KYC is a perfect choice for onboarding your customer. It is quick to do and provides all the required information the business needs to know. Coupled with the AML compliance tool, it might seem that your current onboarding process is complete. However, a missing piece here is customer re-authentication after the initial onboarding. This blog post will cover why face authentication can significantly enhance your KYC to tackle this issue.
How does the current identity verification process work?
The customer onboarding process usually starts with the customer providing personal information like name, address, date of birth, etc. The business then uses this information to verify customers’ identities against databases. If the verification is successful, the customer is then asked to provide additional KYC documents like a passport or driver’s license. The automated ID document verification uses OCR to extract and recognize symbols from captured documents. Then a trusted identity verification solution will verify authenticity, match faces using face recognition technology, and completes the onboarding flow. If needed, a manual supervision team will also supplement verification flow, especially with older documents or to comply with specific rules within a country. All of these steps were declared in the 5th AML directive, so companies must comply with Anti-Money Laundering (AML) regulations.
When do you need to authenticate the customer again?
The customer completes the identity verification flow, but his interactions inside your platform are not finished yet. There is a possibility of fraudulent events occurring during the customer activity months after onboarding. We gathered a short list of the most common occasions when you need to verify identities again:
- The customer performs an unusually high-value transaction. You can’t simply allow customers to continue just like that since it poses a significant account takeover threat.
- The customer decides to change his mobile phone or use your service from a newly detected location. Simple password protection is not enough since it could be a widespread password security breach nowadays.
- Inactive accounts want to perform transactions. In this case, an additional check like face authentication should also be enforced since the account could be taken down already by having the credit card data compromised without the customer even knowing it.
- If the customer wants to perform an account reset or change the email address with other authorization credentials, then face authentication would come as the first line of defense. Fraudsters use stolen email access to overwrite authorization credentials without the customer’s awareness.
Isn’t Two-factor authentication the answer?
Every day we indeed use two-factor (2FA) authentication for daily logins, believing it is a secure way of authentication. When why did Data Breach Investigation Report by Verizon in 2021 reveal that 61% of all security breaches occurred due to stolen credentials? It is because something straightforward as 2FA is very much vulnerable to SIM swap attacks. If you are Twitter or his founder Jack Dorsey fan, you should be aware of the incident in 2019, where Jack’s Twitter account was hacked with this exact method. To understand how this data breach attack works, it is essential to consider the relationship between identity and your phone number. Identity is something that belongs to You, while a phone number is issued by another third-party entity – your local phone number provider. As a result, you start depending on another authority to keep your identity safe, exposing you to a potential vulnerability.
During the preparation of a SIM swapping attack, a clever fraudster would start gathering all your details, including your phone number, Social Security number, personal code, and date of birth. When he finally feels ready, he will contact your phone number carrier, and by impersonating you, he will try to convince the operator to port your current phone number to a new SIM card in his possession. Also, it doesn’t help that phone operators don’t perform phone verification checks against fraudsters and original phone numbers, which would showcase IP or roaming network differences (unless fraudsters make a call from the victim’s location). As soon as phone porting occurs, your existing SIM card will stop working since there will be a phone activation period, complicating the fraud attack even further. As a result, you won’t be able to call your local carrier; the only way would be to drive physically to the location to get details about the ongoing issue. Some of the people, who suffered from this attack, did precisely this.
The potential damage will solely depend on how frequently you choose a one-time password (OTP) as an authentication method for your services. Hackers can take over your email, PayPal accounts, or even accounts in cryptocurrency exchanges since temporary PIN codes sent via SMS or email are one of the most preferred authentication choices. On the other hand, face authentication could prevent account takeover of this type since it is purely tied to your biometrics, and there is no need to entrust your identity to your local phone carrier. You are entirely in control of your identity using face authentication.
Why does face authentication solve security breaches?
It would be great to know a high-level overview of how it works to understand why facial recognition technology is the right tool for a job. A facial recognition software can utilize stored biometric data to run checks across face recognition databases. In short, once a customer completes his KYC journey, you can choose to keep his encrypted facial biometrics. Once it is stored, all you need is to perform face recognition (ideally coupled with a 3D face recognition technology) to compare stored data with newly received one. Then the facial recognition software ensures that the same person performs a biometric check. Now, if we would go back to the previous examples, it would become much clearer to understand the benefits of face authentication.
- For instance, before submitting a request for high-value transactions, a customer would need to perform a quick facial recognition. Face authentication would not disturb his checkout flow since facial recognition systems can easily be blended into the existing flow.
- Location change and mobile phone switch is not an everyday event; that’s why your customer should not be mad for asking him to re-authenticate himself.
- Face authentication for inactive accounts should not be a highly demanding task. They most likely are happy about it since they immediately would notice that your security practices protect their account.
How can you get started?
A well-structured facial recognition system should be integrated into your software without additional hassle. We followed this idea strictly and designed our face authentication to match those needs. Whether it is a mobile application or a web-based solution, all you need is to perform our identity verification. After that, you need to generate an authorization token, and the customer is asked to perform simple facial movements inside his mobile phone or browser. It doesn’t take longer than 30 seconds since there is no standard KYC onboarding flow.
Face authentication is a separate module; as a result, it requires only a single step to perform verification successfully. You don’t need to select a document and a country. The document and selfie pictures are not needed too. It is as simple as it sounds.