In terms of UX, an instant signup/sign-in by looking at a camera looks smoother than SMSs with one-time passwords or verification emails. But either option can be a part of a multi-factor authentication procedure.
In this post, we’ll define multi-factor authentication and explain why face biometrics is essential and secure for the process.
Let’s start.
What does “factor” mean in MFA?
There are two options in digital user authentication: single-factor authentication (SFA) and multi-factor authentication (MFA). In both scenarios, a factor is an opener for an account.
A password (one factor) to log in is the most popular SFA example related to online stores, educational platforms, and service companies. Businesses in Banking and Healthcare that handle sensitive data go for MFA, since they operate under stringent security regulations. For instance, accessing a bank app may include login credentials (the first factor) and an authentication code sent by SMS (the second factor).
You can put all existing factors into three baskets:
Knowledge—Something the user knows: a password, maiden name, secret word, etc.
Possession—Something the user has: a one-time password (OTP) sent to their device via SMS, an email with a verification code, etc.
Biometrics—Something the user is: voice, fingerprint, face, etc.
When implementing MFA into a security ecosystem, businesses can combine two or more factors. As a result, you may deal with two-factor or three-factor authentication.
Typically, knowledge-based factors are mixed with possession factors. However, many industries, including Transportation, Telecom, Government, and Healthcare, are switching to biometrics. As biometric technology is accessible, time-effective, and free from typo-related issues, it seems to be a good trade-off between UX and security.
What biometrics are used in MFA?
User characteristics involved in the identity verification flow include behavioral and morphological identifiers.
Behavioral traits describe an individual’s nature: their voice, signature, and keystroke dynamics. Since people behave differently in various conditions, these characteristics may change accordingly. For instance, your voice can become hoarse under stress or anxiety.
That’s why behavioral biometric systems are also called dynamic. They apply to cases that do not require high-level security checks: a voiceprint can be an authenticator during customer support calls or a key to control IoT home devices.
Morphological identifiers like the eye iris, fingerprints, and face are more stable and immutable. Your fingerprints and facial features won’t change when you are thrilled or disappointed. They are static, which makes them more reliable as authenticators. For example, face recognition is often one of the identity verification steps for bank customers and airline passengers. It is also one of the most commonly used biometric factors in MFA.
While iris identification is not yet the most widespread authentication method, biometric face recognition is part of a daily routine for many users. They do it when unlocking their smartphones, boarding to travel, or accessing their funds.
Technically, the process takes just a couple of steps and is performed in seconds. The user takes a selfie or records their face in motion, such as turning or tilting their head, with a mobile device or webcam. This shot is compared to the photo in their ID or in a database. Behind the scenes, face attributes and image quality are evaluated, including liveness. Once all the security boxes are checked, the user is identified as authentic and can access the services.
Reasons to make face biometrics part of your MFA strategy
The penetration of technology into everyday life is one of the reasons why businesses are adopting it. Regula’s global survey found that 56% of respondents trust biometric face recognition as an identity verification method, including Aviation (46%), Banking (57%), and Fintech (62%) companies.
And here are more pro arguments:
1. Detect impersonation fraud
Despite deepfakes being on the rise, adding the facial recognition component to identity verification is one of the most advanced ways to prevent unauthorized access to your system.
Once a customer is verified as genuine on your platform, a unique digital profile of their face is created in your database. Usually, it is not a regular image or photo, but a depersonalized biometric template describing unique facial features. Next time, the software may match new selfies with this template to quickly authenticate the registered user without storing these photos.
Using face biometrics in MFA helps you prevent account takeover fraud. Scammers can steal knowledge-based authenticators like passwords or secret words. They can also gain access to OTPs, PINs, or verification links with social engineering techniques. However, unlike the voice, which scammers can skillfully forge, fake photos (and even deepfakes) generally fail a thorough liveness test.
The liveness check is an integral part of a robust face recognition solution like Regula Face SDK. It employs AI and machine learning to determine whether a presenter is a real person, not a spoof or fake. During the test, the software considers dozens of parameters to reveal the presence of photo printing, video replays, silicone masks, 3D printed heads, and other fraudulent tricks to break into the system.
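The account-takeover argument above as a decision procedure, in an added example that is not Regula's code or API: a login passes only when the password is correct, the capture passes liveness, and its feature vector matches the stored template. The Capture type, both thresholds, and the 4-dimensional sample vectors are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Assumed thresholds for illustration; real ones are tuned per model.
LIVENESS_MIN = 0.90
MATCH_MIN = 0.80

@dataclass
class Capture:
    embedding: list   # feature vector from a face model (assumed to exist)
    liveness: float   # 0..1 score from a liveness detector (assumed to exist)

def _norm(v):
    return math.sqrt(sum(x * x for x in v))

def enroll(capture):
    """Return the template to store: a unit-length feature vector, not the photo."""
    n = _norm(capture.embedding)
    if capture.liveness < LIVENESS_MIN or n == 0:
        raise ValueError("enrollment rejected")
    return [x / n for x in capture.embedding]

def verify_face(template, capture):
    """Biometric factor. Liveness gates the match, so a perfect replay still fails."""
    if capture.liveness < LIVENESS_MIN:
        return False, "liveness_failed"
    n = _norm(capture.embedding)
    if n == 0 or len(capture.embedding) != len(template):
        return False, "bad_capture"
    score = sum(t * x for t, x in zip(template, capture.embedding)) / n  # cosine
    return (True, "match") if score >= MATCH_MIN else (False, "no_match")

def mfa_decision(password_ok, template, capture):
    """Knowledge factor AND biometric factor; one passing never offsets the other."""
    face_ok, reason = verify_face(template, capture)
    if not password_ok:
        return False, "password_failed"
    return face_ok, reason

# Constructed sample data (4-dimensional vectors; real embeddings are much longer).
TEMPLATE = enroll(Capture([0.12, 0.80, 0.35, 0.46], 0.98))
GENUINE = Capture([0.10, 0.82, 0.33, 0.44], 0.97)    # same person, new selfie
REPLAY = Capture([0.12, 0.80, 0.35, 0.46], 0.15)     # stolen photo held to camera
IMPOSTOR = Capture([0.90, 0.05, 0.40, 0.10], 0.96)   # live, but a different face

if __name__ == "__main__":
    for name, cap in [("genuine", GENUINE), ("replay", REPLAY), ("impostor", IMPOSTOR)]:
        print(name, mfa_decision(True, TEMPLATE, cap))
    print("wrong password:", mfa_decision(False, TEMPLATE, GENUINE))
```

The replay case is the one to watch in logs: the attacker holds a valid password and a photo that matches the template exactly, and the only control that stops the login is the liveness gate.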
2. Authenticate customers more accurately
Face recognition algorithms have near-perfect accuracy—in ideal conditions, such systems can achieve a 99.97% accuracy score in face matching when a user’s photo is compared to their reference image. In the field, however, this rate is lower. A user's selfie may be inconsistent in lighting and positioning. An obscured shot with blurry facial features makes verification difficult. That being said, algorithms can still empower you to improve the accuracy of the checks compared to a manual flow, but you need to be picky about the solution you want to use.
Your solution should perform image quality assessment and, if necessary, correct defects in the original shot during the face recognition part of MFA. Otherwise, the system will require the user to retake the photo over and over again, but nobody will be happy with taking more selfies.
For example, Regula Face SDK guides you through the selfie and liveness process. It also compares the newest selfie against the biometric template stored in the database, or matches a user’s shot with their ID photo when it's the first contact. Morphological attributes—new hairstyle, mustache, or glasses—don’t impact the accuracy check since the solution algorithms consider such changes during face matching. The software also evaluates original image quality based on 45 parameters. This is critical at the enrollment stage when you need to get a high-res, clear photo sample to make a biometric template for later comparisons. You can customize any of these parameters or choose default settings for specific document types.
3. Improve user experience
You can boost customer loyalty by providing users with contactless and paperless authentication, especially at physical locations like airports, casinos, and sports and exhibition venues. People don’t want to spend their time in lines or touch pens, terminals, and other equipment in public spaces—a post-pandemic habit.
A face recognition system doesn’t require any contact with the person. Once a user’s ID document is verified and added to your system during registration, all you need is a camera, so it is possible to use a customer’s smartphone, web camera, or standalone kiosk as an authentication point.
For example, Delta Air Lines and Los Angeles World Airports consider the technology a crucial part of the modernization of their facilities. They plan to introduce new terminals with a biometric face recognition module next year to enable passengers to check bags completely hands-free through the use of their digital identity.
The technology is also successfully used in remote customer onboarding scenarios. UBS, the world's largest private bank, added a biometric check involving face matching to their new user journey. Regula Face SDK compares the document portrait (both the visible one and the one in the RFID chip) with the selfie to ensure the person is who they claim to be. As a result, customers can access their freshly created bank accounts remotely in a couple of minutes.
4. Decrease customer support costs
Living in an age with tons of data to remember, people forget their credentials regularly. According to Gartner, 20 to 50% of all IT support calls are for password resets. Unfortunately, this is a recurring problem. A recent survey from LastPass revealed that 57% of users forget the password immediately after resetting it.
When you have thousands of users onboard, this may turn your high-skilled support team into a remember-my-forgotten-password squad. What’s worse, the few customers with more complex queries will have to wait in line while your team is busy resetting passwords.
Since the cost per ticket ranges from $15 to $37 across different help desk channels, you can calculate how much you could cut expenses by using biometrics in MFA.
5. Address the password hygiene issue
Users are careless when it comes to passwords. Qwerty, 123456, and similarly weak options are at the top of the most popular password list year after year. Moreover, many people don’t change default passwords, and use the same password for accounts on different platforms.
Since phishing, scams, and poor password hygiene continue to pose a risk to users, more companies adopt technologies that bring us closer to a passwordless future. This concept implies single passkeys/openers backed by biometrics to sign in anywhere on the internet.
With Google at the forefront of the idea, businesses should expect more users to choose this authentication method of accessing platforms. It is better to start making changes now.
Why choose Regula when implementing face biometrics in MFA?
Regula Document Reader SDK with Regula Face SDK as a module for thorough biometric checks is a one-stop shop for organizations from different industries.
Regula’s biometric technology includes all the critical components to build a smooth and secure MFA flow:
Cross-platform availability enables you to deploy Regula’s facial recognition unit for digital onboarding or on-site checks. That means you can easily integrate the module at any entry point inside your system: a physical location, mobile device, or desktop station.
Automatic face capture helps users to take a good shot in one go. It enables them to obtain an original image in the correct lighting and from the right angle to create a precise biometric template.
The liveness test guarantees that only real individuals will access your service. It enhances the accuracy of your enrollment process and makes it more resistant to fraud.
Face matching allows you to compare a user's selfie to a portrait from their identity document, an RFID chip, and an external photo from your database, so you can be sure that it is the same person in different images.
The on-premise solution processes data directly on your server, no matter what device a customer uses to complete authentication. This adds another security layer to your system and helps prevent presentation attacks involving deepfakes and pre-recorded live sessions transmitted from third-party sources.
Request a demo to see more capabilities.