Hello and welcome to our webinar today. I'm John Tolbert, director of Cybersecurity Research here at Co Cole. Today I'm joined by Pascal er, who is I a m architect and executive director at U B S. Welcome, Pascal. Our Hi
Everyone.
Our topic today will be digital transformation and financial services using biometrics. So a few logistical things before we get going here. Everyone's muted centrally. There's no need to mute or unmute yourself. We will be doing a couple of polls at the end of my presentation before Pascal starts. So please get ready to participate in the polls and we'll show the results at the start of the q and a session. And we will have a q and a session just after that, before the end. And both the recording, we are recording this and the recording and the slides will be available in a couple of days time. So with that, I'm gonna start off talking about the business drivers, which are largely financial regulations and the need to prevent fraud and how biometrics can be used for both onboarding registration as well as authentication. Then I'll turn it over to Pascal, then we'll do the polls and q and a at the end. So first up, identity assurance for financial services. Like I said, two of the biggest drivers are complying with regulations in various places around the world and trying to prevent fraud.
So let's look at the financial regulations first. There are essentially lots and lots of lists that have to be checked, and it really depends on which country, which government. There are some differences in how the laws are enacted and enforced, but broadly speaking, we see, you know, four major kinds of regulations and practices that need to be in place for financial institutions. The first of which is anti-money laundering. We call that a M L. This is to prevent exactly what it sounds like, money laundering, you know, this might be drug money, terrorist financing money. So you really need to know who the person is, who's trying to open an account, know your customer. This is sort of an extension of that. This requires, you know, identity proofing and really ongoing identity proofing or periodic identity proofing, where you want to know that the person is still in control of that account.
And you have the updated information, whether that's email address, physical address, phone number, you know, other financial information about a person, the account holder. These are things that need to, need to be updated on a, on a regular basis. Then we have pep, politically exposed persons. These are, you know, perhaps politicians, prominent people, their families, anybody who might be, you know, susceptible to things like bribery or kidnapping. So these are other reasons why you might need to do some screening. Lastly, we have sanction screening. We've heard about this for quite a bit in the last couple of years because of the war, people, companies, organizations get put on the sanctions list. And as a financial institution, you wanna make sure that you're not transferring money or, or holding money for people or organizations that are sanctioned.
Another regulation that we should talk about or actually directive is the EU revised Payment Service Directive. As a directive, it's a little bit different than a regulation. It had to be ratified individually by all the member states and put into place. But now there are regulatory, technical specifications for PSD two that apply to all member states. And probably the most interesting for our discussion today are the requirements for strong customer authentication, which is exactly what it sounds like too. You know, our typical information security definition of strong authentication is two or more of the something you have, something you are or something you know. And then also transactional risk analysis. This can be making sure that it's the same person who started the session or who started a session recently, if you don't want to encumber them with yet another strong authentication event, which sometimes can be a bit onerous if you're doing transactional risk analysis, you can sometimes obviate the need for that. And what's, what's good about this, you know, from the biometrics perspective is both of them can be facilitated with biometric authentication and registration. So we'll dive into that in a, in a bit more just in a minute. Here.
I mentioned fraud as well. There are two major types of fraud, you know, broadly speaking that that all kinds of organizations, not just finance, are trying to prevent today. And that's account takeover or a t o fraud and account opening fraud, A t o fraud, you know, attackers are trying to gain at least temporary access to some existing account. They can be used for value transfers, anything that can be converted into, into money. Of course, bank accounts, credit cards are highly targeted. But you know, frequent flyer, any kind of reward account, anything that can be converted into money is a potential target. So that means all industries are targeted, targeted, but you know, finance is definitely one of the most targeted in this regards. Account opening fraud, this is a little bit different. That's where the attackers try to create fake accounts, but based on real people's data, where do they get that data?
You may have noticed there have been many, many data breaches, you know, looking for all kinds of personal information. That personal information can be used to create a fake account if the financial institution or other account holder isn't particularly careful. So school records, employment records, healthcare records, all of these contain information that can be used to build fake accounts. Just think about, you know, what, what are you asked when you are trying to open an account? Those bits of information, those are the ones that the cyber criminals are after. Why do they do that? They want to commit major financial fraud, you know, do money laundering. They create mule accounts to move money back and forth, you know, from country to country organization to organization. So these, these two types of fraud are two of the most prevalent that we see across many, many industries.
So rather than just talking about problems, we should talk about mitigations to these problems. A t o mitigations we've been recommending for years. Things like multi-factor authentication, which aligns with, you know, PSD two's, strong customer authentication as well as risk-based authentication to make sure that, you know, it is the person who has registered for this account that's trying to transact something with this account. Then account opening mitigations, identity proofing, you know that at the time of registration. Making sure that that person, you know, matches, you know, some authoritative government issued id, they have the proper information to register. And then ongoing K Y C, you've gotta keep that information up to date and how often that has to be done can vary by jurisdiction.
And this is where mobile biometrics ties in because we can use mobile biometrics for both the A t o mitigations and AO mitigations, like multi-factor and risk-based authentication as well as identity proofing. So I've mentioned biometrics a few times, it's, it's time to sort of dive just a little bit deeper into that. It's really about leveraging something to something you are part for both registration and authentication. So there are multiple, what we call modalities, biometric modalities, how people interact with devices, how, you know, features about themselves that that can be unique or a pattern can be made unique that can later be identified. Again, you know, doing pattern matching. First up, we're all probably very familiar with fingerprint, fingerprint or thumbprint. You know, it's looking at the, the patterns on your finger and and matching them. It's pretty usable, but there are some type of populations with which it does not work well.
Facial recognition, you know, this has gotten quite a bit more popular. Most of the, you know, newer phones in the last few years have this as a built-in option. What that's doing is looking at different points on the face, you know, making a spatial geometry comparison. There are things however that can sort of make that difficult operationally, you know, it depends on what you look like at the time you took your initial facial recognition sample, you know, have you shaved since then? Are you wearing cosmetics masks, you know, throughout the pandemic, you know, masks wearing a mask obviously will make it so it doesn't work well. Hat, glasses, all sorts of things could make it just a little bit more difficult. And so it's, it's, it's very good. Very useful. Particularly useful for registration time and matching. What's on identity documents? Voice, you know, we haven't seen as much of this probably assuming, you know, in recent months because AI has gotten fairly good at, you know, duplicating voices.
But there are a couple of major methods for voice recognition that's text independent where you know, your app could listen to you and decide yes, that's the right person or not when sometimes they constrain you to saying specific words. Again, we haven't seen nearly as much on the voice recognition side. Iris, you know, science fiction years ago told us we'd all be doing retina scans, but it turns out IRIS is a bit more usable and it has an advantage of being, you know, many, many more degrees of freedom. It's called different points within the iris that can be scanned that that truly can come up with a very unique profile of what an individual's iris looks like and what are the real benefits that of that is it doesn't change with aging.
Lastly, we have behavioral biometrics. This is, you know, how a user interacts with their devices. If it's a computer, you know, how how do you type, what's your dwell time? What are your keystrokes? Like? What's it, how do you use a mouse? It turns out that people have highly independent patterns of usage and those can be built into profiles with which, you know, ongoing real-time comparisons can be done. What's really interesting about that is that, you know, let's say you're using a mobile device, you can do how an individual swipes across the screen, the screen pressure, how they hold the phone. That's what gyroscopic analysis is. And even in the case where you may have multiple users of the same phone, individual behavioral biometric profiles can be built so that the device and software can determine which particular user is using it at a given time.
So one question that often comes up is, you know, how accurate is this? So there a couple of different concepts here that are, are useful to explain the false acceptance rate. This is how often an imposter might be able to get in false rejection rate, how often a legitimate user may be denied access. You know, I think that happens to all of us quite often, you know, if we're using things like fingerprint interface, you know, maybe you are, you know, you do have glasses on or you're wearing a mask. So those things can, can interfere with that. But you see at the bottom here we've got equal error rates. So what most biometric implementations aim for is, you know, that middle point where you know, you turn up the sensitivity enough to make sure that imposters would've a very, very hard time getting in, but you also don't want to preclude a legitimate user for being able to get in.
So biometrics sound ideal in many ways and you know, really they do increase usability most of the time. I certainly like being able to use that. It's way better than passwords. Passwords are as we all know, not only inconvenient but insecure and they're certainly much better than, you know, having to rely on things like security questions. The biometrics themselves can be attacked in a couple of different ways. There are enrollment time threats where, you know, maybe people collude to register a different person with, with a a given identity document. So you know, from the very the, the time the account is opened, there can be an attempt to sort of mismatch biometric samples and templates. You know, this could also mean like in the case of a phone maybe trying to steal the biometric template from the device. That's why there are on device features, you know, things like secure enclave global platforms, t e e and SE that that can help with protecting biometric templates that are stored on phones and other devices.
Then there's also the common security notion of confidentiality, integrity and availability. Biometrics aren't secret. I mean you can see my face, people leave fingerprints everywhere. You can't keep 'em confidential. But keeping the integrity of the biometric samples is key and that again is, you know, the templates that may be stored on a device, we generally recommend local storage and local comparison. It's much better if that's not going over the air or over the wire. And of course availability can affect overall usability as well. Lastly here in just a moment we'll talk about a presentation, attack detection. You'll see many biometric implementations to talk about liveness detection and that is you, you know, trying to make sure that an attacker isn't, you know, holding a picture up to a phone or you know, using a mold. There's all sorts of different ways that presentation of detects can can show up and that can be, you know, using photos or even three D printed molds. So you know, liveness detection might be looking for perspiration on the finger, asking someone to blink when they're doing facial recognition, things like that. It's very important to be able to help defeat the attackers that are using sophisticated methods like this.
So lastly here I've talked about biometrics in general, we all are kind of familiar with how biometric authentication works. Remote onboarding here, I just want to kind of highlight what we might call a happy path flow where you know you're using a mobile app to register for an account for the first time. So you apply for high assurance credential, you will probably be asked to go download a remote identity verification app. A couple of the key features are you gonna take a selfie picture, which will also perform that liveness detection. I was just mentioning. These apps can also scan maybe using O C R or N F C authoritative documents, whether that be a driver's license or a passport. And you know, assuming all of that is legitimate then a credential can be issued. This, you know, definitely speeds things up, you know, in the olden days or it still can happen today where you go to a bank and you show these documents and a person verifies you, but there are things, you know, that that can be costly and it can takes more time.
So, you know, remote onboarding definitely has advantages. Of course it has security risks as well. And you know what's really interesting, and we've probably said this before is, you know, this technology's been widely used, you know, throughout the pandemic for even enterprise or workforce use cases where a person, you know, got onboarded to a new employer using, you know, these kinds of technology for identity verification at the beginning. So this has become much more widespread. It's a, an interesting technology that I think will only continue to improve so that it's time to ask a couple of questions. And we're curious, you know, talking to the audience today, what are the main drivers that you see for remote identity verification? And we've got several choices here. Is it for that a M L compliance? Are you looking for usability improvements? Is it 24 by seven availability?
Because you know, banks aren't open all day every day. Is it about customer conversion and increasing your revenue? Because if a person doesn't have to go to a bank to register, then it certainly would be advantageous to be able to offer registration at any time. And then lastly, you might just be looking for something lower cost altogether. So we'll launch that poll. Okay, next question. So do you have or are you looking for remote onboarding solutions and the choices here are we already have a solution in place? None, but we're looking for one or we're not really looking into that at all at the moment. And we do appreciate your participation in this and we will look at the results of these polls right before we start the q and a session. So just as a reminder, feel free to enter some questions for us and
Thank you John. Thanks for the intro and welcome to the second part of the webinar. My name is Pascal Tavil and I've designed and built such a remote identity verification solution and I will talk about the technology and I will also talk about some of the the key success. So when we talk about remote identity verification options, there are basically two ways to get this done and, and I would say in summary there is an expensive inconvenient version, which is doing a video call and then there is a convenient 7 24 hours cost-effective solution. And that is offer self-service identity proving or identity verification. When you look at the video call, there are some advantages for that. It does not require an N F C capable mobile phone. True, although around 98% of our mobile phones sold do have an N F C chip because it's used for payments.
And then it also works for all sorts of people. So even elderly people that having challenges using a smartphone, they can go through that process. The cons are it's inconvenient and from feedback we've received or I've received it is people, people don't like it and it takes a lot of time. So it's usually, I mean an average video call is taking around nine to 10 minutes. It depends on the identity document and if people understand what they need to do to scan the identity document or verify the identity document, it also requires a quiet private place. You can't just do that in in, in a, in a noisy loud place. It doesn't work. And usually from what I've seen, most banks, they do not offer 7 24 because it's very expensive to operate such a service desk 7 24. If you look at the self-service, the pros are prospects and clients, they prefer self-service, it's available from anywhere at any time, low cost compared to a video call and it has higher conversion rate.
And that's from my experience. On the negative side, it requires a compatible mobile device and very important, it requires a very intuitive and also a very secure process because that is obviously also vulnerable for any sorts of online attacks. So today I'm, I'm, I'll talk about the self-service way to do it. So you'll see the typical steps in such a self-service identity verification process. It starts with the product selection, then with the scan of a passport, we will talk about the technology later on reading of the biometric chip, then the liveness detection and, and face comparison is what Sean already mentioned. Then the next step is the K Y C background check, then client, a product opening, and at the end, the electronic, the issuing of a digital signature that is required to digitally sign the contract and that would allow a client to have instant access to digital banking and credit card. And I will show you later on in a live demo how this is look how, how this look like. And then we going to the technology part.
So how does it work? Most of you actually seen the technology at the airport. It's the same technology as some of you have used at the e passport gate using an e passport with an integrated biometrics chip. And the way it works is you use your mobile phone and the integrated N F C chip, the same chip you use for payments with Apple Pay or Google Pay. And with that mobile phone you first read the machine readable zone, that machine readable zone are these, these two lines at the bottom of the first page in the passport that will give you the password or the passphrase to then read the data from the chip. All the data on the chip is digitally signed by the issuing country and that means it allows a offline validation. So you can check the digital signature and you can say a hundred percent sure this is a genuine document if you verify the digital signature.
The second step then is an automated identity verification. And what it, what it does in fact is the first step is we check if a user is a real person is not a fake. And that means we have to, or you have to ensure that it is not a video replay from a screen. It's not an AI generated deepfake, it's not a high resolution photo and it's not a mask. And for that you need, you need to have a robust lifeness detection solution that allows you to say, well, that's a real person, it's a genuine person. And the second step is you need to compare it to the holder of that identity document. And that happens via face comparison. So that's step number four. Once this is completed, you can say identity proving done tick off. I've summarized some of the key architecture principles for the mobile device.
My recommendation, you should go for a zero trust model for the use of mobile device. That means you should assume that the mobile device is compromised. That's, that's one of the key architecture principles, probably the most important one. And you should have several security controls to enforce that. That means you only use the mobile device to collect information, but you don't make any decision and you don't do validation on the mobile device. That's, that's what you're doing on the backend in a trusted environment. That means processing or storing of information must happen in a trusted backend. Also, validation of documents, comparing faces and liveness detection.
My recommendation here is backend services designed to scale and withstand any cybersecurity threats. The usual secure by design. It's also important that you support various consumer, consumer and business workflows that will come to that later on. So you should design it as a service that can be consumed by mul multiple journeys and it should be cloud native. So that means you can, you can deploy to any of the hyperscaler clouds. I want to talk about the, the enormous potential that the technology has to digitize your digital identity processes for your clients. So it starts with, with a self-service digital client onboarding that allows you to onboard a client in under five minutes.
And if you have an intuitive self-service capability, your conversion rate will increase. And that's from my experience. You can also use the same technology for re-identification. One of the use cases is qualified electronic signature. You need to re-identify the user every three years. Users that haven't done that, you can do that in your mobile banking app or in your mobile app and they can do that self-service. If you scan the passport, you do the identity, the lifeness detection, you can do that in under two minutes. Any personal data changes that like name changes or gender changes, anything, you can automate that process by using, by scanning the passport and by doing liveness detection. And these, I mean the mo most banks are still have manual processes in place, so you need to go to the branch to get this done. You can automate that with that technology account recovery using liveness detection and, and facial biometrics.
You can do the account recovery instead of users need to call the, the support or the help desk to get an an re an activation pin, for example. You can do that by doing face biometrics and an O T P to the mobile phone number. Very effective and it saves a lot of money for support calls and also waiting time. For example, if you send activation pins via post, you can also do it for high risk business transactions. That means if you need to have step up identification and identity verification for any, so what I'm going to show you is an example of U B S mobile banking.
That's the key for, that's digital banking. So what you see here is the, the process for Swiss based clients. There are two terms and conditions. One is just, I pause here for a second to explain it. So there's one for to open the account. That does include the consent of the user to process biometrics and to pro process his personal information from identity documents also that we gonna, that his data is stored. And the second one is around the qualified electronic signature. We, U B SS is using a separate provider for that Swisscom, and hence we have, there are different terms confirmed, it goes to the next step. That's part of the product selection depending on the age we are, there are different product offerings. So you select your, the credit card you want, and then you can see here we, we, there are some certain countries are supported.
You can see them here because not all passports can be offline validated because countries do not publish the certificates. So there are some restrictions going to the email address, mobile phone number verification, and then to the, the important part, biometric self-service or video call. Then some basic instructions on how you need to hold. And you see here, that's the first step. Scanning the first page of the passport. And then the second one with the signature, if this is completed, next step is the N F C chip scanning. For that you need to hold your mobile onto the, the biometric passport and you will then read the chip data. Once this is completed, it's around the personal details, address check, then some K Y C questions that all belongs to K Y C.
And now is the step with the liveness detection. That's where eye proof is coming into the game. Some instructions on how to do the selfie video. And then the liveness detection starts. As you can see, it only takes a few seconds. It's, it's around five seconds and it's very intuitive. And then the contract is generated instantly including opening a bank account and the issuing of a virtual credit card that can be used instantly in the wallet. The whole process, as you've seen here, it takes under five minutes from you select the product until you have a bank account open and the credit. So I will continue to talk about the conversion rate because that's key for the self-service. And what are the key factors? So from my experience, most, the most, the key three points here, first of all, user guidance. The user guidance should be visual and animated guidance is a must a specifically when, when it's about error handling.
And that's the next point. So if users do not know how to do it or if there's a timeout or if they do not scan it correctly, then you need to provide accurate context-based help. Otherwise users will fail again and they get frustrated and your app rating will go down the drain. Then around eligibility, you should evaluate the self-service eligibility support right at the start of the process. Users get frustrated when they found out very late in the process, they can actually not use self-service. So that means by selecting the country and telling them only these countries, for example, are supported, then they don't have to go through the whole process to find out that they, they have to still have to go through the video call. What I learned is kind of the hard way is that the majority of the prospects and users they drop out during the identity scanning phase.
And if you use the EPA pocket that the airport, you can probably imagine why that is. It's not an intuitive process. Some, most people probably do that the first time in their life and holding a mobile phone on, on a, on a passport to scan an N F C chip is not something people are familiar with. And that means, and that goes back to point number one, user guidance is absolute key. Users need crystal clear animated instructions, real time feedback, and my recommendation as as, as a summary focus on animated user guidance and accurate error handling. And the other lesson learned is conduct as many usability lab sessions as you can because once you live, you have only one chance to get it right. If people don't like the app or don't like the process, you'll, you'll have to deal with bad ratings and feedback. I used to use my mom, she's around 70, she has a smartphone. I used her as benchmark and I noticed that for the first few versions she never passed the N F C scanning. And that's probably a good benchmark. And that's, that's what I mean with usability lab session. Try as many different people as you can to go through that process and to give you feedback.
Then the identity document scanning and, and validation. Here's some, some hints around the evaluation criteria for a solution. So you should check on the support of the identity documents, biometric passports and national IDs. They also biometric national, national IDs in the European Union that are compatible. That's, it's, it's a standard and you can use both. And I can tell you that many citizens of European nations, they don't even have passports, they just use national ID cards, biometric ID cards. So it's important that both is supported. And then as I said before, regarding usability check with the vendor, what type of standard default user guidance they provide and what the capabilities are to customize the ui, the error handling options so that you can provide accurate help for the users that are struggling with the scanning. With the O C R scanning and the N F C scanning, you also should, should check scanning and O C R performance with some older and and entry level phones.
It's also something I've learned, especially entry level phones. The performance can be really poor. That means you need to hold the passport and, and the mobile phone still for several seconds and that leads to quite high dropouts so that you also need to test it on the poor light conditions. Some people try to scan it in, in, in dark places or with light from the top and that produces glare and, and that people keep on failing, scanning the first page of the passport. If you need to de decide about hosting either in your own cloud or on-prem versus software as a service, you need to focus on data privacy and data protection aspects. My recommendation is I would go for a software as a service solution because you don't wanna bind your engineering and, and operation resources. And the vendor is always, you know, the, the, the best, the best solution to host their own products.
Then the size of the S D K, you need to check with some of the vendors. They provide quite, quite big SDKs and that can become a problem if you're already using other SDKs in your mobile app, that might become a deployment problem. Develop a documentation code samples for customization. It's always helpful to see, to have a look at the developer documentation and ask your developers what they think about the quality and, and the samples that gives you an impression on the quality of the solution. And then very important support for artificial testing documents because it's, I'll come to that but later on. But it's, it's important to have that support that you can use some artificially generated to test documents. So in summary, focus on user guidance and error handling and ensure that the solution supports a zero trust model and that means the validation of the document happens in a trusted environment.
Lifeness detection, the most important aspect from my perspective is you need to decide for an approach some vendors offering an active or a passive approach, what does that mean? Active means the user needs to do something to do to during the liveness detection process. That means you either need to move your head up and down or left and right or you need to take your mobile phone and, and bring it closer to your face or, or move the mobile phone. From my experience with the usability lab sessions, most people are overwhelmed when it's active liveness detection. It's already difficult or challenging for some users to position your face in a frame. So that means I would definitely recommend to go for passive liveness detection where you just need to hold your mobile phone in front of your face. Then the AI model performance, you need to ensure that it works equally between different races, ethnicities, gender, and light conditions. And that means extensive testing. And I would also ask the vendor for statistics around that because you don't wanna have end up having reputational issues if the performance is not equal between race ethnicities, then the pet robustness and the liveness detection technology.
Yeah, there is, it's, it's important that it test that properly and you have a good understanding of how that, how that works and what kind of AI models the vendor is using. Again, with the hosting versus software as a service, you need to focus on security controls for data privacy and data protections specifically because you, the vendor is hosting biometric templates or biometric data of your clients. So that means you need to ensure that you have full control over that data and it's all EU G D P R or the complying to other data privacy laws and regulations, then reporting capabilities and fraud abuse detection. So that gives you an impression on what's going on and how many attacks that that you have. So it's, it's important to understand what the reporting capabilities are. And then most vendors they offer two different license aspects or license, license models, capacity versus transaction.
So that means you either license a certain capacity, let's say 1.5 lifeness detection transactions per second or you pay per transaction. The pay per transaction comes with a bit of risk in the sense of if you have many fraudulent attempts that might increase your transactional cost, that means you as a consumer or provide of, of the such a solution you have the risk of the license costs. And then last but not least, if you subject to qualified electronic signature certification, then it's helpful if, if that vendor can help you with that certification or is used to the process of certification by an auditor testing the solution. That's what I've mentioned before when we talked about the, the solution for document scanning and validation. The problem is there are over 150 countries that do issue biometric identity documents, although it's a, it's a global standard that is defined by Kao.
There is the problem that you have different design surfaces, various races and ethnicities and using genuine identity documents in the development and testing environment, that's not a good idea and it is also not scale. So you need to have custom artificial identity documents for testing purposes. That means you need to be able to generate these N F C compliant e passports, fake ones and you need to find a solution for that. And you need to have, you need to evaluate that right from the start. And, and that, that's my recommendation here. Add the identity document testing requirements to your must evaluate criteria once you're building the solution, you find out very late in the process that you don't have the right test materials, that becomes a showstopper then performance measure and improve. You can only improve what you know and that's, that's key when you design such a solution.
You need to define right from the start what you want to measure. And that means you start by defining the various steps in the process and so you can see how far users get or where users are struggling. That's extremely important that you have that for both, for the front end and the backend. That gives you an end-to-end view and you can then see where the dropouts are happening. And so from my experience, you can't have enough data. So when I designed the solution, I made the mistake that I did not collect enough information and then later on, once you see that users dropping and you do not have enough information, it's very, very difficult to improve that step of the identity proving process. So my recommendation, collect as much information as you can also use the behavior context information. For example, there are some mobile phones known for compatibility issues.
So the more information you have, the more you can analyze and improve the process. And that means plan for comprehensive statistics and reporting dashboards for the business right from the start. So the business can see what has an impact on conversion rate and where users are dropping. Also important to prevent fraud and abuse. Define monitoring and alerting rules for the KPIs and the statistics and like that you can detect anomalies, that's very important. So my recommendation here, add the reporting, monitoring, logging, add that as part of, of the solution as part of the R F P if you do an R F P. And with that I'm at the end of my presentation and I hand back to John.
Great, well thank you. That was really informative, you know, especially the discussion about, you know, how do you build and testimony systems, you've gotta have artificial identity documents, that's, that's probably something that not everyone thinks of, you know, and then looking at the different data points, you know, about where, where users might be getting hung up in these different processes. There are so many different things to consider, like what kind of phone or you know, what operating system version, you know. So that was, that was very informative. Thank you Pascal. So now let's take a quick look at our poll results. I think these are pretty interesting. The first question was what are the main drivers for remote identity verification? And you know, not unsurprisingly it was a m l compliance number one followed quickly by usability improvements. That's, that accounts for three quarters of the respondents right there. Any any thoughts on that? Pascal?
No, it actually cost is is, I mean in from my experience, it's definitely not the driver most, I mean from my perspective it's related to usability improvements and, and the demand of clients of having a 7 24 hours self-service onboarding solution. And a m l compliance is cer was certainly our, I mean I'm I'm talking about Switzerland. Switzerland just introduced this option of having remote identity, identity verification for qualified electronic signatures that allows you to sign all sorts of contracts including credit contracts. That is certainly a driver. Yes.
Great. Next one, please. So do you have or are you looking for remote onboarding? Well, not currently planned is the predominant response here, but about 42% either have one or are looking for one. So that's, that's good.
Okay,
Well thanks for showing those. Let me, let's take a look at our questions then, which we received quite a few questions. Hang on just a second screen back in place here. So the first question is, most of these points face and voice can be faked with AI nowadays. Is there a new policy to handle this problem? PSDs two sounds outdated with this new challenge? Well yeah, we're certainly learning about attacks that make the news at least where these, these kinds of things do happen. But I think, you know, liveness detection, what we had been talking about is designed to help prevent that. Same thing with the presentation, attack detection. Anything you'd like to add there, Pascal?
Yeah, I mean if it's about the attack vectors for biometrics, I can talk about facial biometrics and my recommendation is to use a third party. Do not trust the vendor promises when most of the vendors are have some sort of certification like I beta, but that doesn't, from, from my experience and from testing, that doesn't really mean they have a, they have good security controls or, or pet, pet controls in place presentation, attack detection controls in place. So I would always engage an independent third party vendor that is specialized in biometric penetration testing and verify the results that, or the, the promises that ADV Vento giving you in an R F P. So I've, I mean we've, I've done that for several products and I I've seen, I've, we've, I've seen a massive difference between what vendors promised and, and the effective, the, the control effectiveness.
Yeah. And I believe Final Alliance has security certifications that look at biometric like the F A R F R R E E R, those kinds of things too.
Yes. Yeah.
Let's see. Should biometrics make traditional passwords obsolete or should they be used together more frequently? Well, you know, my feeling about passwords is I'm, I'm kind of sick of them and you know, I do believe that, you know, some of the latest implementations of things like facial recognition, fingerprint recognition are better than most, let's say at least six digit pins. But, you know, the problem with passwords and passcodes is, you know, they can, they can be stolen, they can be leaked. I, I would prefer just to see them go away. I, I, you know, obviously there are other kinds of attacks that we've talked about here that that can happen against biometrics, but I think overall, when done right, usability certainly improves when you're more reliant on biometric authentication and password. What do you think Pascal?
Yeah, I share your opinion regarding passwords. I think everyone does, and I believe biometrics is the future and AI is the game changer here, really. I mean, traditionally there is kind of the fear that biometrics could be stolen, but biometrics in combination with artificial intelligence makes it a much more secure factor than a possession factor or a knowledge, a knowledge factor like passwords. So I believe in biometrics only for the future. That's my personal view, but I, I've seen the advantages for clients and, and I've seen the positive feedback from clients when going through such a process, especially for recovery, if you don't have to scan the passport, if you just have to do the liveness detection, people love it.
Well, yeah, and I don't know if anybody else has noticed, but it seems like, let's say on your phone when, you know, most of the time you can use face or fingerprint id, but occasionally it'll say you have to enter your passcode or your password in order to be able to use those features. Then of course that's always at the most inconvenient time. But then I think, okay, if you're gonna go down that route, then all you have to do is keep failing, you know, biometric authentication enough, and then you can always use a passcode anyway. So if you've stolen a phone, I guess that's what what they do to me, it seems like, you know, being more reliant on biometrics is more secure. And we're, we're running out of time here. Let's just kind of go through here. You highlighted usability and inclusion is a key evaluation criteria. Can you give more context around choosing, say, a liveness provider in this scenario?
Yeah, it's, it's probably what I, what I said before regarding active passive, you also have to ensure that the technology that a vendor provides does not allow video injection, for example. So I would say usability is key. How many that, that it's, it's in a convenient and intuitive process. And best thing is, as I said, ask your mom and, and see how that works. And then the second one is really the robustness, the robustness against attacks, against presentation attacks. And, and here I can only recommend to do, to test yourself and do not believe numbers.
Okay. Let's skip down through here real quick and take a few more. If mobile is assumed to be compromised, how to guarantee the data collected by the phone has not been tampered with to guarantee a positive check at the backend. You know, you mentioned SDKs, there are, you know, fraud reduction intel platform providers that provide SDKs that do you know many of the things that you're talking about here today, but also can check for things like evidence of malware, evidence of that the, the phone is, say in the wrong hands, they're also some of those credential protection methods I was talking about, about secure enclave or the t e e I think there are a number of different ways that ultimately you can fail safe and, and you would not be able to use the credential if it looked like the device itself is compromised. Any, any thoughts on that?
Yeah, I mean specifically around the document scanning, the data that comes from the chip is digitally signed, as I said in my presentation, it digitally signed by the issuing country. And that means you can validate the digital signature and that ensures that, that the data was not, not modified tempered in between. That's the beauty of this e passport, biometric passport solution. You can trust the data because you can verify the data and you can check whether it's genuine. And then as you said, I mean there are lots of other technologies to ensure that the device is not rooted or is, is, is, is not a virtual device. There are lots of these kind of technology that you can use as, as a first line of defense. And then the second one is, is confirming or validating the signatures.
Okay. We'll take one quick last one here. We're almost outta time, but several questions are related to ai, deep fakes. You mentioned PAD testing. If the threat landscape is evolving degenerative AI such as deep fakes, how do you trust a aliveness provider has those robust defenses?
You, you can't, you can't trust That's what I said before. No, you shouldn't, you shouldn't trust. I would always, so once you, when you do an R F P and if, if you have your short list, I can only recommend from my personal experience, go search a a third party provider that helps you testing someone that is specialized on that, it is able to generate deep fakes and video replays and masks professional three D masks. And that will guarantee at the end that the vendor does deliver what, what they promise.
Great. Well we're at the top of the hour. Thanks everyone for joining. Thanks Pascal, great presentation, great insights and this will be available soon. So I hope you join us for our next event and or webinar. Have a good day.
