Biometric data, such as fingerprints and retinal scans, have been considered the highest form of identity authentication for about 15 years. Now we’re beginning to see video-based authentication grow in popularity, thanks to the ubiquitous smartphone and the love it has engendered for the art of the selfie. Video ID authentication hasn’t taken the world by storm yet, but it is catching on, and we can expect to see wider adoption in the next few years.
Video can be an elaborate process
Video identity systems can be as simple as asking a user to email a scanned photo ID and then initiating a video chat with a human who can compare their face to their ID. That, of course, is pretty primitive. More recent versions of video ID are increasingly elaborate. A user is asked to present both sides of the ID, bend it so that holograms can be seen, perform a whole series of actions to prove they are not a video recording, and then block portions of their face and ID to prove the user and the ID card are in the same space and neither is faked. A second authenticator then reviews the entire video to exclude any error on the part of the authenticator or collusion between the authenticator and the consumer. Finally, the entire video authentication process is archived for later reference.
While this process presents a fascinating new way for users to authenticate their identity in special circumstances like opening a bank account or obtaining a digital certificate, it isn’t practical for day-to-day transactions.
For repeated use, such as to access a bank account, automated facial recognition is necessary. Facial recognition software has gotten a bad reputation, thanks to its failure in high-profile cases like the Boston Marathon bombing. Critics, however, often overlook the real problem in using facial recognition in pursuit of criminal justice: the quality of the input device. CCTVs do not capture the level of detail necessary to definitively identify people unless they’re looking directly into the camera from a close position. That’s a problem for identifying random criminals, but it’s not a relevant problem for identity authentication; smartphones have sophisticated cameras and they’re held just two or three feet from a user’s face. As anyone who’s ever taken a selfie knows, the cameras in smartphones capture every flawed pore.
You can't solo security
COVID-19 game security report. Learn the latest attack trends in gaming. Access here
More simple video passwords already in use
Video identity authentication is already available to the general public. Windows 10 enables video passwords for users with the right type of cameras on their computers, and with Microsoft encouraging adoption of the technology, those cameras are likely to become standard in the near future.
In the United States, USAA has been the first major financial institution to roll out video identity authentication. Users download an app to their smartphones and simply present their faces to their cameras. Users blink to prove they’re real people and not photographs, and access is granted. The response from USAA customers was immediately positive — over a million users signed up within the first 10 months of launch, and the organization continues to offer this function today.
The next phase of video identity authentication may be the incorporation of more factors, such as facial expression and vocal quality. Users might be asked to say a phrase, and as their lips, cheeks, and eyebrows move in their unique ways, a computer is measuring those points. In addition, using people’s particular pronunciations and vocal timbres, voices can be compared to phrases they have previously recorded. The downside of voice recognition is the time it takes: The average phrase takes a few seconds to say, and then the system has to receive, recognize, and authorize the user. USAA executives estimate a lag of about 20 seconds in vocal recognition systems, and that feels like a long time to a user base accustomed to instant responses.
Video identity has gained more traction in the EU than in the US, with a company called IDNow gaining the first patent for video identity authentication. Further evidence of this traction can be found in the fact that BaFin, the German financial regulatory authority, recently issued a new set of regulations that came into effect in June of 2017. These define industry standards for this growing market. While IDNow may have the first patent, Italy-based Inventia and Germany-based WebID Solutions are also offering video identity solutions, although each has a different approach.
Organizations that cater to a consumer market and need to protect personally identifiable information have a high hurdle to cross when it comes to identity authentication. They need to balance the quality of their security with the ease of consumer usage — nobody wants a frustrated customer. For these types of companies, video identity authentication makes particular sense. Smartphones and their integrated cameras are in 95 percent of Americans’ hands, providing a convenient form of identity authentication that is available to almost everyone.
So why is video identity authentication necessary if a user already has access to biometric authentication using their phone? The dynamic nature of video offers a level of assurance that static biometric controls cannot match. A fingerprint can be stolen, and for the truly dedicated fraudster, stealing an eyeball is not beyond the realm of possibility. More realistically, biometric systems convert fingerprints, retinas, and irises into strings of code, which can be hacked in the way any computer code can be hacked. Video identity authentication systems store key measurements of an individual’s face (called anchor points) and require that the individual blink, smile, or perform other facial expressions to match the records contained in the system. While a fingerprint tells a system, “This fingerprint is allowed to enter,” a person’s moving face tells a system, “This is really Nigel, and Nigel’s allowed in.”
The difference may seem subtle on the surface, but it’s critical. Biometric data is commonly considered the gold standard in security today, but today’s gold standard is tomorrow’s tarnished mystery metal as hackers achieve new levels of sophistication. Video identity authentication is a relatively lightweight process for users that provides a high level of security for organizations trying to secure the most sensitive types of data.
Dan Puterbaugh is Senior Legal Advocate for Adobe Document Cloud. As an attorney for over 20 years, he has written and spoken extensively on issues related to electronic signatures and records. He is Chairman of the Electronic Signature and Records Association and a member of the California Bar Association. Prior to joining Adobe, he was assistant general counsel at Intuit.