Authentication is done. What about Identification?
Posted on 23.12.2020 at 13:59
By Pavel Melnichenko, CTO
All our previous topics were about authentication – how to authenticate a user or a transaction, how to reduce risks of hijacking authentication data, how to prevent data substitution, score a device and many more.
We have been working around authentication and transaction confirmation technologies for a long time. And we made advanced products in this field. Yet, with the pandemic situation, we faced with a new challenge on how to personalize a user’s device to make him able to authenticate? To work with critical data is usual for us. These mean that we cannot just use login/password to authenticate a user. We have to provide strong cryptographic authentication with key distribution schemes. The usual case for technologies like this is to visit some authority personally as bank’s branch office, certification authority for PKI purposes or some customer service.
As I said before, the pandemic situation has made us confused.
According to security tutorials, there are three mechanisms to work with your user:
- identification (meet your client);
- authentication (has been done);
- authorization (usually is application level).
These mechanisms work from the first to the last. For example, you cannot authorize your user without authenticating him. You cannot authenticate him without identifying him.
We realized that our solutions cover the second step because we used to work with applications, which identifies a user by themselves. After identification, an application can personalize a user’s device with the authentication factor (private key in our case) and authenticate him in the future.
The modern request from our customers in pandemic situation became different: “we want you (means us) to provide us (means application holder) identified user with personalized device”.
This request became actual because of our customers (bank, FinTech, logistics, insurance) cannot meet user offline to identify him. Even before the pandemic situation, they were not glad to open branch offices. Pandemic became a catalyst to move identification from offline to online.
I know you think about many solutions called digital (or electronic) KYC (know your client). But if you will take a look a few paragraphs above, you will understand that eKYC covers identification step only. Our solutions cover the authentication step. Sure, advanced application holders and developers can combine eKYC and authentication factors distribution in their application, but this will lead to many efforts for developers and, as a result, costs increasing. At the same time, the product will be a multi-vendor solution, which is harder to support.
For us, the conclusion was obvious – we should try to combine eKYC and personalization process for authentication purposes together. Result solution will cover two of the most sensitive and complicated steps in remote interaction with a user – identification and authentication.
Moreover, the outcome of identification will be a user, who entirely ready for online communications: with user’s record in an application and with device personalized to authenticate a user himself and his transactions.
Before start, we formulated the essential requirements for the identification process (eKYC). Here they are:
- eKYC must be done with the user’s mobile device only
- onboarding process must be as simple as possible;
- eKYC must verify if there is an alive user in front of a mobile device (e.g. liveness detection);
- an application will wish to have a user’s photo to know a user (selfie);
- we have to ask a user to provide an identification document to get his name, age and so on;
- this document must contain a photo to compare with a selfie to be sure that there is a user’s document;
- we have to recognize fields of the document;
- we have to verify if the document is not a fake;
- we have to verify the document with external for us sources, like governmental databases, black-lists, police databases and so on;
- after success data collection, we have to provide an initial key set to the user’s device to start the personalization process for authentication in future and do this securely.
As you see, remote identification includes a set of complicated technologies based on mobile development, video analysis (liveness), face recognition (compare faces in liveness, selfie, id document), optical character recognition, images integrity checks, government integration and set of security mechanisms to finish personalization.
As one of the most important thing, it must be effortless for end-user.
Looking ahead, I can tell that we realized our vision in our solution – PayConfirm platform. The onboarding process for our user takes about 20 seconds and seems very simple. As a result – the user will have wholly fulfilled the record in the target application and device to control his actions (authentication and transactions confirmation). Application holder can be sure that a user has passed all the security checks, and the user’s data is correct. And all this has been done remotely.