Biometric authentication vs AI threats: Is mobile security ready?

Quality biometric solutions provide outstanding security with a seamless UX. This makes them appealing for use cases ranging from state-of-the-art access control for critical government infrastructure to something as routine as unlocking your phone. However, this diversity of use cases brings its own challenges. The varying needs of different applications, coupled with the speed with which the technology has developed, have created a fragmented ecosystem with little standardisation.

Many emerging use cases rely on the biometric capabilities of consumers’ own commercially available off-the-shelf (COTS) devices. The Android platform recognized this and has laid the groundwork to enfranchise device manufacturers and biometric solution vendors to create the next generation of state-of-the-art authentication products. And it does so just in time. Artificial Intelligence has transformed the biometric security battleground, and it is vital that stakeholders understand both the threats they face and the steps that must be taken to meet them head on.

The changing threat landscape.

Biometric authentication is based around using an individual’s unique identifiers such as their iris, fingerprint, or face to provide an additional data point to verify identity. When launched, it was praised for the infallibility and security it provided: biometric data was, quite literally, always ‘on hand’ for users, yet it couldn’t be lost or stolen.

Except now it can. Easily.

Artificial Intelligence, or AI, has unlocked a host of efficiencies in our lives, specifically in data management and customer experience. However, these same AI tools are also readily available to fraudsters who can use them to execute devastating attacks. For example, photos can be taken from a user’s social media and in a matter of moments be transformed into a deepfake video to be used in an injection attack that aims to spoof facial recognition technologies and gain access to private data.

Meanwhile, AI is also being used to work through extensive data caches to locate and exploit any vulnerability in a security system. This has caused a rapid expansion in both the scale and sophistication of cyberattacks. 

Stakeholders throughout the authentication ecosystem are working to adopt more robust practices. Biometrics has a key role to play in this, but only if it can be secured and trusted. The uniqueness of each individual’s biometrics, its greatest strength as an authenticator, can also be its most fundamental risk. If the data is compromised, a user cannot simply rewrite their fingerprints in the same way they change their password. It is therefore crucial that the data is protected and secure. Similarly, if a biometric solution can be easily spoofed, fraudsters can gain access to the user’s device, accounts and personal information.

An updated approach.

To meet the challenges posed by this evolving threat landscape, Android defined three classes of biometric strength for devices operating under its remit. Its Compatibility Definition Document (CDD), the requirements that each Android device must comply with if it wishes to participate in the Android ecosystem, outlines the requirements for biometric security as Class 3 (formerly known as Strong), Class 2 (formerly Weak), and Class 1 (formerly Convenience).

Devices require independent third-party testing to evaluate their Spoof Acceptance Rate (SAR) along with verification of False Acceptance Rate (FAR) and False Rejection Rate (FRR) as a part of their Biometrics Compliance Report (BCR). 

Android’s biometric requirements and the ISO/IEC 30107 standard also define Presentation Attack Detection (PAD) testing to evaluate the liveness detection capability of biometric solutions. This is a crucial step towards detecting and resisting spoofing attacks such as deepfakes and protecting end users.
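To make the three rates concrete, here is an added example (not code from the article, Android, or any test lab) that computes FAR, FRR and SAR from constructed lab attempt records, reports SAR per presentation attack instrument (PAI) species, and maps the result onto the three classes. The numeric thresholds and the "worst species wins" rule are assumptions for illustration, not values taken from the text above.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not code from the article, Android or any test lab.
# Threshold values below are assumed for illustration; the CDD is authoritative.


@dataclass(frozen=True)
class Attempt:
    kind: str          # "genuine", "impostor" or "spoof"
    accepted: bool     # did the biometric subsystem accept the presentation?
    species: str = ""  # spoofs only: presentation attack instrument (PAI) species


def make_attempts(kind: str, total: int, accepted: int, species: str = "") -> List[Attempt]:
    """Expand summary counts into individual attempt records (constructed data)."""
    return [Attempt(kind, i < accepted, species) for i in range(total)]


def evaluate(attempts: List[Attempt]) -> Dict[str, object]:
    """Return FAR, FRR, SAR per PAI species and the overall SAR (weakest species)."""
    genuine = [a for a in attempts if a.kind == "genuine"]
    impostor = [a for a in attempts if a.kind == "impostor"]
    spoofs: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        if a.kind == "spoof":
            spoofs[a.species].append(a)

    # FAR: another real person is accepted as the enrolled user.
    far = sum(a.accepted for a in impostor) / len(impostor) if impostor else None
    # FRR: the enrolled user is wrongly rejected (the usability side of the trade-off).
    frr = sum(not a.accepted for a in genuine) / len(genuine) if genuine else None
    # SAR: an artefact (printed photo, replayed deepfake, ...) is accepted.
    # Computed per species; the overall figure is the worst species (assumption).
    sar_by_species = {s: sum(a.accepted for a in lst) / len(lst) for s, lst in spoofs.items()}
    sar = max(sar_by_species.values()) if sar_by_species else None
    return {"far": far, "frr": frr, "sar": sar, "sar_by_species": sar_by_species}


# Assumed per-class limits (upper bounds); None means no bound is applied.
THRESHOLDS = {
    3: {"far": 1 / 50_000, "frr": 0.10, "sar": 0.07},  # formerly "Strong"
    2: {"far": 1 / 50_000, "frr": 0.10, "sar": 0.20},  # formerly "Weak"
    1: {"far": 1 / 50_000, "frr": 0.10, "sar": None},  # formerly "Convenience"
}


def classify(metrics: Dict[str, object]) -> Optional[int]:
    """Highest class whose limits are all met, or None if even Class 1 fails."""
    for cls in (3, 2, 1):
        met = True
        for name, limit in THRESHOLDS[cls].items():
            value = metrics[name]
            if limit is not None and (value is None or value > limit):
                met = False
        if met:
            return cls
    return None


def sample_report() -> Dict[str, object]:
    """Constructed lab results: FAR and FRR are fine, but a deepfake replay PAI leaks."""
    attempts = (
        make_attempts("genuine", 200, accepted=188)
        + make_attempts("impostor", 100_000, accepted=1)
        + make_attempts("spoof", 50, accepted=2, species="printed_photo")
        + make_attempts("spoof", 50, accepted=6, species="deepfake_replay")
    )
    metrics = evaluate(attempts)
    metrics["class"] = classify(metrics)
    return metrics
```

The constructed data set lands in Class 2 only because one PAI species (the replayed deepfake) is accepted 12% of the time, which is the kind of result a PAD test is designed to surface.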

Independent testing and compliance will raise the baseline for the minimum performance and security of biometric solutions. It requires all biometric solution providers and Android device OEMs to carefully develop their offer to ensure it meets the minimum thresholds, backed by impartial evidence. This means that authentication should work right first time for the verified user while also preventing spoofing and hacks. Not only will this help mitigate the rising threat of spoofing and fraud, it also elevates the user experience, thereby increasing trust in the biometrics ecosystem and driving its growth into additional use cases.

Adding value with testing and 3rd party validation.

The process of 3rd party evaluation against industry standards acts as a layer of trust between all players operating in the ecosystem. It should not be thought of as a tick-box exercise, but rather a continuous process to ensure compliance with the latest standards and regulatory requirements. In doing so, device manufacturers and biometric solution providers can collectively raise the bar for biometric security.

The robust testing and compliance protocols ensure that all devices and components meet standardized requirements. This is made possible by trusted and recognized labs, like Fime, who can provide OEMs and solution providers with tools and expertise to continually optimize their products.

But testing doesn’t just safeguard the ecosystem; it elevates it. As an example, new techniques test for bias across demographic groups or environmental conditions. Using or simulating different demographic groups or environmental conditions allows testers to discover any differential performance. Bias detection can prevent security issues in real-life deployments. It also allows solution providers to optimize the quality and inclusivity of their solutions to meet the needs of more markets and differentiate themselves from the competition.

Building for the future.

We have reached a critical moment for the future of biometric authentication. The success of the technology is predicated on the continued growth in its adoption, but with AI giving fraudsters the tools they need to transform the threat landscape at a faster pace than ever before, it is essential that biometric solution providers stay one step ahead to retain and grow user trust. Stakeholders must therefore focus on one key question:

Can the user trust that they are not sacrificing security for convenience when using biometric authentication?

Product managers must make sure that the performance of their biometric offer balances these two seemingly contradictory demands, but if successful, there are a whole host of emerging use cases that could unlock new revenue streams for them. These include biometric-backed in-store checkout, enhanced access control, augmented automotive experiences, and more.

Another significant trend on the horizon is the increasing use of biometrics in identity verification for eID and eKYC use cases. Digital identity is offering a faster, more secure way to verify identity in the online world. Biometrics can provide a simple, seamless way to augment the enrollment and verification process for this, but, much like in the payments ecosystem, its success depends on the implementation of state-of-the-art solutions throughout the user journey.

Compliance and quality validation are no longer optional. They are essential to protecting end users, preserving brand integrity, enabling innovation, and safeguarding the future of biometric technology.

The Evolving Role of Digital Wallets and Consult Hyperion’s Expertise in Driving Innovation.

Digital wallets are transforming how we pay, interact, and secure our digital identities. As smartphones become indispensable, consumers worldwide are using digital wallets for transactions, peer-to-peer payments, and even managing digital identities like driver’s licenses and health credentials. However, behind the convenience of digital wallets lies a complex network of technology, security, and regulatory challenges.

At Consult Hyperion, we specialize in navigating these challenges, using our expertise at the intersection of identity, payments, and cybersecurity to help clients innovate securely and effectively in the digital wallet space.

Digital Wallets: Expanding Beyond Payments

While digital wallets initially gained traction as payment tools, they have evolved into multi-functional platforms that can store not only debit and credit cards but also digital identities, health passes, travel documents, loyalty cards, and more. Wallets are increasingly integral to the digital identity ecosystem, empowering people to prove who they are, access services seamlessly, and control their personal data with security and transparency.

One emerging trend is the integration of mobile driver’s licenses (mDLs) into digital wallets. As mDLs gain adoption, digital wallets can provide a secure, portable means of identity verification, allowing users to authenticate their identities for various purposes while retaining control over their personal information.

Regional Approaches: United States, Europe and Australia

The adoption of mDLs into digital wallets varies significantly across regions, influenced by differing regulatory environments, market demand, and technological infrastructure. Here’s how digital wallet innovation and mDL adoption are evolving across North America, Europe, and Australia.

United States

The U.S. has been at the forefront of mDL adoption with several state DMVs already rolling out mDLs and several others with programs underway. These digital credentials are starting to be accepted for in-person use cases such as domestic air travel and liquor purchases. And going forwards, they will also be accepted online. Like physical driver’s licences, mDLs will have a lot of utility.

Many states are choosing to work with the large platform wallets, like Apple Wallet and Google Wallet, issuing mDL credentials into the wallets consumers already have. Those wallets are increasingly becoming “digital hubs” where users can store a variety of credentials. But this is not the only solution. Some states have also launched mDL specific apps. These provide consumers with the option of a standalone mobile driver’s licence.

In the middle of all this progress is the American Association of Motor Vehicle Administrators (AAMVA) which is playing an important role coordinating stakeholders and promoting standardized and interoperable approaches.

Europe

Some European countries have local proprietary mobile driving licences…

In the EU, the eIDAS 2.0 regulation requires each country in the EU to provide at least one digital wallet to its citizens, residents and businesses. Those wallets will be required to support the ISO 18013 standard that underpins mDLs. In parallel, the EU plans to make driving licences mobile by default.

The situation is however complex.

• The EU is developing a rich but complex wallet architecture, of which support for mDL is just one part.
• There will be many wallets, which will require robust certification processes if interoperability is to be achieved.
• The role of OEMs is unclear: will they provide wallets themselves, or the secure technology that supports wallets running over the top?

The EU wants all of this to come together over the next couple of years, which seems very ambitious.

So whilst wallets look set to play an important role in the EU digital economy, it will be some time before they provide the straightforward utility of US mDLs.

Australia

Australia has also been a leader in mobile driver’s licences, with several states issuing them.

Austroads, an intergovernmental organization, is driving the development and standardization of mDLs in Australia. They are working with state and territory governments to develop a consistent framework for mDLs, ensuring interoperability and security. This includes alignment with both ISO 18013 (mDL) and the more generic ISO 23220 (mDoc). This should allow the mDL apps issued in Australia to hold other digital credentials in the future. So instead of issuing mDLs into wallets, the mDL will become the wallet.

Austroads is going one step further by building a “Digital Trust Service”, providing the means to check the authenticity of the issuers of digital credentials held in those “mDL wallets”.

The Core Elements of Digital Wallet Success

Digital wallets that can hold both payment credentials and other digital credentials will have huge utility. They will increase convenience, reduce fraud and improve privacy.

Successfully implementing and scaling digital wallets requires expertise in several key areas:

  1. Security: Security is crucial when handling sensitive information such as cryptographic keys, payment details or digital identity credentials. Consult Hyperion has decades of experience of building and testing secure payments services with expertise in strong cryptography, mobile application security and tokenization.
  2. Identity: Digital wallets often serve as digital IDs. Users can store verifiable credentials, such as mDLs or health passes, giving them control over personal data. Integrating these digital identity solutions requires navigating regulatory frameworks and ensuring interoperability with existing systems. At Consult Hyperion, we leverage our deep knowledge of standards like Decentralized Identifiers (DIDs) and Verifiable Credentials to design privacy-protective and compliant solutions.
  3. Payments: Wallets gained popularity as payment solutions, and understanding payment intricacies is essential. This includes managing multiple payment types and adhering to regional regulations. Our expertise spans EMV, contactless, and real-time payment systems, enabling us to help clients integrate and scale secure wallet-based payments globally.

Why Consult Hyperion?

Our ability to bridge the gap between theory and real-world application makes us a trusted advisor for organizations building digital wallets. Our expertise encompasses:

  1. Strategic Partnerships and Innovation: Trusted by financial institutions, tech companies, and governments, we’ve helped design systems that meet stringent security, usability, and regulatory standards. We understand the strategic goals behind digital wallet projects, allowing us to guide clients in creating solutions aligned with long-term objectives.
  2. Deep Technical Knowledge: Our technical expertise across identity, payments, and cybersecurity enables us to develop robust solutions, from designing secure protocols to implementing advanced authentication methods.
  3. Proven Track Record: Our history of delivering projects in both private and public sectors demonstrates our ability to execute at scale. Clients rely on us for our technical capabilities, dedication to quality, and innovative approach.

The Future of Digital Wallets: Shaping the Next Generation

Digital wallets are evolving with advances in biometric security, decentralized identity, and blockchain technology. As wallets move beyond payments, businesses must adapt to new standards for security, privacy, and user experience. Apple, Google, and government-led solutions worldwide are positioning themselves as leaders in the wallet space, each bringing unique strengths to the ecosystem.
Consult Hyperion remains at the cutting edge, helping organizations navigate this dynamic landscape. Whether you’re looking to launch a new digital wallet, expand an existing platform, or secure sensitive data, we offer the expertise and insight needed to support your goals.

Final Thoughts

Digital wallets are becoming vital gateways to secure payments and digital identities across the world. At Consult Hyperion, we’re excited to help shape this future, enabling our clients to create secure, compliant, and user-centric solutions. With our expertise in identity, payments, and cybersecurity, we look forward to partnering with organizations worldwide that share our vision for a secure, interconnected digital world.

Slower Payments?

I’ve just received a cheery email from my credit card provider entitled, “We’re improving your fraud protection.” I assume it is from them: it arrived amongst a barrage of emails telling me not to believe what I read in emails. When online scamming was in its infancy, you could spot the difference but, as fraudsters’ skills, use of AI and sophistication have developed, nobody really can any more.

It is important to remember that this is an equal opportunities form of fraud. You don’t have to be online. You don’t even need a mobile phone. If you have a UK bank account and a phone number, the scammers will delight in using their social engineering skills to extract your life’s savings.

In the communication I’ve received, beyond all the good news about the generosity of the bank, there is a brief mention of the Payment Systems Regulator (PSR) [1]. Apparently, they require all Authorised Push Payment (APP) transactions to be subject to a refund within 5 working days if they are found to be fraudulent. This applies to payments over both Faster Payments and CHAPS. There are exceptions to this, for example where the customer is grossly negligent and not considered vulnerable [2].

There is also a ceiling set on the amount. This was initially announced as £415k but, due to strong resistance from the banks, is now set at £85k. The PSR state that this will cover 99% of APP claims. It happens to be the same amount as individuals can claim for lost savings under the Financial Services Compensation Scheme [3], should their bank become insolvent.

In the early days, Faster Payments was a rather unpredictable experience but, as it has scaled, many of the creases have been ironed out. Confirmation of Payee has helped to ensure that the payment reaches the intended beneficiary. It can take a couple of attempts to get it right, e.g. a dog walker may appear as Wendy’s Walkies, under the name of the owner Wendy Walker, and as a business account or a personal account. Still, if you have the correct sort code and account number, things tend to fall into place.

My bank has sent me a similar email, telling me to be wary around One Time Passwords (OTPs) and referring me to the Take Five To Stop Fraud [4] website. Again, it looks plausible and the advice is not unreasonable. It is, however, disappointing that there seems to be very little discussion of mutual authentication these days.

One aspect of the new regime is that all Payment Service Providers (PSPs) must be registered with Pay.UK. Both receiving PSPs and sending PSPs can be liable for any APP fraud. This is a significant departure from the existing regime, where the burden tends to fall on the sending PSP.

Losses due to APP scams are estimated at nearly £500m [5] annually. UK Finance [6] has identified factors which contribute to APP fraud, one of which is perceived urgency in dealing with a situation. While Faster Payments provides real convenience, the transactions are not reversible and so it has become a honey pot for thieves. Once money is transferred to a fraudulent account, it can be sent on to multiple accounts, sometimes with the assistance of money mules, either in the UK or overseas.

Frequently, by the time the fraud is investigated, the money is long gone. In response to this, PSPs are permitted to introduce a delay into the processing of payments. In principle, where a payment appears suspicious, they can put in place a pause of up to four days [7]. Clearly, this has serious implications for transactions such as conveyancing, where a housing chain requires everyone to complete on the same day. Even in simple situations, like paying a credit card bill, delays can result in the cardholder having to pay additional charges and interest.

While it is positive to see the challenges of APP fraud being addressed, it will be interesting to see how these significant changes to the payments landscape play out over the coming months. Activities such as intelligence sharing, risk-scoring and real-time screening [8] will remain central to tackling fraud.

It is interesting to note that in other countries where approaches to Open Banking are being explored, the focus tends to be on data sharing rather than payment initiation. For example, in the US, the Consumer Financial Protection Bureau [9] (CFPB) is working to open up data sharing, to promote innovation in financial services.

References

[1] https://www.psr.org.uk/news-and-updates/latest-news/news/psr-confirms-its-decision-on-app-scams-reimbursement/
[2] https://www.psr.org.uk/media/tbbdhkcx/sr1-consumer-standard-of-caution-exception-dec-2023.pdf
[3] https://www.fscs.org.uk/what-we-cover/banks-building-societies-credit-unions/
[4] https://www.takefive-stopfraud.org.uk/
[5] https://www.psr.org.uk/our-work/app-scams/#:~:text=Every%20year%20thousands%20of%20individuals,to%20APP%20scams%20in%202023.
[6] https://www.ukfinance.org.uk/news-and-insight/blog/how-understanding-human-behaviour-key-effective-prevention-app-fraud
[7] https://www.bbc.co.uk/news/articles/cn7yel28rx6o
[8] https://www.synectics-solutions.com/our-thinking/why-your-app-scam-strategy-must-not-be-swayed-by-the-reimbursement-limit-update
[9] https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-process-to-recognize-open-banking-standards/

Identity in the Metaverse


I had the privilege to chair a discussion about identity in the metaverse at the Identiverse conference in Denver in June 2022, and had great fun discussing the new landscape for identity with Heather Vescent, Jonathan Howle, Katryna Dow and Gopal Padinjaruveetil. In order to frame my thoughts and get the discussion about identity and privacy going, I needed a mental model.

What Exactly Is A Smart Wallet?


A wallet is a way of organising things. My Apple Wallet, just like my real wallet, doesn’t have any cash in it. It has credit cards, debit cards, loyalty cards, vaccination records, boarding passes, train tickets and driving licences (Apple have just gone live with their driving licence and state ID in Arizona). These things are all held independently in the wallet: they don’t talk to each other and they don’t share data with each other. They are also, as you will have noticed, mostly about identity, not money.

Biometrics on Cards

Improving Cardholder Authentication

On-card fingerprint readers have been in development for a few years now, with a number of products now in market from vendors such as Fingerprint Cards, Zwipe, Idemia and G+D.

Safer Internet Day 2022 – It’s all about you!


For Safer Internet Day, I thought I’d bring a Mediterranean theme. As a classicist, I frequently switch between ancient and modern, applying time-tested principles to emerging technologies. Plato had it right on data protection: the price of not participating in public life is to be ruled by less able men.

Can Current Technology Deliver Secure Mobile Voting Solutions?


Insecure technology is regularly cited as a barrier to the use of online voting systems, in particular when casting your vote through your mobile phone rather than putting your cross on a piece of paper and putting it in a box at the polling station or mailbox. At the same time, those detractors trust the same mobile technology to place stock trades, initiate high-value payments and, more recently, access their health records.

Be on the smart side of the Great Reset


Human society is now at a crossroads – demanding changes in our lifestyle, health choices, economics, and civil liberties. These changes are accelerated by climate change, the political response to the pandemic, the need for racial and gender equality, human migration, and of course, a few breakthrough technologies such as digital automation, data analytics, and machine learning (AI). So where are we heading? The call for a “Great Reset” has been reverberating for the past few years and is now getting louder and louder. This was the topic of the virtual fireside chat by two visionaries on our Tomorrow’s Transactions webinar, Brett King and Dave Birch, discussing the societal and technological changes that are foreseen in the next few decades. This conversation was centered around Brett King’s (Richard Petty, co-author) book, “The Rise of Technosocialism”, and aligns with Consult Hyperion’s engagement with think tanks on global issues. Our aim is to separate foresight and facts from fiction in trying to understand the trends in the market that our clients should watch out for, especially in payments, banking, transit, digital identity, and information security.
