We have entered the era of multi-factor verification (MFV)
Identity systems are evolving down the same pathways that authentication followed. Welcome to the era of multi-factor verification (MFV).
In the tech world, change is sometimes evolutionary, sometimes revolutionary, and often fails. Over time, technology comes and goes, and sometimes technology improves. One of the areas that has seen a lot of change is authentication. Back in the 1990s, the password was about all there was in terms of access control. There were a few variants, like a one-time password generator, perhaps even early biometrics in some sophisticated systems, but generally, a password was as good as authentication got.
However, the security professionals’ adversary, the cybercriminal, forced a rethink on authentication as the cyber war of attrition was waged. Over the years, authentication has fought back. Now, we have a much more robust approach encompassing many elements, like risk-based authentication, step-up authentication, passwordless, biometrics, and…multi-factor authentication (MFA). It’s not perfect by any means. The average person logging in will always take the path of least resistance. In the enterprise, you may have means to circumvent this, but in the consumer world, designers and developers must find best-fit models that balance the old usability vs. security conundrum.
The above preamble was a long-winded way of saying authentication has come a long way. Notably, the path taken by authentication to robustness is one that verification is now taking.
The long and winding road to multi-factor verification
I was inspired to write this article by a post I saw on LinkedIn by Glyn MacClean. Glyn’s post concerned dating apps, like Tinder. His post highlighted a Tinder profile marked as PHOTO VERIFIED.
Tinder verifies users by using a video selfie. They do offer optional document ID, but anyone who knows anything about deep fakes will understand that this won’t stop a dedicated scammer. In the case mentioned by Glyn, the Tinder account was fake but was based on a photo of a beauty influencer. The scammer behind the user profile had easily bypassed Tinder’s security, which allowed a fraudster to use someone else’s identity to create a verified profile. Glyn’s point was that identity verification, certainly on dating apps, is fatally flawed. I use the term “fatally” advisedly. Dating apps, as Glyn points out, are based on “inherent trust that goes with relationship solicitation (and) has much higher risks than banking…” This is a vital point to make. Dating is about people and relationships, something that cybercriminals excel at manipulating. Any quick Google search for stats on social engineering will throw up shocking data. I’m not even going to mention deep fakes and identity. Verification, as it is, is failing our people and our businesses. We must do better.
In the real world, social interactions use multiple variables to determine credibility and to verify the other(s) in the relationship. The evolutionary history of human interactions is a good place to start to understand what trust involves – and it is not a single-point solution like looking at someone’s face. Humans evolved to rely on trust to build cooperation in groups. Cooperative group interactions are essential for human life to thrive. These interactions are multi-faceted. On a small scale, they are usually based on kinship or familial relationships. However, on larger scales that involve strangers, humans had to devise social and moral frameworks to build trust.
We must do the same thing in the digital world.
This is where I discuss why “multi-factor verification,” or MFV for short, follows the same trajectory as authentication. This trajectory will provide a more robust way to verify people. In the real world, we often use subtle (sometimes not so subtle) clues of trustworthiness. In the digital world, we can do the same, maybe not quite as subtle, but all the same, we can apply multiple factors to verify someone, and we can step up or build risk into the decision-making. The reality of this in production is that the service must be versatile enough to pick and choose when, where, and what to use to verify someone. Of course, this is more challenging than just taking a selfie and checking it against an AI algorithm. But having a choice of factors and decisioning on when and how to apply them is essential if we want to add trust to transactions.
Multi-factor verification uses a type of identity orchestration designed to connect to various verification mechanisms. By connecting across a broad range of choices of how to verify someone, you can design identity ecosystems that work for people and reduce fraud risk. The key to all of this is the ability to make risk-based decisions. Suppose the platform is one, like Tinder, with high levels of fraud risk. In that case, the orchestration service may decide a verification event is just not good enough and will step up the verification by sending the individual to another verification check. This check may be to connect to a bank ID using open banking, a CRA check, or something else; your imagination is the only limit. In this way, verification is following in the footsteps of its cousin authentication. Adding trust to transactions is more than just a one-stop selfie shop. Trust is earned, and multiple factors may need to be considered before this trust is assured.
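The risk-based step-up decision described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; the factor weights, risk thresholds, the independent-evidence combination rule and the names `orchestrate` and `run_check` are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed assurance weights per verification factor (assumptions for illustration).
FACTOR_ASSURANCE = {
    "video_selfie": 0.35,
    "document_id": 0.30,
    "bank_id_open_banking": 0.45,
    "cra_check": 0.40,
}
# Constructed thresholds: combined assurance required per platform fraud-risk tier.
REQUIRED_ASSURANCE = {"low": 0.30, "medium": 0.55, "high": 0.75}


@dataclass
class Decision:
    verified: bool
    assurance: float
    factors_used: list = field(default_factory=list)


def combine(current, added):
    """Treat factors as independent evidence: 1 - (1 - a)(1 - b)."""
    return 1 - (1 - current) * (1 - added)


def orchestrate(platform_risk, step_up_order, run_check):
    """Step through factors until the platform's required assurance is met.

    run_check(factor) -> bool is the caller's hook into the real verification provider.
    """
    required = REQUIRED_ASSURANCE[platform_risk]
    assurance, used = 0.0, []
    for factor in step_up_order:
        if assurance >= required:
            break  # enough trust earned; do not add friction
        used.append(factor)
        if not run_check(factor):
            return Decision(False, round(assurance, 4), used)  # fail closed
        assurance = combine(assurance, FACTOR_ASSURANCE[factor])
    # Running out of factors below the threshold also fails closed.
    return Decision(assurance >= required, round(assurance, 4), used)


if __name__ == "__main__":
    order = ["video_selfie", "bank_id_open_banking", "cra_check"]
    for tier in ("low", "high"):
        print(tier, orchestrate(tier, order, lambda f: True))
    print("high, selfie only:", orchestrate("high", ["video_selfie"], lambda f: True))
```

With these constructed numbers, a low-risk platform accepts the selfie alone, while a high-risk platform rejects a selfie-only flow and verifies only after stepping up through two further checks.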