All eyes were on New Jersey last month when it provided guidelines (N.J.A.C. 13:69O-1.1) for internet and mobile gaming operators that explicitly called for Two-Factor, or Multi-Factor Authentication (2FA or MFA) for these platforms. Although 2FA/MFA solutions have been used by companies in many industries, New Jersey’s requirements are noteworthy because they spell out what is usually considered a best practice. That’s according to Tom Hill, Director of Digital Identity & Head of Sports Betting & iGaming at Prove.
Considering that New Jersey is a major iGaming market and that many states will likely follow suit, it’s critical for operators to choose an MFA solution that not only complies with the regulation but also prevents fraud and proxy betting.
What is 2FA or MFA?
Two-Factor or Multi-Factor (2FA or MFA) Authentication is an authentication framework that typically involves combining a user’s username/password combination with an additional authentication method. This strategy has been implemented (in some cases, as a requirement) across many industries as a result of the inherently weak password iterations chosen by users, leaving them vulnerable to account takeovers, data breaches, and financial loss. At a minimum, this is a recommended best practice. In some instances, such as in New Jersey, 2FA is a regulatory requirement for gaming operators.
How does New Jersey’s new regulation approach digital identity?
N.J.A.C. 13:69O-1.1 defines “multi-factor authentication” as a type of strong authentication that uses two of the following to verify a patron’s identity:
- Information known only to the patron, such as a password, pattern, or answers to challenge questions;
- An item possessed by a patron such as an electronic token, physical token or an identification card; or
- A patron’s biometric data, such as fingerprints, facial or voice recognition.
Once a patron has successfully logged in using multi-factor authentication, subsequent logins to the same account on that same device can be exempt from multi-factor authentication for a period not to exceed two weeks.
Those of us in the “identity” or risk/fraud world quickly recognize this framework, colloquially described as “something you know,” “something you have,” and “something you are.”
What are the considerations to evaluate when implementing one or more of these approach categories?
1. “Something you know”
The least secure of the options. The onus is placed squarely on the player to come up with a “strong enough” password. As password requirements have become allegedly more secure over time with letters, numbers, and symbols necessary, humans are challenged with remembering or storing increasingly complex credentials. As a result, most people reuse identical or very similar passwords across many ecosystems. In a world where data breaches are constantly exposing this information, the chain reaction effect of a breach has exponentially increased.
The other primary method of satisfying “something you know” is an obsolete method, “Knowledge-Based Authentication” (“KBA”). KBA consists of security questions that “only the patron” should know, such as “What street did you grow up on?” and “What was the name of your first pet?”. This requires introducing friction not only at sign-up to set this process up but at every downstream 2FA instance. Additionally, much of this information, and even the question/response combinations, can be found or purchased online.
2. “Something you have”
This category offers several options, ranging from ID document scanning to phone authentication. As this requires “possession” of a unique identifier, this realm is not as susceptible to the types of account takeover and identity theft associated with “something you know.”
Document scanning is considered among the more friction-filled identity verification practices as it requires significant patron involvement. If their ID is not close at hand, there is a high probability of abandonment. Environmental factors also wreak havoc on document scanning, as elements beyond the control of the application such as lighting and glare may render the document image unusable. A final point is that not all doc-scanning vendors are created equal. It is important to understand the coverage and efficacy of the vendor but also ensure that the requires live in-app image capture and/or document liveness to counteract photos of photos (physical or digital) of ID documents.
Phone possession and authentication are widely considered the more streamlined and preferred options in this category. The ability to passively determine the phone number that is engaged with the mobile app allows operators an enticing blend of 2FA without adding any friction to the patron experience. Furthermore, mobile intelligence solutions can confirm the real-time risk level of the phone and phone number, as well as who that number belongs to, all in the background. With the vast majority of digital wagering/gaming occurring on mobile, this approach allows operators to avoid placing any friction and risking abandonment for their patrons while also identifying any account takeovers, unusual logins, or high-risk transactions.
3. “Something you are”
Also known as biometrics, the “something you are” class comes in many forms, including facial recognition matching, and fingerprint or iris scans. Some of these tools, such as Apple’s Face ID, are convenient for patrons to use across many of their apps. Most biometric methods still require specific patron actions, some of which can be affected by visual or physical obscuration, such as gloves in the case of fingerprint scanning or partially covered faces when doing facial recognition matching. A NIST study also concluded that the majority of facial recognition vendors exhibited bias for people of certain races.
For the US Sports betting and iGaming ecosystem, there is another unique scenario to take into consideration: proxy betting. As the US market is currently fragmented between the states that allow online wagering and those that don’t, online operators are challenged to prevent players from illegally circumventing geolocation requirements. All it takes is for a player to share his or her login information with a friend in a legal state, who then logs in and places the bets as if they are the account owner. Not all 2FA approaches are capable of preventing proxy betting. With Prove authentication, proxy betting can be prevented without affecting the player experience.
Because of the highly-regulated nature of the iGaming and sports betting industry as well as the complexity of the use cases, phone-centric identity is the obvious MFA choice for operators. With Prove Auth as well as our market-leading solution Prove Pre-Fill, operators can achieve compliance and reduce fraud with stringent regulations while also providing a streamlined, frictionless, and best-in-class user experience for patrons. Already trusted by 8 out of the top 10 leading banks and leveraged in other fast-paced sectors like cryptocurrency, Prove has a long track record of decreasing onboarding times, boosting pass rates, and drastically reducing fraud.
Tom Hill is speaking at the upcoming SBC Summit North America as part of the Suppliers Panel: innovations, fraud, identity checks & AML on Wednesday 13 July at 5:00PM. Visit Prove at booth #507 to find out how to meet regulatory 2FA requirements and address proxy betting, all without impacting the player experience.