The next security layer for Two-Factor Authentication: Identity Verification

There are two known facts about the digital world. There is no privacy and there is nothing called 'secured'. As people are using or consuming digital payments as they use social media sites like a Facebook or a Twitter, this realization of no privacy and security is waking them up in the middle of the night.

Cyber security experts have no qualms in saying that even the so called safest 'two-factor authentication' (2FA) is no longer safe. In fact, 2FA is often mentioned as the best thing that has happened for pushing digital payments globally. The two stage authentication for digital payments - first by a password which only you know and then by getting an OTP (one time password) via mobile phone, which you own - looks to be much secure. Like rest of the world, the Reserve Bank of India (RBI) introduced 2FA almost a decade back. Experts are now pointing out the emerging weak link or the centre of attack by hackers, is the mobile handset and also the mobile operator. SIM cloning could happen via malware or app in the handset. Similarly, the SIM data can be compromised/cloned by hacking the data of the mobile operator. Recently, the US National Digital Authentication Guidelines (DAG) has issued a warning that the 2FA via SMS is not secure and should be prohibited. The debate has just started. But there are already security companies that are now focusing on 'identity verification', which can eliminate the chances of someone breaking the two factor authentication.

Identity verification is actually the next big challenge for digital payments. More so because India post-demonetization is estimating some 20 billion transactions in the next one year. In fact, many of the non-bank entities apart from banks are now part of the payment system. The new initiatives like United Payment Interface (UPI) rely more on mobile handsets than a card-based system.

Banks are already looking for solutions in identity verification companies. There are companies globally which integrate with banks and e-commerce players to verify a customer digitally by using social media and other tools. If a fraudster, for example, breaks into your two-factor authentication, he won't be able to carry out a transaction because the fraudster's digital identity will not match yours. Pascal Podvin, senior Vice President of ThreatMetrix, a digital identity company, says they have tools that differentiate between a trusted customer and a cyber threat in milliseconds. This US-based company has already partnered with payment technologies company R S Software for offering digital identity solutions in India.