Last week we presented our webinar “The Consumerization of Authentication.” In it, we looked at recent trends that give consumers more voice and power in how they access and manage their online accounts, and at how the industry is responding to these concerns.
We received some excellent questions from a highly engaged digital audience. Here are some of the questions from the webinar along with our answers:
With one-time passwords (OTP) via text, how do we expand the verification portion with telecom data and make it more robust and accurate?
OTP via SMS is, frankly, a bit frightening because it has some inherent weaknesses that make it susceptible to session hijacking. This is one of the reasons NIST, in its recent authentication guidance under SP 800-63-3, is backing away from SMS-based one-time passwords. Some vendors like Vasco and Twilio are bringing in telecom data to make the authentication process more robust. Or customers could combine that data through a solution provider like Equifax, who can leverage the telecom ownership data as a risk check in an SMS OTP process.
Can you define the difference between Identity Proofing vs. Authentication?
In essence, Identity Proofing is an initial event while Authentication is a recurring event that — at a single point within the end-to-end processes — applies an identity proofing step. Identity Proofing is used in the initial steps to ensure that the person established in the authentication process is actually the person linked with the account in question. While it’s usually done as an initial, one-time step, many organizations are looking to create periodic "identity verification" steps that leverage Identity Proofing technologies.
Does iovation do the identity proofing? If yes, how?
No. But our Authentication and Fraud Prevention systems integrate with Identity Proofing to create part of a larger, more holistic Authentication+Fraud Prevention+Verification workflow.
When you combine all different methods in the consumer journey, how much would you expect the cost of a transaction to be? Has anyone done a study to estimate that?
So far we’ve not seen any studies that assess these costs when all these methods are used. Ideally, however, these costs would be transaction based and some would cancel the others out. For instance, if I have enough assurance to authenticate my user based on a good device print alone, I may not need to be charged for an MFA check. However, if I need very high assurance — say, two MFA checks — then the ROI is probably also justified, because the cost of “getting it wrong” may be too much to bear.
Can you give an example of what machine learning would translate into a tangible authentication or ID Proofing strategy/policy?
This is an excellent question! Machine learning is still very nascent, and the use cases for it are evolving daily. Imagine, though:
- Machine learning being used to test for 'liveness' in facial recognition scenarios (i.e., ensuring that the face being recognized is not a photo or video)
- Machine learning that watches us “age” and anticipates minute changes in our facial profile
- Machine learning that knows precisely how much an authenticating device should be allowed to change on a day-to-day basis
What role do you think FIDO will play in the future?
FIDO has set a new standard for decentralized, anonymous authentication architecture using mobile platforms. It will force an evolution of offer architectures. Some products, like iovation’s LaunchKey MFA offering, are designed with both of those same principles in mind. FIDO is, in effect, creating a new line on the bar that indicates “Your authentication solution needs to be this tall to ride the ride.” But like all “standards,” caution should be used because they can be slow to evolve. Let’s not dismiss new technologies and approaches just because they may be ahead of FIDO.
If you missed the webinar, you can watch an on-demand version of the webinar here: https://www.iovation.com/resources/webinars/the-consumerization-of-authentication
ABSTRACT: A quantum shift in authentication is already underway, where user experience takes center stage, customer expectations soar, and we realize – painfully – that the tools we’ve used to authenticate within the enterprise simply won’t cut it “beyond the firewall” where most customers live. Now it’s time to learn from it.
In this on-demand webinar, you’ll learn:
- How to move beyond outdated two-factor authentication to embrace the future of multifactor authentication
- How existing customer expectations should drive your emerging multifactor authentication strategies
- How a layered approach – interweaving different user authentication services – solves new problems
- Promising technologies: what RSA 2017 taught us about new tools we can use
Most importantly, you will learn from the experiences of iovation subscribers who’ve been able to successfully balance user experience, massive scalability, and risk-appropriate authentication.