CrossChannel FAQ

How do you enroll a new user?

The CrossChannel platform enrolls the user’s device, not the user himself
An enrollment creates a binding between the user’s mobile device and the CrossChannel service
A unique activation code (often a QR code) is sent to the user, which creates a complex cryptographic handshake between the application and the CrossChannel service. From that point onward, the user’s phone becomes a possession element.

After the user is enrolled, he inputs his user id
This triggers a push notification which causes the mobile device to retrieve the authentication context via a secure channel
The user crosses over to the device and authenticates with biometrics or PIN

* some security features are add-ons

If the device is stolen, the bad actor would need to
1. 1) unlock the device
2. 2) bypass the CrossChannel in-app biometric authentication method on the mobile app (you cannot cancel to revert to a username/password model)
If the device is lost, the user would need to re-enroll via remote ID verification. The process involves scanning a driver’s license for document verification, then taking a quick selfie video for liveness detection and to compare the document picture with the selfie
If the device is lost, the user would need to re-enroll. We are working on a recovery mechanism to restore a user’s account onto a new device

There are only two types of PII collected: Phone Device Identifer and GPS coordinates when an authentication or authorization is attempted (as a risk attribute if the Client opts to collect it)
Because the identity of the user is managed by the Client, we do not know basic personal information about the user, such as name, address, DOB, etc. Essentially, we do not know who the user is
Over 30 risk parameters are gathered based on the Client’s configuration. This allows the Client to collect risk data to establish their own risk policies

OTP (one time passcode) delivered via text message is a code that is valid for only one login session or transaction. This method of providing a second factor has been around for many years and is still commonly used in many industries
However, in mid 2016 NIST published a notice explaining that SMS OTP should be deprecated because there are multiple ways for a malicious actor to exploit the security flaws, such as man in the middle or SIM swapping attacks
The EU no longer allows SMS OTP for banking or payments, which was a primary driver for NIST to follow suit

The native biometric function is bound to a username/password, designed primarily for convenience. Thus, the biometric is acting as a proxy or shortcut for the username/password. A bad actor can always cancel the biometric prompt and revert to a username/password model
The CrossChannel platform is designed to increase convenience and security. The CrossChannel method cryptographically binds the biometric to the device ID, completely eliminating the username/password model.
The CrossChannel platform also offers a consistent experience across all service channels, whether online, in person, over the phone, on mobile, or on a kiosk. The native biometric function only works for mobile apps

A 2019 Pew Research study estimates 81% of Americans now own a smartphone, and the number continues to climb
The CrossChannel platform offers a PIN code option for those who do not, or choose not, to use biometrics on their device
For users without a smartphone, the Client will need to continue supporting users with existing techniques, such as usernames and passwords

The probability of hacking a biometric is far more difficult than a username/password. Studies calculate the probability as 1 in 1,000,000 for facial and 1 in 50,000 for touch.
The bottom line is a combination of a cryptographically-bound biometric, and a secured mobile device, becomes a very powerful authenticator that is both fast and secure.