Virtualization Technology News and Information
Jumio 2020 Predictions: Traditional Authentication Methods Are Becoming Obsolete - Biometric Authentication to Take Center Stage in 2020

VMblog Predictions 2020 

Industry executives and experts share their predictions for 2020.  Read them in this 12th annual series exclusive.

By Robert Prigge, CEO of Jumio

Traditional Authentication Methods Are Becoming Obsolete - Biometric Authentication to Take Center Stage in 2020

In today's digital age, personal data is never safe.

Whether playing innocent games on your phone, ordering food from DoorDash or purchasing clothes online, cybercriminals are looking for every opportunity possible to acquire user data. Ongoing data breaches continue to expose usernames, passwords, payment information, health records and other personal information on the dark web, enabling fraudsters to log into user accounts and commit account takeover fraud.

Traditional authentication methods such as SMS-based 2FA and knowledge-based authentication make it impossible to truly know if a person logging in is in fact the actual account owner. In 2020 and beyond, we'll continue to see enterprises realize that these traditional authentication methods can no longer be trusted to protect online accounts, because passwords and security questions can be easily bypassed or guessed with readily-available information on the dark web or social engineering.

In the new year, enterprises across all industries will move toward biometric authentication to ensure a user's digital identity matches their real-world identity - keeping data secure and out of the hands of fraudsters. Below, I will explore five specific trends and predictions around identity verification. 

1. Deepfake technology will raise the bar even higher for online identity verification and security methods

With a reported 50% of consumers using the same credentials across multiple accounts, automated account takeover attacks will continue to run rampant in 2020. As organizations increasingly abandon outdated authentication methods that are easily susceptible to fraud, like SMS-based 2FA and knowledge-based authentication, and turn to more advanced, biometric-based authentication methods as a secure alternative, the rise of deepfake technology will become a larger concern.

A deepfake superimposes existing video footage or photographs of a face onto a source head and body using advanced neural network powered AI - and are relatively easy to create. In 2020, we will see an increase in deepfake technology being weaponized for online fraud as biometric-based authentication solutions become more widely adopted. Even more concerning is that many digital identity verification solutions are unable to detect and prevent deepfakes, bots and sophisticated spoofing attacks.

In order to stay ahead of the rapidly evolving fraud curve, companies will need to make sure they are implementing an advanced biometric authentication solution equipped with a certified liveness detection. As criminals use more sophisticated attack methods, having the ability to detect when photos, videos, bots or even realistic 3D masks are used instead of actual selfies to verify that the actual user is physically present during a transaction will be critical. It's becoming increasingly important to deploy certified 3D liveness detection methods. Uncertified methods rely on "tells," such as blinks, nods and other verification prompts, which can be spoofed by deepfakes. Instead, modern enterprises need to adopt certified liveness detection methods that have been vetted and approved as global biometric standards (e.g., ISO 30107

2.   Regulations must advance past addressing the authenticity of the online users to stop the growing fraud epidemic

U.S. organizations spent the better part of 2019 preparing for the implementation of the California Consumer Privacy Act, the strictest data privacy law in the U.S. In 2020 we will see the regulatory environment continue to shift to address aspects of the growing fraud and data breach epidemic. Specifically, taking aim at the authenticity of the internet and the ability to discern if someone is real and/or who they say they are when operating online in a variety of use cases, from shopping to tweeting and sharing videos. But these laws have significant shortcomings for protecting online digital identity.

Last year California implemented the BOT Disclosure Law, making it illegal for a bot to operate as a human, specifying it "unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person with its artificial identity." In June 2019, Rep. Yvette Clark (D-NY) introduced the DEEPFAKES Accountability Act. If passed, it would require the creators of false videos to label them as such or face up to five years in prison.

While both the BOT Disclosure Law and DEEPFAKES Accountability Act acknowledge that bots and deepfakes pose serious threats to democracy and can be used for digital propaganda, they don't acknowledge or penalize the other underlying fraud concerns. For example, the biggest problem with the DEEPFAKES Accountability Act is that it doesn't address scenarios where the cybercriminal is creating deepfakes to perpetrate identity theft or bypass traditional biometric authentication. In these scenarios,  a cybercriminal isn't going to divulge that he is about to perpetrate a crime by being re-encoded for distribution on Instagram or YouTube (e.g., assuming the identity of a legitimate user) to the very organization they're looking to defraud.

While regulations are continuing to move in the right direction, they are still behind the pace of innovation and aren't properly capturing how these emerging technologies can be used for online fraud.

3. Cybercriminals will target highly regulated industries that have higher potential payouts

It has been widely reported that Social Security numbers are sold on the dark web for $1 and credit card information can be sold for up to $110. But Experian reports full medical records can command up to $1,000 because they're an identity thief's dream: date of birth, place of birth, credit card details, Social Security number, address and emails. Because of this, fraudsters will start targeting more lucrative industries like SMBs, healthcare, financial services, government agencies, higher education and energy. Many of these industries lack the IT resources and skills to adequately defend their organizations against sophisticated attacks and represent ripe targets in terms of the type of data that can be compromised and ultimately weaponized by cybercriminals to impersonate just about anyone.

  Biometric-based identity proofing and authentication will continue to be adopted in highly regulated industries
The global market for mobile biometrics is forecast to grow at an impressive 31.14% CAGR, adding $28.45 billion per year in incremental growth between 2018 and 2023, despite the CAGR decelerating by 22 percent in the period. The growth forecasts the latest set of market analyst reports that indicate widespread adoption of biometrics technology: 22% for mobile biometrics, 22% for 3D sensors and 19% for healthcare biometrics.

Facial authentication is impacting the physical security market, cloud-based subscription services are becoming more popular for security, and the Pentagon is expected to remain a source of opportunity for companies offering advanced authentication technologies. Although we are still in the early stages of biometric-based identity proofing and authentication, its development will serve as a viable solution for the growing fraud epidemic. Previous methods of identify verification, like pinging credit bureaus, knowledge-based authentication, and even SMS-based two-factor authentication are no longer viable, reliable or secure means of authentication (and don't provide a high level of identity assurance). Biometric authentication, on the other hand, is significantly more secure, reliable, and deliver much higher levels of assurance.

5.  Facial authentication goes mainstream 

There's been a healthy degree of confusion between facial recognition and facial authentication, but the underlying technologies are often very different and designed to address different use cases. For consumers and businesses alike, facial authentication is a win-win. Unlike facial recognition systems which are often performed without the user's consent, facial authentication is permission-based and provides high levels of security and assurance to a user while letting them seamlessly access their own accounts or devices. The elegance of facial authentication is that the user does not need to be subjected to the entire identity proofing process - they just need to take a new selfie when they log into their favorite app or perform a high-risk transaction (e.g., wire transfer or password reset). In 2020, we anticipate that facial authentication will continue to grow in popularity and continue to be used as a trusted technology for identity verification.


About the Author

Robert Prigge 

Robert Prigge is the CEO of Jumio and  is responsible for all aspects of Jumio's business and strategy. Specializing in security and enterprise business, he held C-level or senior management positions at Infrascale, Secure Computing, McAfee, Quest Software, Sterling Commerce and IBM.
Published Wednesday, January 22, 2020 7:25 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<January 2020>