variable and the value of what you access by completing that transaction successfully, whether that be monetary value or access to data or, or services that, that have an intrinsic value as well.
So these are, these are things to be considered and if we lay these out on a, on a spectrum, we can look up from a low risk to high risk, for example. So from an activity in a context perspective, in a, in a financial services example, viewing a bank balance, this is something probably all do very often it's a low risk activity. It's not, it's not much that can be done with that. You know, if an attacker is able to view your balance, but if you start transferring money, then you know the risk does increase. If you're transferring it to someone you know, then you know it's not as high risk as it could be. But if you start transferring money to someone you've never transferred to before, then that is obviously much higher risk because you're unlikely to have transferred to a, to a Ford store before and then creating a new account from scratch where there's no context, there's no past history of that user where you might be applying for a loan. This is the highest risk of all. And these typically also scale with the number of transactions. So we probably view our bank balance multiple times a week, but we probably don't apply for loans or mortgages nearly so often.
And so from a security and resilience perspective, the factors can also be measured on a spectrum. So a password, it's, it's low security. Ultimately, once someone has that password, it, it will always work until you change it. So it is the, it is the lowest risk because there's no randomness, it's the same every time and therefore once it's stolen, it is stolen compared to a one-time passcode. So this is better, you know, it means that if a a one-time passcode is stolen, it can't be used again. So once it's used, it's, it's, it's useless. But of course there's a, you know, there's an additional piece of technology that needs to be used, which could also be stolen or replicated so better, but we can do even better. So biometrics again, comes back to linking that actual account owner that you are verifying that you are the user that they claim that, that you're claiming to be.
And this comes down to, to liveness. How can we should be sure that it is a real user, but of course a real user can also be replayed a bit like the password. If you can steal a user authenticating and it's the same action every time, for example, for liveness, and you can replay that, then you'll pass because it is a real user performing the action as required. So the highest level of security and resilience is to create that one-time element, a bit like a one-time passcode. Create a one-time biometric by requiring, by, by ensuring that the data submitted for biometric authentication is different every time. So making it incredibly hard to synthesize, create on the should also consider usability. And actually this, it goes along the same spectrum. So the most secure passwords are the most unusable. You can't, they're so complex you can't remember. So you have to now write them down, which then does that become a possession factor? It's you have to store 'em somewhere and, and that creates a vulnerability.
The, the passcode one time passcodes are better because you are given the passcode. It's different every time, but you still have to do something, you have to have a second device. You have have to have a mechanism to provide that passcode. So biometric is more, more usable still because it can, it is just you, you can't forget yourself. So you know, it's, it, it's very convenient. But typically today, liveness tests require you to do something form an action to try and prove your, your 3D human, not a 2D photo or screen or something. So the one-time biometric, if a, the challenge response mechanism to make it unique, if that is passive, then that is the highest usability you can get. The user just has to hold still for a few seconds to authenticate. And the illumination can also provide additional information for, for assessing the 3D of the face as well.
So if we summarize that as an overview, pass passwords are the lowest security and lowest usability mechanism. It's still in ingrained in society, but we are making progress moving away from them. One-time passcodes are better, but they do still have an impact on usability. Biometrics are are the most convenient, but some systems require you to perform actions. So therefore passive one-time biometric offers the highest level of security and the highest level of u usability. So it's appropriate for the highest risk environments. So coming back to Martin's point is you, you don't have to compromise with security and usability. You can actually have them both where appropriate.
So this all comes down then to assessing the performance of biometric systems. And this is, this is where you can, you can focus your efforts once including biometrics are a good answer to, to your authentication needs. So there are effectively three considerations. There's the face matching, this is protecting against impersonation attacks. So is it the right person or is it someone I've found that looks enough like me to pass the face matcher? And ultimately this is, this is a solved problem in today's world, face matching has become so good, it's been shown to have no measurable or significant biases across ranges of, of demographics. So it is fundamentally way better than humans. So that is a bit, there's a big tick in that box. So now how can we be sure that the face being presented is real? It's not a copy. You know, your biometrics, especially your face biometrics, they're not secret. You can find most people on LinkedIn and Facebook and so on. So how do I know it's a, a real person And liveness is typically what's referred to as presentation, attack detection. How am I sure that it's not a photo being held up or screen or a mask And trying to determine the 3D ness of the face is typically how this is done, which is usually requires the user to move or perform some action or show some variation in them themselves. That that wouldn't happen if you're, you are static 3D or fixed object.
But if you have stolen a user, authenticating a video of them authenticating in the past and you can replay that through injection attacks or man in the middle attacks some sort of cybersecurity technique, then it will pass because it is a real user. They were authenticating it is the right person, but they're not there right now. It's a copy of them from yesterday or last week or last year. So the key is how can we be sure that they're authenticating in real time? This is the concept of the one-time biometric, making sure that each authentication is unique but critically not adding additional burden to the user in this process.
So let's look at some use cases. You know, a low risk use case should be simple, fast, quick, potentially a single factor is sufficient versus a high risk use case where you need a second factor possession is a good second factor or it's a good factor to use because when you are authenticating, you are using a device. And a device can be a good factor where while smartphones today have secure end players or trusted execution environment, so you can be sure it's the same device as it was. Knowledge factors as we've discussed is is not great. So inherent is a we strong liveness is a, a great combination with the possession factor to authenticate a user in a high risk use case. So some examples in, in the workforce, if you are an employee and you are booking a a desk or a room in a new hybrid world, then your company single sign on mechanism is perfectly sufficient.
It's a low risk activity. But if you are logging onto a production server or accessing the finance system or HR system or something, it's really important that you be sure that the only the people that are allowed to do that can actually access that system. So this is where introducing inheritance as a factor makes a lot of sense in a consumer use case. The, the, the banking use case feeling your balance relatively low risk, not not not too con much concern using a single factor. You know, we will probably open our banking apps, see our balance, we may use a local biometric like a face ID or a fingerprint or something, but it's still just a single factor. It's the device you are authenticating to and that device is the possession factor. So not to be confusing, not to confuse biometrics on device as a independent second factor is not inherent. It doesn't identify you as you, it's just a convenience factor for replacing the pin, for example. So, but if you're transferring funds, maybe a large amount, you're setting up a new payee or changing details which can be used to recover your account like your phone number or your email address. Now we need to be really sure that it is you. So stepping up to include inheritance as a factor makes a lot of sense.
So identity assurance, there's multiple spectrums that need to be considered and the activity, what users are trying to do, the context in which they're doing it and the security needed for that activity in their context. These are all measurable considerations which should be taken into account. But you shouldn't be compromising usability. You shouldn't think how much usability can I compromise to achieve these goals. And similarly, the threat landscape, this adds another dimension because the threat is not static, particularly in biometrics, the advancements of deep fakes and ai, the, the threat to biometric systems is, is evolving rapidly. So the key is resilience and how to be able to evolve the security as the threat changes. So activities that were low risk before the pandemic may not be low risk anymore, for example, things change beyond that control and being able to adapt to those evolving threat landscapes is key. So thank you. I hope you found that interesting. I'll pass back to Martin and, and have a look at the poll results and have some Q and a.
Okay, great. So we are right now up to q and a and we already have a couple of questions here. I moved a bit further over here, so, so I, I think one, one you answered to, to a certain extent, and that is can technologies like Atlas face Id deliver the highest level of assurance?
So it definitely helps, but the key thing to a member is it doesn't actually identify you. So firstly with face id, you can actually enroll two faces. They don't have to be the same face. So that highlights again, how it could be one or two people when you're trying to identify on only one. And secondly, if you know the pin to the device, you can reset your face id. So it's easy to think it's a, it's a biometric, it is a biometric authentication method. It does have good liveness, but it doesn't actually identify you, it doesn't provide any assurance that you are who you claim to be. So that's it, that's important to remember. The other consideration is, again, not all biometric on device biometric solutions are equal. So quite recently I think there was an assessment on a range of android face on device face verification systems and they were found to be vulnerable quite some of them quite considerably vulnerable to spoofing.
So if you are saying I accept a local biometric as an authentication as a step up, it's very difficult to measure the level of assurance you're getting with the biometrics. Do you say only apple face id, do you say all Android? Because all androids are not equal. So it is, it is good to have as an extra step because it, it does protect against some aspects of, of, you know, attacking, being able to access the devices a first goods first step. But it shouldn't be relied upon to give you high assurance that it is the person who they claim
To be. Okay. So at the end of the date nails down to I think everything around authentication, we need to understand the, the sort of the real assurance level we can get from a technology and we must map this to our use cases. Yeah, so which level of assurance do we need for which use case? I think the other side of the coin is it's definitely better than username password.
That's
Right. That's the other side of it. And I think also what we must understand, I think this is something which is frequently I understood that at least the sort of the higher end range of smartphones or at least the mid range up there, they, they always come with secure elements. So a lot of sensitive cryptographic information is stored on hardware in a very secure manner, which I think adds to that equation. But I think you're right, I can ask someone else to, I still have an iPhone se so I could ask someone to, to put his finger or her finger on my fingerprint read and add these fingers to it as well, which is by the way not, not a bad idea for the devices I use in common with my wife. I need to keep this in mind. Maybe I do this this evening. Thanks for the hint. Okay, so how do we know that what biometrics threats are out there? What do you base this on?
So there are two. So if we exclude face matching, there are, there are kind of two categories of attacks. There's the presentation attack and there's the digital injection attack. So a presentation attack is where you are literally you are presenting something to the camera. So whether that's a photo, a mask, a screen, something like that, you ultimately, you trust the imagery that is being supplied and you are looking for traits, clues, evidence that this user is genuine or that it's an attack. So there's a lot of work that has been done on trying to determine how good systems are from a presentation, attack detection pad detection, present detect detection perspective, but it's not a very scalable attack. PR creating really high quality 3D masks that can, can spoof a system is a slow and costly process and so is not really the threat we see anymore.
Many years ago, presentation attacks were the most common type of attack that we saw that is no longer the case. Digital attacks where you inject video into the system, you bypass the camera in some way. There's lots of mechanisms to do this, but you trick the system into taking a video feed that you have prepared or that you are creating on the fly. And there are some techniques that you can use to try and detect this type of injection, which we do and, and others do. But it's ultimately futile because it's a bit like, you know, the gel breaking and the rooting. There's you, you try and detect whether something's being rooted and something bypasses that and it's a cat and mouse game and ultimately someone with enough knowledge and enough determination we'll be able to find a way to bypass injection detection. So
You have to then it's more about really the targeted attacks and not the sort of the mask type of attacks you're talking here.
Yeah, so it's, it is exactly, so a, a mask is targeting a particular victim. The presentation has to embody the biometric identity of the, of the victim and that's what makes it time consuming and costly. And then you have to have someone holding it up. Whereas an injection attack, it may take a long time to build in the first place, but once you've got something working, you can now scale that attack as fast as you can run servers basically. So it becomes a, a digital attack in its entirety and you can take, you can take victims faces from LinkedIn or Facebook. You can create deep fakes and generative AI representations of them that perform movements and so on. And then you can stream these into systems that think they're getting a real camera feed and the number of those types of attacks we've seen face swaps, either someone really there that's got someone else's face overlaid or pre-generated or real-time generated deep defects. These are the biggest threat now that we see.
Okay.
The scary thing is their scalability.
Okay, we got, got a couple of more questions here and we also got some words for the questions. So questions that are where people want, want an answer wrong. So what I think this is a is a bit bit a tricky one, but, but anyway, I think first to give it a try, how would you categorize one-time biometric verification to the NIST 806 3, 3, 3 standards as an auth assurance authentication level in terms of confidence?
It's, that is a good question and the reason it's a hard question is because it doesn't, the, the NIST 863 levels don't provide enough granularity to represent the, the threat and the mitigation to threats that exist today. And so, you know, level of assurance one is, is effectively self-assertive. There's not really a huge amount of value in that level of assurance. Two requires more verification and a more robust validation of that data and can be done online. So that's good. But level of assurance three requires an in-person check, which obviously can't be done online. So we are looking at online identity verification level one isn't good enough. Level three is unachievable, so you only really have one level, level two and level two doesn't have that granularity within it. So, but n iStar working on the fourth revision of this, it's in consultation, there's a draft out and many people including ourselves are contributing to it. So we hope to strengthen the, the definitions because again, the, the, the, the concept of liveness was not really in the mind's eyes of the authors back when the current published version was actually created, but very much is now. So
Yeah, I I think there, there are a couple of things that weren't done perfectly well at that time, but I think these things are evolving at the entire, entire market and industry is evolving. But I remember also just a couple of weeks ago in a, in a customer advisory, it factually ended in what you said the most is at a, at level two and, and within level two we need factually way more grades. So this should be really split into something where you say, okay, I understand better is that the, the weak or at strong end so to speak of, of level two to make it more, more flexible because, so at the customer factually then at his own levels where he split level two into two layers at least. And I think this is something I'd like to see. So wi with the many questions we have here, I think we should try to respond a bit short than before.
Sure, yes. I'd like to pick one which I, which I like because it's an interesting one. Within healthcare, say on the operating room or surgery room, how would one use biometrics? So face recognition with mass caps will be questionable. What, what is the solution is I cam is this payable as this mean tenable. So insights from our, so maybe I add one point here from, from my end, there are also things like wristbands and other things that take other biometric factors. So, so like not only heartbeat, but all the details around that that also can, based on temperature, et cetera, surely gather some information about is the personal alive. So, so there are things out there, many of these come with their, their challenges like supporting Fido but not at speed and things like that. So you need to, to carefully evaluate, but I think I'm, I'm, I'm positive that we see an emerging industry for solutions that can be used in whatever laboratories in in healthcare in other areas where you also sometimes going even further down into atex, so the explosive environments, et cetera, where where common devices don't work is expected show anything to add here?
Yeah, I would just say that when you can, when you're in a controlled environment where you have access to hardware, where you can provide technology to people directly, you, you have many more options when it comes to verifying identity. So a lot of what we talked about today has is in the context of remote identity verification where you may have a smartphone or a tablet or, or a laptop. So yeah, basically following on from what you are saying it's you, you can use other solutions in that kind of environment.
Okay. There's another question around the, the level of assurance. Is it fair to say that one time biometrics alone, it's the same level of assurance with compared to a two factor, a indication that consists of what you know and what you have
The risks to them are different? It's very hard to say that this equals that when, when the threats to, to them are, are, are different, but it's the, it's the approach we take. So when what we suggest for example is when you onboard someone you don't know who they're, you, you want to go through as, as rigorous as an identity verification process as possible. So you want to use the highest level of assurance, the one-time biometric. Once you've ordered them and you created their account and you trust them, you could now lo mark the device as trusted. You could have a private key in the secure enclave and then when they come back to authenticate later, you probably don't, you can have a lower level of assurance if they're doing a lower lower activity. So you may not have the option of a second factor at account creation because you don't have any context that, that you can rely on from previously from that user. So that's when to use the onetime biometric. Okay,
Let's pick one or two more questions. The one is the, in the inheritance factor, it's the highest insurance factor. By that logic, does video call verification also deliver the highest assurance?
That is a good question. The problem with video calls is they suffer from the, a similar threat to the, the non onetime biometric. So the kind of the the, the liveness active liveness for example, it is now possible to render very realistic face swaps in real time on, you know, a computer with a G P U. So you could have a call with someone and you can effectively overlay someone else's face on yours and you can have a conversation with them. Your lips will move, the hair will blend and it will become very hard for the other person to tell that you are actually, that a face swap is being performed, especially with video compression, if you've got a low network and your bandwidth is is is creating a bit blocky and so on and so forth, that hides also any telltale signs of, of possible Facebook activity going on. So that is becoming less and less reliable as time goes on. And yeah, I would not put my trust in that type of mechanism for having future resilience.
Ok. I I I would, I would argue that we probably need to throw a bit of AI on that video ident because it's, if you, if you spot one, one sort of speak mistake made in a face swap Yeah. Which is easier to do than a perfect face swap, then, then you, you, you would have again an, an additional factory you can use for your risk calculation. Yeah. So, but, but I think it's, yeah, a continuous race or that we are facing here where things are going forward. Take, let's take one more question. The final one is your biometric verification actually to be seen as an authentication or an e identification in case of identification? This question just moved somewhere else in case of identification. It disappeared. Strange. It just disappeared in my tool. Sorry for that. So, so maybe let's start with identification versus authentication.
So our, our biometric authentication is only ever one to one, so it's, no, it is not looking up a, a user in a, in a, in a database for example, but it can be used for identity verification when combined with a photo. So if you have a trusted image of someone, whether that's from a government database or from a, a passport you've read with N F C or to some degree from an optical picture of a, a driving license or an ID card. To be noted though of course, that there, there are, you can create very good quality fake ID cards. So there's a, you have to assess the level of trust you have on the image that you may crop of that person from a picture of a driving license for example. But if you have an image that you are confident is the user that, that, that you want to allow in, then we can verify against that image as the, as the source image of, of that source identity and it becomes an identity verification process. Once you've done that, you can then obviously continue to authenticate that user against the same biometric profile that was created during that enrollment process.
Okay. Perfect. Joe, with that, I think we, we've responded to most of the questions at least. So thank you very much Joe for all your insights that you provided. Thank you very much. I approve for supporting this Analyst webinar and thank you for everyone listening to this webinar and for all the questions you've raised, just made a very interesting q and a thank you and hope to have you back soon at one of our next virtual or physical events.
Thanks.
