Lucas Podsiadlo, LoginID: “account compromise is the worst possible user experience”


Many websites still rely on weak authentication methods, creating additional security risks for users who care about protecting their data.

In the past few years, online payments and accounts have grown at a record pace, while digital security has improved only marginally. As a result, we have seen a rising number of identity theft cases caused by ineffective account authentication. And while hiding your IP address for online privacy and safety is already common practice, finding additional ways to secure your credentials is becoming a must.

To learn more about online security, we talked with Lucas Podsiadlo, a business developer at LoginID, a cybersecurity company specializing in biometric authentication.


Can you tell us how LoginID came about? What has the journey been like so far?

The co-founders recognized the persistent problem around authentication while interacting online. While standards like FIDO were emerging as the de facto way to authenticate, there wasn’t a simple API/SDK-centric approach for developers to integrate this standard. This led to the belief that if integration could be simplified, adoption would accelerate. In much the same way, we have seen other companies such as Stripe take a very developer-friendly approach to services.

You take great pride in what you call Authenticated Payments. Can you tell us more about this technology?

Transaction fraud remains a problem. This can be due to account takeover, family/friendly fraud, or liar buyers. Weak account security using passwords and SMS OTP is the root of the problem. Authenticated Payments allow a consumer to easily confirm their transaction with strong authentication (swipe to confirm). Therefore, they can clearly see how much they are paying to whom. Under EU PSD2 requirements, this is called Dynamic Linking. This approach provides clear confirmation of the transaction by the account holder via a biometric digital signature, so family/friendly fraud is eliminated, and it is more difficult to lie about a transaction. Since there is no password to intercept, phishing and man-in-the-middle attacks are not possible. This acts as a real-time fraud prevention tool leading to much-improved account security.
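As an added illustration of the Dynamic Linking idea described above (example code written for this article, not LoginID’s SDK), the device signs a hash over the exact payee, amount and a server-issued nonce with a device-bound key, and the relying party verifies that signature over the transaction it actually displayed. The `Transaction` fields and the sample shop and amount are constructed for the example; the biometric check that unlocks the key is only represented by a comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transaction carries exactly what the consumer sees before swiping to confirm:
// who is paid, how much, and a fresh nonce the server issues per prompt (anti-replay).
type Transaction struct {
	Payee  string `json:"payee"`
	Amount string `json:"amount"`
	Nonce  string `json:"nonce"`
}

// challengeHash binds all transaction fields into the signed data, so a
// signature over one payee/amount/nonce cannot be reused for another.
func challengeHash(tx Transaction) []byte {
	b, _ := json.Marshal(tx) // struct of plain strings: Marshal cannot fail here
	h := sha256.Sum256(b)
	return h[:]
}

// SignTransaction stands in for the authenticator on the user's device: the
// private key is device-bound and is only used after a local biometric check.
func SignTransaction(priv *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, challengeHash(tx))
}

// VerifyTransaction is the relying party's check, using the public key
// registered at enrollment and the transaction the server itself displayed.
func VerifyTransaction(pub *ecdsa.PublicKey, tx Transaction, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, challengeHash(tx), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // done once at enrollment
	tx := Transaction{Payee: "Example Shop", Amount: "49.99 EUR", Nonce: "constructed-nonce-001"}
	sig, _ := SignTransaction(priv, tx)
	fmt.Println("confirmed as shown:", VerifyTransaction(&priv.PublicKey, tx, sig))
	tampered := tx
	tampered.Amount = "4999.00 EUR" // changed in transit: the signature no longer matches
	fmt.Println("tampered accepted:", VerifyTransaction(&priv.PublicKey, tampered, sig))
}
```

Because nothing shared (password or OTP) travels to the server, a phishing page that relays the exchange still cannot produce a valid signature over a different amount or payee.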

How do you manage to ensure strong authentication without compromising the user experience?

Account compromise is the worst possible user experience. The consumer will blame the merchant even though they use the same password, like “letmein,” on all their accounts, and the merchants don’t like it either. Calling customer support to recover your password during checkout is also not a great experience. So, anything that mitigates account takeover and/or password recovery is a win, but frictionless customer experiences are still a must-have requirement.

Smooth integration of authentication into payments is an important part of successful deployments. Asking consumers to “Confirm your transaction” can be incorporated as a final verification at checkout. As strong authentication for payments is more broadly adopted, we believe that consumers will recognize and want this payment authentication to protect their accounts.

Consumer education and messaging around the enrollment of end-users and their devices is just as important as the experience. Prompts like “Tired of passwords?” or “Would you like better security?” can provide a starting point to educate consumers about the benefits and experience they get with strong authentication. Providing FAQs about why and how can ease consumers into strong authentication.


Have you noticed any new cyber threats arise as a result of the pandemic?

In some ways, it is business as usual, but since there was a big shift to online purchases due to the pandemic, threats continue to grow with e-commerce. There is no easy way online to verify whether a credit card is being used by the cardholder since the card number, expiration, and CVV could have been phished or compromised due to a breach. Strong authentication linked to the card’s transaction history can be a very positive indicator for risk decisions to mitigate these problems.

Hackers have even sent fake government links to phish for personal information and solicit payments for COVID registration.

Since digital identity is becoming common, what tactics have emerged in an attempt to bypass various authentication methods?

Unfortunately, too many websites still rely on weak methods like SMS OTP or one-time code generators. A phishing site that tricks a user into entering their password can also easily trick the user into entering an OTP. While initially useful, it now seems that these OTP schemes enable fraud and only provide “security theater.” Determined attackers can easily perform real-time man-in-the-middle attacks against OTP systems. This results in an account takeover, not just a bad transaction.

Implementing digital authentication tools into one’s organization might seem like a daunting task. What first steps should companies take to make this process smooth and easy?

Firstly, review the flows where strong authentication should be applied. This includes both authenticator registration and authentication for any important account actions, including transactions and accessing or modifying personal account information.

Secondly, identify the likely early adopters of strong authentication. This includes people that need frequent password resets, recent account takeover victims, suspect family/friendly fraud victims, and high-value accounts. Consider a phased adoption across different customer segments and measure different approaches.

Thirdly, consider the messages that appeal to your consumers. Different groups will respond to different messages. Some are keen on better security, while convenience resonates with others. For existing users, provide a series of small prompts after each login to encourage adoption. Try to get new users to enroll when signing up, but give them the ability to opt out with “remind me later.”

Besides strong authentication methods, what other security measures do you think companies should implement to protect their workload and customer data?


These are some security basics:

  • Don’t collect or store any data you don’t need. It’s a liability in the long run.
  • Strong encryption for data in transit or at rest.
  • Don’t store biometric data in the cloud or on your servers. If it ever gets compromised, consumers can’t change their biometrics.
  • Stay up to date on all security patches.
  • Be aware of new fraud schemes because they are constantly evolving.
  • Train all your personnel to be security-aware on a regular basis. The HR and accounts payable departments are just as responsible for security as your IT team.

Do you think biometric authentication is going to surpass other authentication methods in the near future?

We think it already has on smartphones. The market is approaching roughly five billion devices with support for the FIDO standard.

New Macs have a fingerprint scanner built in, and an increasing number of new Windows PCs have built-in biometrics. As consumers recognize the security and convenience of biometrics, they will look for this feature, and we will see broader adoption through the replacement cycle.

Would you like to share what’s next for LoginID?

We have recently signed an agreement with Oasis to integrate our strong authentication and identity into their platform. This will help power new eSIM mobile device setup for end-users with both identity and authentication, meaning a mobile operator will have assurance, for any end-user interaction, that it is the customer in question. This eliminates attack vectors such as SIM swap attacks and also gives an end-user a very secure and easy way to migrate their profile from an old device to a new one. We have some additional large partner announcements pending that will be announced in Q1 and Q2.

LoginID will continue to innovate and break into new markets where FIDO2 passwordless authentication can help protect assets and identities like crypto exchanges, digital wallets, NFTs, play-to-earn gaming, DeFi, e-commerce, and traditional financial services. We have teamed up with AuthID to provide a comprehensive digital identity platform that can be used for digital onboarding, eKYC, biometric authentication, and payment authentication.

As the world has grown more digital, we have seen a steep rise in hacking and fraud incidents across industries. We aim to be at the forefront of preventing incidents like this from happening by pairing biometric security with a smooth customer experience.
