How do you enroll a new user?
- The CrossChannel platform enrolls the user’s device, not the user himself
- An enrollment creates a binding between the user’s mobile device and the CrossChannel service
- A unique activation code (often a QR code) is sent to the user; presenting it triggers a cryptographic handshake between the application and the CrossChannel service. From that point onward, the user’s phone becomes a possession element.
How does the authentication process work?
- After the user is enrolled, he enters his user ID
- This triggers a push notification, which causes the mobile device to retrieve the authentication context via a secure channel
- The user crosses over to the device and authenticates with biometrics or PIN
How does the CrossChannel platform block malware?
- Short-circuits these attacks:
  - Password theft and reuse
  - Social engineering
  - Device cloning / SIM swapping
  - Malware attacks on mobile apps
  - Code injection, debugging, app repackaging
  - Friendly fraud (non-repudiation)
- The security features in the CrossChannel SDK include:
  - Cryptographic integrity
  - Device authenticity
  - App repackaging check
  - Code injection check
  - Keylogger and screen reader check
  - Overlay attack prevention
What if the user’s phone is stolen or lost?
- If the device is stolen, the bad actor would need to
  1) unlock the device
  2) bypass the CrossChannel in-app biometric authentication method on the mobile app (you cannot cancel to revert to a username/password model)
- If the device is lost, the user would need to re-enroll via remote ID verification. The process involves scanning a driver’s license for document verification, then recording a short selfie video for liveness detection and for comparing the document photo with the selfie. We are working on a recovery mechanism to restore a user’s account onto a new device
What data does CrossChannel gather about the user?
- There are only two types of PII collected: the phone’s device identifier, and GPS coordinates when an authentication or authorization is attempted (as a risk attribute, if the Client opts to collect it)
- Because the identity of the user is managed by the Client, we do not know basic personal information about the user, such as name, address, DOB, etc. Essentially, we do not know who the user is
- Over 30 risk parameters are gathered based on the Client’s configuration. This allows the Client to collect risk data to establish their own risk policies
What’s the difference between the CrossChannel platform and SMS OTP?
- OTP (one-time passcode) delivered via text message is a code that is valid for only one login session or transaction. This method of providing a second factor has been around for many years and is still commonly used in many industries
- However, in mid-2016 NIST published a notice explaining that SMS OTP should be deprecated because there are multiple ways for a malicious actor to exploit its security flaws, such as man-in-the-middle or SIM swapping attacks
- The EU no longer allows SMS OTP for banking or payments, which was a primary driver for NIST to follow suit
What’s the difference between the CrossChannel platform and the native biometric function on the device?
- The native biometric function is bound to a username/password, designed primarily for convenience. Thus, the biometric is acting as a proxy or shortcut for the username/password. A bad actor can always cancel the biometric prompt and revert to a username/password model
- The CrossChannel platform is designed to increase convenience and security. The CrossChannel method cryptographically binds the biometric to the device ID, completely eliminating the username/password model.
- The CrossChannel platform also offers a consistent experience across all service channels, whether online, in person, over the phone, on mobile, or on a kiosk. The native biometric function only works for mobile apps
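As an added illustration (not CrossChannel code, and not a description of its actual protocol), the Go model below captures the properties that the enrollment and authentication answers above, and the comparison with native biometrics, rely on: a one-time activation code binds a device-generated key to a user ID, the service keeps only the public key, every login is a signed challenge, and a cancelled local biometric/PIN check produces no response rather than a password fallback. The function names, the 16-byte code, and the choice of Ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Service-side state (assumed model): one-time activation codes and, per user id, the enrolled device's public key.
var (
	pending     = map[string]string{}            // activation code -> user id
	enrollments = map[string]ed25519.PublicKey{} // user id -> device public key; no password is stored
)
type Device struct{ priv ed25519.PrivateKey } // the key never leaves the device; a biometric/PIN check gates its use
// StartEnrollment issues the one-time activation code (the QR code in the text): 16 random bytes here.
func StartEnrollment(userID string) string {
	code := make([]byte, 16)
	if _, err := rand.Read(code); err != nil {
		panic(err) // no weaker randomness to fall back to
	}
	pending[string(code)] = userID
	return string(code)
}
// Activate runs on the device: generate the keypair and hand back only the public half.
func Activate() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv}, pub, err
}
// CompleteEnrollment consumes the code (single use) and binds the public key to the user id.
func CompleteEnrollment(code string, pub ed25519.PublicKey) bool {
	userID, ok := pending[code] // an unknown or already consumed code is rejected
	if ok {
		delete(pending, code)
		enrollments[userID] = pub
	}
	return ok
}
// Approve signs the pushed challenge only after the local check passes; a cancelled prompt fails the login, there is no password fallback.
func (d *Device) Approve(challenge []byte, localCheckPassed bool) ([]byte, error) {
	if !localCheckPassed {
		return nil, errors.New("local biometric/PIN check not passed; no fallback")
	}
	return ed25519.Sign(d.priv, challenge), nil
}
// Verify checks the response against the key enrolled for that user id (unknown ids fail, never panic).
func Verify(userID string, challenge, sig []byte) bool {
	pub, ok := enrollments[userID]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

The service never learns the private key or any password, so a stolen service database yields nothing to replay, and a response only verifies for the exact challenge it was signed over.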
What if the user is on an older phone model without biometrics, or does not own a smartphone?
- A 2019 Pew Research study estimates 81% of Americans now own a smartphone, and the number continues to climb
- The CrossChannel platform offers a PIN code option for those who cannot, or choose not to, use biometrics on their device
- For users without a smartphone, the Client will need to continue supporting users with existing techniques, such as usernames and passwords
Are biometrics accurate? Can they be spoofed or hacked?
- Defeating a biometric is far more difficult than compromising a username/password. Studies put the probability of a false match at 1 in 1,000,000 for facial and 1 in 50,000 for touch.
- The bottom line is that the combination of a cryptographically bound biometric and a secured mobile device becomes a very powerful authenticator that is both fast and secure.