Interview | Andrew Bud, CEO at iProov

What role is iProov playing in driving the digital transformation forward? Andrew Bud, CEO at iProov shares his thoughts on the impact digital indentity verification will have on customer experience, the attack vectors iProov have identified with biometric authentication and how this vulnerability can be minimised.

What value do you place on the existence of a digital identity initiative within Financial Services?

How do you see this changing the face of digital banking? Digital identity initiatives should be about enhancing the customer experience by improving convenience whilst not compromising the growing security requirements needed to protect financial institutions from serious organised crime. Greater convenience leads to higher completion rates and better net promoter scores. Many people struggle with complex or high friction authentication requirements demanded by many financial institutions. This challenge can result in a lack of inclusivity and barriers to access. Good digital identity initiatives can combat this by providing effortless access to services, so that more types of transactions can be completed conveniently, quickly and easily on a mobile phone or other personal device. We've already seen the pandemic catapult this industry forward by many years and the trend towards a reliance on digital identity is not going to slow down.

Instances of financial crime and fraud are increasing as everything is moving digital – how can you reassure FIs that this can still be done securely?

It is essential that financial institutions provide robust and secure, yet convenient, access to digital services. And not just to today's standards, but also to tomorrow's. It is widely acknowledged that the creation and control of accounts are key tools for laundering billions in criminally and fraudulently obtained funds, therefore access to legitimate financial institutions are absolute necessities for serious organised crime and state actors. Hence the resources they are willing to apply to breaking security measures are huge. It means that acknowledging fraud as a cost of service and accepting a box ticking ‘good enough’ approach is no longer sustainable. The huge challenge for the industry is how to deliver these rapidly increasing levels of security, within the context in which digital identity verification 'first time and each’ time must be really robust, whilst at the same time delivering the convenience and inclusivity that is the core promise of digital financial services. We believe that cloud-based biometrics are the key to unlocking access to this happy combination. That’s because they can be continuously monitored and updated to deal with the changing threat landscape, whilst giving adversaries the least visibility.

What impact will digital identity verification have on customer experience? Does this outweigh the potential risks in your view?

Due to complex and demanding authentication processes, the customer experience today is often horrible and it’s getting worse. Digital identity verification has the opportunity to improve the customer experience tremendously. Enabling customers to securely transfer to financial services organisations the attributes they need, effortlessly, will be wonderful for customers. But only if the authentication process, confirming the customer’s right to those attributes, is strong and usable. Of course, if you disregard security, you can create a great experience. An industry joke about the 'I am honest' button, one click and you're done, parodies this, but that's not the way forward. The solution is to mitigate the potential risks with strong and convenient methods to ensure that a remote user is a real person, is the right person and is present right there, right now. We don't talk about ‘frictionless’, we talk about usability because academic studies have shown that during high value or high risk transactions, user trust is increased by a visible and reassuring ceremony. It's important to take account of such nuances when designing a trusted digital identity verification customer experience.

As with every security measure, biometric authentication is still subject to attacks. What are some of the attack vectors you are identifying and how can vulnerability be minimised?

Biometric authentication can deliver great advantages to customers and to organisations, however the potential attacks on biometric authentication must be clearly understood in order to deliver the highest security. Modern biometric matching technology makes spotting imposters straightforward and is a simple threat to manage. Copies, both physical and digital, of the real person's face, are the key attack vectors that must be resisted. Your face is not like a password, it is not a secret, people don’t need to steal something that in most cases is already public. What makes your face so valuable as a way of authenticating a digital identity is that the genuine article is unique. The verification of genuineness is the critical step. There are always opportunists who will use masks, photographs or high-resolution images presented on screens to attempt to gain unauthorised access. However, we are seeing increasing numbers of far more sophisticated and determined attacks. These attacks are videos, using modern deepfake technology, or replays that are injected, bypassing the camera and are indistinguishable from the genuine articles by the human eye.

The traditional belief that a human checker was the gold standard is now obsolete. Only machines can detect modern deepfake and replay attacks. Technology like iProov's Genuine Presence Assurance, with which a one-time biometric provides proven and robust defences against determined attackers, is critical. As the value of the successful attack increases, so does the amount of resource that the attackers invest to accomplish it. We're not dealing with ‘hackers in hoodies’: it’s not enough to provide a strong but static technology solution. Any solution must be actively and continuously monitored to ceaselessly search for evidence of new and evolving attack modes and potential weaknesses so that the system can combat emerging threats. Only an evolving and actively managed system can be truly resilient.

The need to strike a balance between security and usability in identity systems, is frequently discussed. But what is it that really makes a solution usable?

Usability is the fundamental business requirement of any solution, because it drives both inclusion and completion rates. There are several aspects that must be taken into account. First, it means that any solution should be user-centric and no effort such as complex instructions or actions should be expected from the user. Then it’s not equitable to demand ownership of a particular technology or device, for example restricting access only to those who have purchased a particular or high-end device. In addition, the solution can not be discriminatory. Attributes like age, gender, technical or cognitive ability, social or ethnic background must not become barriers to inclusion, and the system must not be allowed to operate with consistent bias. Usability is both an ethical and a business imperative.