Multi-factor Authentication in Finance – Banking Transactions

Dec 19, 2024

The explosion of digital transactions in Banking – Finance

In Vietnam, all socio-economic activities will inevitably follow the current global trend of traditional (over-the-counter) transactions giving way to digital transactions. As the backbone of the economy, the finance and banking sectors must transition to digitalization as quickly as possible to support a more robust national digital transformation process.

The State Bank (SBV) released statistics indicating that in 2022, there were almost 48% more transactions through the Internet Banking channel than in 2021, with a value increase of over 1,328%, from VND 811,717 billion to VND 10,868,458 billion; additionally, there were 100% more transactions through Mobile Banking. Up to 8 million transactions on average were conducted every day by the end of 2023, with a total transaction value of over VND 900,000 billion or USD 40 billion.

Network security and safety concerns become more complex as digital transaction services are implemented. The frequency of cyberattacks linked to banking and finance is rising along with the level of damage. The reason is that hackers target industries with high transaction values, like finance and banking, to make illicit earnings. As a result, organizations in these sectors must always be cautious about network security threats and dangers. According to statistics provided by the Ministry of Information and Communications, in the first 11 months of 2023 Vietnamese Internet users reported almost 16,000 fraud cases through warning systems, of which over 91% were fraud warnings in the finance and banking sector.

Single-factor and multi-factor identity authentication

Identity authentication is the process of verifying the legitimacy of a service user. The purpose of this verification is to prevent impersonators from gaining unauthorized access to services that they are not allowed to use.

Building a set of representative user characteristics that corresponds to the matching set of real users is a prerequisite for identity authentication. In digital transaction services, the interactive process is carried out through the users' representative characteristics rather than by the users themselves. Identity authentication must therefore guarantee that no one else can replicate a person’s unique characteristics.

In single-factor identity authentication, a user’s identity is linked to a password that only the user knows. When using the service, the user provides an identity and password to the system. The identity and password are compared to the matching stored identity and password set by the system. If the information is accurate, the user is successfully authenticated and given access to the service based on the system’s authorization.

Since the password is the only factor, it is easy for someone else to impersonate a user if the password is revealed. Additionally, the system itself needs an operating mechanism to ensure that passwords remain secret when they are stored or sent over a network. To make the authentication process harder to falsify, we add a new, user-specific factor to the password. This factor is of a completely different kind from the first, which gives two-factor authentication. To be more secure, we use a third factor in addition to the first two, which gives three-factor authentication. An authentication process that uses two or more factors is called multi-factor authentication. For multi-factor authentication to be effective, the user-specific factors chosen must be distinct from one another and devoid of any similarities.

Multi-factor authentication often includes the following types of factors:

  • First factor: Password or personal identification number (PIN). You need to select a PIN or password that is difficult for other people to figure out.
  • Second factor: An item, like a smart card, that is unique to the authorized user, is typically carried with them, and cannot be duplicated.
  • Third factor: Biometric characteristics unique to the individual user, such as voice, face, iris, or fingerprint.
  • Fourth factor: The user's location, determined accurately and unambiguously. For computers, this is the IP address.
  • Fifth factor: User behavior, such as touches and movements (for example, pattern passwords).
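
The two requirements stated above (passwords must stay secret in storage, and the factors combined must be of different types) can be sketched as follows. This is an added example, not code from the original article or from FPT IS; the function names, the PBKDF2 iteration count and the factor-name mapping are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def enroll_password(password: str) -> dict:
    """Keep only a random salt and the derived digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

# Hypothetical mapping of factor names to the five factor types listed above.
FACTOR_TYPE = {
    "password": "knowledge", "pin": "knowledge",
    "smart_card": "possession",
    "face": "biometric", "fingerprint": "biometric",
    "ip_address": "location",
    "pattern": "behavior",
}

def mfa_satisfied(verified_factors: set, required_types: int = 2) -> bool:
    """Count distinct factor types: password + PIN is still one factor."""
    unknown = verified_factors - set(FACTOR_TYPE)
    if unknown:
        raise ValueError(f"unrecognized factor(s): {sorted(unknown)}")
    types = {FACTOR_TYPE[name] for name in verified_factors}
    return len(types) >= required_types

def authenticate(record: dict, password: str, other_verified: set) -> bool:
    """The password must verify, and all factors must span enough types."""
    if not verify_password(record, password):
        return False
    return mfa_satisfied({"password"} | other_verified)
```
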

Biometric authentication

A biometric authentication system is based on “who you are”. Compared to “what you know or have” authentication, it offers numerous advantages. Biometric solutions, for example, can eliminate the inconvenience of having to memorize lengthy passwords or of losing tokens. Biometric authentication has become a commonly used and reliable method of access control.

The biometric authentication model includes two stages: Enrollment and Recognition as shown below:

The enrollment (registration) phase includes the following steps:

  • Biometric data acquisition (Biometric sensor and Input Image)
  • Feature extractor
  • Reference template creation (Template)
  • Database storage (Database)

In a biometric authentication system, the registration phase is the most important step. The results of the phase are reference samples, which play a vital role in the ultimate success of authentication. As a result, the accuracy of the biometric features used is determined by the quality of the reference sample.

The recognition phase includes the following steps:

  • Data Acquisition
  • Feature Extraction (Signal Processing)
  • Reference sample comparison (Comparison)
  • Decision making

Depending on the nature of the identification system or verification system, the matching step with the reference sample varies (1:1 match for verification and 1:N match for identification).
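
The enrollment and recognition stages described above, including the difference between a 1:1 and a 1:N match, are illustrated by the following added example (not code from the original article or from any FPT IS product). The short feature vectors are constructed stand-ins for the output of a real feature extractor, and the cosine-similarity measure and threshold value are assumptions.

```python
import math

THRESHOLD = 0.90  # assumed decision threshold on cosine similarity

def normalize(vec):
    norm = math.sqrt(sum(x * x for x in vec))
    if norm == 0:
        raise ValueError("unusable sample: empty feature vector")
    return [x / norm for x in vec]

def enroll(samples):
    """Enrollment: build one reference template from several captures."""
    if len(samples) < 2:
        raise ValueError("enrollment needs at least two samples")
    units = [normalize(s) for s in samples]
    mean = [sum(col) / len(units) for col in zip(*units)]
    return normalize(mean)

def similarity(template, probe):
    return sum(a * b for a, b in zip(template, normalize(probe)))

def verify(db, claimed_id, probe):
    """1:1 match: compare only against the claimed identity's template."""
    template = db.get(claimed_id)
    return template is not None and similarity(template, probe) >= THRESHOLD

def identify(db, probe):
    """1:N match: search every template, keep the best score over threshold."""
    best_id, best_score = None, THRESHOLD
    for user_id, template in db.items():
        score = similarity(template, probe)
        if score >= best_score:
            best_id, best_score = user_id, score
    return best_id  # None means no enrolled user matches

# Constructed feature vectors (real extractors emit hundreds of dimensions).
DB = {
    "alice": enroll([[0.9, 0.1, 0.2, 0.1], [1.0, 0.2, 0.1, 0.0]]),
    "bob": enroll([[0.1, 0.9, 0.1, 0.3], [0.0, 1.0, 0.2, 0.2]]),
}
PROBE_ALICE = [0.95, 0.12, 0.18, 0.05]   # new capture resembling alice
PROBE_UNKNOWN = [0.1, 0.1, 0.9, 0.9]     # capture of a non-enrolled person
```

Verification answers "is this the person they claim to be?", so a probe that matches alice still fails when the claimed identity is bob; identification answers "who is this?" and must be able to return no match at all.
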

Among the various biometric authentication techniques, facial authentication is currently the most frequently used in real-world business applications, for the following reasons:

  • Low investment in terminals: Only a device with a camera is needed to take photos/videos of faces during registration and transaction identification. All smartphones now have high-quality cameras, making facial biometric technology compatible with them.
  • The AI models used in facial biometric technology have steadily improved and become more accurate.

However, biometric authentication can still be spoofed when a hacker successfully impersonates a user by falsifying biometric data obtained from the user. Hackers often use the following methods:

  • During the registration phase, create fake samples using 3D printed samples, pre-staged pictures and films, or still photos.
  • Hack the app to change biometric characteristics that are entered during the identification process.

Biometric authentication at Vietnamese financial and banking institutions

According to Decision 2345/QD-NHNN dated December 18, 2023 of the State Bank of Vietnam: from July 1, 2024, payment service providers and payment intermediaries on the Internet are required to use the following minimum authentication solutions:

After a period of implementation, many shortcomings in Decision 630/QD-NHNN were discovered, exposing opportunities for hackers to carry out illegal money transfer transactions, including bank account hacking, scamming, and leasing/borrowing accounts. On October 12, 2023, the State Bank issued a document requesting feedback on the draft amendment to Decision 630/QD-NHNN dated March 31, 2017, regarding solutions for safety and security in online payments and card payments.

To comply with the State Bank’s regulations as mentioned above, financial and banking institutions in Vietnam must build a centralized biometric authentication system that combines Chip ID cards and electronic identification (VNeID). By simply requiring customers to authenticate their ID Chip cards when making transactions, financial and banking institutions have added two additional factors in the multi-factor identity authentication process:

  • First factor: Item (ID Chip card) that is unique to the authorized user, is typically carried with them, and cannot be duplicated.
  • Second factor: User’s biometric characteristics unique to the individual user (fingerprint, face stored in the ID Chip card).

FPT IS has built the FPT eID solution, which integrates ID Chip cards into the multi-factor authentication process:

The FPT eID solution enables financial and banking organizations to almost completely prevent identity authentication fraud:

  • Prevent using fake ID cards
  • Prevent taking/recording pre-staged videos from other devices
  • Prevent app activation on simulated virtual machines (simulator)
  • Have a mechanism to verify the source of images or videos before submitting them to the processing server
  • Have advanced AI models that prevent deepfakes created by face-matching AI software
  • Create a facial biometric blacklist of suspicious people who are questionable or have a history of dishonest activity
  • Compare the collected customer facial biometrics each time the customer makes a transaction to minimize risks
  • Compare customer facial biometric data with facial biometric data from the residential database via ID Chip card

Approximately 30 Vietnamese financial-banking organizations have successfully implemented the solution thus far, and by 2024, it is anticipated that this number will have increased to roughly 50.

Conclusion

Finance and banking companies must incorporate biometric authentication into their multi-factor identity authentication process due to the rise in digital transactions in the industry and the associated significant security issues. Specifically, facial biometric authentication is the best approach due to its high security, ease of implementation, and most importantly, its seamless integration with residential databases via ID Chip cards and the upcoming electronic identity card (VNeID).


Exclusive article by FPT IS Technology Expert

Phan Thanh Toan - Director of Digital Authentication Solutions

 
