As we all know, quarantine measures triggered a massive shift to remote work, almost overnight. In March 2020, in just two weeks, the percentage of US employees working remotely doubled, from 31% on 15 March to 62% on 2 April. And it seems that this new way of working is here to stay, with 59% of employees planning to continue to work remotely as much as possible even after the pandemic has ended.
Employers are changing their ways, too. According to a Gartner survey of CFOs, 74% of companies intend to permanently move part of their workforce to remote positions. Large companies such as Twitter and Square have already announced plans to allow for a large number of their employees to work from home indefinitely.
This great migration of users beyond the corporate firewalls makes them an attractive target for account takeover attacks. Likewise, as Open Banking becomes ubiquitous, banks are facing the same issue with both their employees and their customers. The standard response to a potentially compromised account is an immediate lock-out. While this measure can stop an attack in progress, it is plagued by false-positive lock-outs of legitimate users. Of course, such a user can call tech support, verify their identity and unlock the account – there are only so many additional calls those false positives would cause. However, fraudsters are increasingly making use of the latest AI technology, turning these lock-out calls from a minor expense into a security threat.
While phone scams are not new, using AI for voice spoofing is becoming more widespread. In 2019, a UK energy firm fell victim to an AI voice scam, resulting in the transfer of €220,000 to the attacker’s account. There is also now growing evidence to show that similar ‘deep fake’ spoofing is already possible in video conversations, which can only lead to more fraud.
So, with the move to less physical and more remote presence, the million-dollar question is: how do you authenticate or reset a lost password for an account owner who cannot physically access a branch office or for whom such access is not feasible?
One-device multi-factor authentication
At Credorax, we have been eager to answer this question ourselves. To explore opportunities for secure authentication and remote re-establishment of trusted credentials, we joined forces with Verifyoo, a company specialising in next-generation password-less verification.
Multi-factor authentication typically combines at least two out of three authentication factors to verify user identity: possession (something you have), inherence (something you are), and knowledge (something you know). A typical dual-factor authentication solution would rely on a password (knowledge factor) and a one-time code sent to or generated by a smartphone (possession factor).
DrawID, a revolutionary authentication solution by Verifyoo, incorporates two factors in a single solution: ‘something you have’ (a smartphone device) and ‘something you are’ – the way the user writes on the device.
The authentication process involves a one-time code with letters and numbers sent to the user’s device. The user then needs to write the one-time code on the device with their finger. The solution identifies handwriting and captures other device parameters to perform seamless biometric authentication and complete verification of the user’s identity.
The solution is very user-friendly and combines the factors of ‘possession’ (the user-owned device which receives the code) and ‘inherence’ (biometric authentication of the user) into one seamless flow.
High demand for secure authentication, driven by the shift to remote work and a wave of legislation, emphasises the inherent conflict between security and usability. Companies, especially financial institutions, face conflicting constraints while trying to secure their systems without alienating their users.
With these new demands, it is an excellent time to depart from the traditional multi-factor authentication paradigm and embrace next-generation solutions that combine several authentication factors into a single seamless user-identity verification experience.
At Credorax, we’re always looking for solutions like these to make the online experience better for our merchants and their customers. To learn more about our solutions, or to join forces on a collaboration project, contact us: firstname.lastname@example.org.