3-way authentication: something you are, own and know
“Something you are, something you own, something you know.”
Those are the three requirements to prove you really are, who you say you are. Especially in the area of financial institutions, the Know Your Customer process (KYC) is on the of the most important parts of getting and contracting new customers. Onboarding new customers should be an effortless process, both for the end user and the bank (or insurance company) itself. But international law and global regulators have obligated those financial institutions (or: FIs) a set of necessary, mandated information that needs to be collected. Ideally, this is in the best interest for the FIs themselves, so they can protect themselves from accepting possible terrorists and other blacklisted customers, or deal with a case of identity theft or forging of any kind.
Lately, a ‘corporate race’ has been initiated, in which banks aim to offer the fastest — and fully digital — onboarding for customers, thus giving FIs a competitive edge over competitors who can’t keep up with the industry pace. So for this article, I thought it would be good to focus on one important aspect of KYC: what you need to ask your customer to prove the authenticity of a ‘real person’. How can people authenticate themselves? Another important reason to zoom on this, is in the light of my article from August 6, in which I wrote how HSBC was asking all the wrong questions trying to retrieve my banking password (which I forgot at that point).
So what does the law say? What type of information is needed to prove one’s identity? As it turns out, this answer is (at minimum*) three-fold. You have to authenticate yourself by proving:
- Something you are
- Something you own/have
- Something you know
Let’s look at all three in a bit more detail:
1. Something you are
This relates to you as an individual and your physical characteristics (or biometrics). Some of the biometric methods that can be used are: fingerprints, hand geometry, retinal or iris scans, handwriting, and voice analysis. Many of your favorite apps (and the access to your phone itself) most likely use a fingerprint scan to authenticate, already.
As you can see from the table above, the most reliable biometric authentication is an iris scan, followed by finger print, palm print/geometry and speech.
2. Something you own/have
Something you own or have refers to a physical object, such as a key, banking card or token. When you perform online banking, you probably have used a token (apart from the card itself). More recently, we have seen a lot of 2-factor authentication systems, whereby a unique SMS-code is generated and being sent to *your* phone (and your phone only). This proves you own that phone (number).
Google’s Authenticator (or Microsoft’s similar solution, ‘Authenticator’) are two examples of apps that issue a similar, uniquely generated code (although in-app, and not as SMS message).
Examples of 2-way authentication solutions (Authy, Google, Microsoft).
3. Something you know
The last one is the most common: something you know. This obviously refers to intellectual information, such as a password, answer to a secret question, or other information that only the user can (and may) know. Often, an authentication process starts with entering a password and is then ‘expanded’ with other forms of authentication.
These questions are part of a larger process
Don’t get me wrong, the KYC process is longer and more complex than solely these three authentication principles. The entire KYC experience entails other steps, just as proof of address, proof of work, and other elements. In this article we didn’t focus on those aspects (although much can be written about these aspects as well, more so with the rise of blockchain as useful technology to record, store and share previous successful KYC actions).
*: we focus here on 3-factor authentication, as a minimum requirement for a person to prove his/her identity. However, there are actually 5 factors of authentication, depending on how secure an organization wants to implement its access protocols.
This article was originally published on frankly.studio/blog
