Security by combination

Multimodal biometric detection

Authentication with username and password is vulnerable. If the digital transformation is to be successful, new and, above all, safe methods are needed to protect the digital identity. The solution is to combine different authentication methods.

At the end of the Odyssey, Homer applies what may well be one of the earliest examples of multimodal authentication: The hero, returning home after 20 years, is tested by his wife Penelope in two ways before she believes that he really is her missing husband – is he strong enough to string his mighty bow, and does he know why the marital bed is built immovably around a tree? Two of the three factors of authentication are applied here: "something that you are" and "something that you know". The legend shows a problem which is also important in biometric authentication: How do you recognize a person who naturally changes a little every day? The solution is multimodal recognition.

What is the value of the digital ego?

The more areas of life are touched by the digital transformation, the more often the physical ego can be replaced by a digital identity. In the past, it was necessary to go to the bank for a money transfer. Today, this is done by online banking – independent of location and time. Whoever holds the login and TAN data along with the terminal device can dispose of our money instead of us.

The conventional combination of username and password is vulnerable: Simple passwords with a long lifetime increase the risk that they have already been spied out. Complex passwords that often need to be changed overtax the user. According to a study by the Ponemon Institute, every third user currently asks for a forgotten password once a month.

If the digital transformation – and with it, the Internet of Things (IoT) – is to become a success, we need new methods to protect the digital identity.

Qualities of the virtual butler

How do you design a system that ideally combines security with user friendliness? Replacing one kind of authentication, such as username and password, with another is not the answer. Neither iris nor vein scan, nor voice recognition, nor any other method alone will solve the problem. Rather, a sophisticated system has to verify the identity of the user. This system is the basis for a combination of different authentication methods.

To do this, specialized partners need to work together to combine best-of-breed authentication components into a reliable assistant. The assistant knows the person, his or her preferences and habits, and those of his or her employer. This digital butler, as offered, for example, by the partner ecosystem of NEVIS, needs to have a number of characteristics:

Ability to learn:

At the beginning of its service, the butler needs to get to know the user in all relevant dimensions. This includes the user's personal and contact data, the equipment, services and service platforms he or she uses, and also the necessary biometric data such as physiognomy and typing pattern, voice, vein or iris pattern. Furthermore, the system cannot freeze at the level it once learned. The digital butler needs to update its recognition pattern regularly.

Adaptability and intelligence:

Not every occasion requires the same degree of security. The digital butler should choose the "level of assurance", i.e., the required level of authentication, accordingly. The butler should be equally adaptive in case of deviations from the stored authentication patterns. If the voice recognition fails because of a cold, this is no reason for an alarm. But if someone tries to log on with an unknown terminal at an unusual time at a distant place, the failure of the voice recognition is a very good reason to ask for further evidence of identity.

Vigilance and fast reaction:

The more features differ from the known patterns during an attempted authentication, the more suspicious the digital butler becomes, and the more stringent the criteria it should apply. If the "risk score" reaches a certain level, the system should check immediately whether a fraud attempt is behind the observed irregularity and, if so, prevent access.

Convenient use:

Cumbersome security measures induce users to avoid them. Many biometric methods such as facial recognition or analysis of typing behavior require very little active human involvement and are therefore suitable for everyday authentication.

Reliable data protection and transparency:

Because the digital identity is so important, the user must know whether and when it is used and for what purpose. Similarly, the data used for authentication must be secure, and access to it must be clearly regulated and transparent.
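The "Adaptability and intelligence" and "Vigilance and fast reaction" characteristics above can be sketched as a small risk engine. This is an added example, not code from NEVIS or its partners; the weights, thresholds, action names and sample attempts are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and thresholds, for illustration only.
WEIGHTS = {"unknown_device": 25, "unusual_time": 10, "distant_location": 20,
           "voice_mismatch": 20, "typing_mismatch": 20}
# Level of assurance per action: a lower threshold asks for more evidence sooner.
STEP_UP_AT = {"view_balance": 45, "transfer": 25}
BLOCK_AT = 80           # at or above this risk score the attempt is refused
MATCH_THRESHOLD = 0.7   # biometric similarity below this counts as a deviation
DISTANT_KM = 500.0

@dataclass
class Attempt:
    action: str
    known_device: bool
    usual_time: bool
    km_from_usual_place: float
    voice_score: float    # similarity to the enrolled template, 0.0 to 1.0
    typing_score: float   # similarity of typing dynamics, 0.0 to 1.0

def deviations(a: Attempt) -> list[str]:
    """Name every feature that differs from the stored pattern."""
    checks = {
        "unknown_device": not a.known_device,
        "unusual_time": not a.usual_time,
        "distant_location": a.km_from_usual_place > DISTANT_KM,
        "voice_mismatch": a.voice_score < MATCH_THRESHOLD,
        "typing_mismatch": a.typing_score < MATCH_THRESHOLD,
    }
    return [name for name, hit in checks.items() if hit]

def risk_score(a: Attempt) -> int:
    return sum(WEIGHTS[d] for d in deviations(a))

def decide(a: Attempt) -> str:
    score = risk_score(a)
    if score >= BLOCK_AT:
        return "deny"
    # Unknown actions fall back to the strictest step-up threshold.
    if score >= STEP_UP_AT.get(a.action, min(STEP_UP_AT.values())):
        return "step_up"
    return "allow"

# Constructed sample attempts.
COLD = Attempt("transfer", True, True, 3.0, 0.40, 0.92)            # hoarse voice only
REMOTE = Attempt("view_balance", False, False, 1200.0, 0.40, 0.90)
TAKEOVER = Attempt("transfer", False, False, 1200.0, 0.35, 0.30)

if __name__ == "__main__":
    for a in (COLD, REMOTE, TAKEOVER):
        print(a.action, deviations(a), risk_score(a), decide(a))
```

A single failed modality in a familiar context stays below the step-up threshold, the same failure combined with an unknown terminal, unusual time and distant place triggers a request for further evidence, and a mismatch on every signal is refused.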

 

This combination of context-based, multimodal authentication, the intelligent detection of deviations and the reaction to them is offered by platforms such as the NEVIS Security Suite by the Swiss software company AdNovum. In Switzerland, NEVIS already protects 80 percent of all online banking transactions. The security suite combines best-of-breed expertise from technology partners such as BioID or Behaviosec. The partners are specialists in their respective biometric disciplines:

The facial recognition solution by the company BioID uses the smartphone's camera to secure banking transactions. The extra effort for the user is barely higher than entering a TAN, and it renders the user clearly identifiable in a very natural way. The patented liveness detection additionally protects against manipulations with photos or videos. Importantly, it is not a complete picture of the user that is stored for his or her authentication, but rather a "template". This is an adjusted and reduced data representation of biometric features. This operation is not reversible: You cannot calculate an image of the person from the template.

A person's behavior also renders him or her clearly identifiable, and can be used as an additional security level. Depending on which device is used, the technology of Behaviosec records and analyzes the dynamics of keyboard input, mouse movements, touch gestures or the way a smartphone is held. These behaviors are unique to each user. The solution is transparent to the user, requires no additional effort and significantly increases security: Username and password no longer work only as a simple protection mechanism. The manner in which the authorized owner enters them confirms his or her identity.

Conclusion

The digital butler as companion and guarantor of our digital identity is set to play a major role. It relies - unlike conventional systems with rigid mechanisms - on authentication with intelligent, context-informed methods.

Penelope already challenged her spouse by means of multimodal authentication to prove that he was the person he claimed to be. We still need to be sure, 2,700 years later, that we as users are reliably identified and that the access to our digital ego is not misused.