Authentication Is Done. What About Identification?by Fintechnews Middle East 17. December 2020
Airome Technologies, a Singapore-based developer of cybersecurity solutions for digital banking and e-document management systems, has been working with authentication and transaction confirmation technologies for a while, creating advanced products in this field. However, with the pandemic situation the company has faced a new challenge as to how to personalise a user’s device to enable them to authenticate in this new normal.
As Airome Technologies works with critical data, they need to use more than just passwords to authenticate a user. It is essential to provide strong cryptographic authentication with key distribution schemes. For an example, a standard case for such technologies could be visiting some authority personally; it could be the bank’s branch office, certification authority for public key infrastructure (PKI) purposes or customer service.
According to security tutorials, there are three mechanisms to work with your user: Identification where you meet your client, authentication, authorisation which is usually on the application level.
These mechanisms work from the top to the end of the list, where you cannot authorise your user without authenticating them, and you cannot authenticate a user without first identifying them.
The CTO of Airome Technologies, Pavel Melnichenko said that during the pandemic the company realised that their solutions only covered the second step as they work with applications, where they identify a user themselves. After the identification step, an application can be personalised according to a user’s device with an authentication factor, which is a private key in Airome’s case, and authenticate the user for the future.
During the pandemic, Airome’s banking customer’s needs became different as they needed to identify users with personalised devices.
This request was timely as Airome’s customers (banks, fintech startups, logistics and insurance providers) did not have the option to meet their users face to face to identify them. Thus, it is evident that this pandemic became a catalyst to move identification from offline to online.
Even though many solutions in the ASEAN market called themselves digital or electronic know your client (KYC), their solutions mostly covers the identification step only. Airome’s eKYC PayConfirm solution covers the authentication step. Advanced application holders and developers can combine eKYC and multi-factor authentication distribution in their applications, but this will lead to added workload for developers and, as a result, increased costs. The result will turn out to be a multi-vendor solution, which it is harder for either banks or fintechs to support.
“For us, conclusion was evident, we should try to combine eKYC and personalisation process for authentication purposes together. The resulting solution will cover two of the most sensitive and complicated steps in remote interaction with a user, identification and authentication.”
highlighted Pavel Melnichenko, CTO of Airome Technologies.
Moreover, the outcome of identification will be a user who is completely ready for online communications with the user’s record in an application and the device personalised to authenticate the user and their transactions.
Before we started, we formulated the essential requirements for a digital identification process (eKYC). Here is a list of them:
- eKYC must be performed with user’s mobile device only;
- The onboarding process must be as simple as possible;
- eKYC must verify if there is a live user in front of the mobile device (e.g. liveness detection);
- The application will request the user’s selfie;
- Users need to provide an identification document with their name, age and other required details;
- The identification document must contain a photo for comparison with a selfie to ensure that it is the user’s document;
- Recognition of the fields in the document;
- Verification that the document is not a fake;
- The document needs to be verified by external sources such as governmental databases, black-lists, police databases and more;
- After successful data collection, we have to provide an initial key set to the user’s device to start the personalisation process for authentication in future, and do this securely.
Remote identification actually includes a set of complicated technologies based on mobile development, video analysis (liveness), face recognition (compare liveness, selfie and ID documents), optical character recognition, image’s integrity checks, government integration and a set of security mechanisms to finish the personalisation. The most important thing is that it must be very easy for the end users.
“By looking ahead, I can tell that we have accomplished our vision with the PayConfirm platform. The onboarding process for any bank’s user will take about 20 seconds and seem very simple. As a result, the user will have completely fulfilled the record in target application and device to control their actions (authentication and transactions confirmation). Application holder can be sure that a user has passed all of the security checks, and the user’s data is correct. And most importantly, we can do all of this remotely.”