Multi-Factor Authentication - The New Frontier Of Virtual Security: Here’s Why

Hardly a day goes by without a report of a data breach or of someone’s personal information getting stolen. Despite many of our best efforts, data breaches are still a very real, very BIG problem. In 2017, 2 billion files were leaked as a result of data breaches, and those are just the ones that were reported!

As you’re reading this, you can be sure that hackers worldwide are continuing to look for ways to compromise valid credentials in order to access company networks and steal data. Ask most IT experts and you’ll hear the term two-factor authentication (2FA). Unfortunately, 2FA is no longer a viable solution. There's no way to accurately verify a person’s identity, or gate access control to a device or computer. 2FA has become so obsolete and outdated that, according to a new article by TechCrunch, the National Institute of Standards and Technology (NIST) has called for the end of SMS two-factor authentication because of all the security holes in cellular/LTE data communications.

So, what now? We know that pins and passwords are obsolete, and with 2FA off the table, what do security experts recommend?

Luckily, there's an answer. Current regulations like those set forth by the PCI Data Security Standard (PCI DSS) require multi-factor authentication (MFA) to be implemented to access computers and systems that process payment transactions. What is MFA, you might ask? MFA is currently the highest level of authentication in the market today. It provides a higher degree of identity assurance of individuals attempting to access resources such as personal devices, internet-accessed accounts, or corporate workstations. MFA is when you select two from the following categories, something you are with something you know or something you have, to keep unauthorized users from gaining access to a system or device.

Most industries and regulatory bodies worldwide are moving towards the use of MFA because it’s effective at authenticating and validating credentials. Switching to MFA is fairly simple. Since something you are is always a biometric, start here, but you need to look at the use case. If you are trying to get into a building, use a physical biometric like fingerprints. If you are trying to gate access to a computer or Internet accounts, choose a behavior-based biometric. With these biometrics you really only have three options: gait (how you walk), keystroke (typing rhythm), and signature/gesture biometrics.

Gait is not suited for remote access, and typing is limited by too many false positives, by limits on the speed to complete it, and by use confined to certain devices only. Signature/gesture biometrics is the market leader, and BioSig-ID is the only one with several issued patents and worldwide use. It requires no additional hardware or software downloads. It also comes with a robust forensic reporting tool that catches unapproved access and fraud. With nearly 12M uses in 95 countries, it has been rated a top 10 MFA solution provider in 2018. You can try out the software and make your own biometric password at


Turn on the news, read an online article, or pick up a paper, and chances are you’ll see a story about another data breach and its impact on a company’s bottom line. What you won’t typically see are the number of records that were stolen, the types of records being hacked and, perhaps most importantly, the effect it has on a company/industry beyond just the monetary value.

Since 2013, more than 9B personal credentials have been compromised, giving cyber criminals an abundance of personally identifiable information to sell and/or use to commit fraud. 2017 was a particularly tough year for many large companies, with more data stolen in the first six months than throughout the whole of 2016.

As technology evolves, so do the sophistication and the number of attempted data breaches. Yet many companies are adhering to the same outdated security protocols and software that landed them in hot water in the first place. All due to one thing… cost.

In a recent survey, Ponemon identified the average cost of a breach as $3.62 million in its 2017 Cost of Data Breach study. Many companies can’t see the forest for the trees and wind up getting fixated on the impact to their profit margins, but what about the indirect costs that are rarely discussed such as:

  • Legal action taken by the person(s) affected
  • Physical damage to a company’s database, server, etc.
  • Reputational damage
  • Customer / Client retention
  • Federal Regulations / Fines
  • Criminal charges

As long as new technologies continue to emerge, cyberattacks will continue to occur. The question is, as a company, do you continue to operate business as usual, or do you begin looking into proven solutions that move beyond pins and passwords and outdated two-factor authentication techniques?

If you choose the latter, call us. Biometric Signature ID has a proven authentication solution with more than 1M individual users and 11M unique uses in 95 countries. With an accuracy rate that’s 3x better than the NIST guidelines for biometrics, we’ve helped put an end to fraud and rewritten the way you use biometrics.

Lately there’s been quite a lot of buzz surrounding “student authentication” and what Universities and Colleges need to do to remain compliant. From the landmark case between WGU and the OIG, to the countless billions lost in 2017 alone to academic cheating and financial aid fraud, it’s clear that the time for change is now!

Recently the largest education accrediting agency in the U.S. passed new requirements for student ID authentication. The new regulation(s) stands to change the way institutions are validating / verifying student enrollment and is gaining traction amongst other accreditation agencies.

Under the previous student authentication guidelines, “any institution that offered distance, or correspondence education was required to verify that the student who registers for a course was the same student participating throughout the course.” Verification methods deemed acceptable included pins and passwords, as well as proctored examinations.

Taking effect Jan. 2018, the new rules are:

“10.6: Student Authentication Guidelines”

a) An institution that offers distance or correspondence education must: Ensure that the student who registers in a distance, or correspondence education course or program is the same student who participates in and completes the course or program and receives the credit.

(1) A secure login and pass code: 

  • Can be shared amongst individuals and fraudsters
  • Is easily compromised
  • Has no way of securely or accurately verifying the user

(2) Proctored examinations:

  • Can't verify same student is doing course work
  • Students are finding ways to hack the system
  • Designed to catch cheaters only 

(3) New or other technologies and practices that are effective in verifying student identification such as BioSig-ID:

  • Integrated with LMS/No per use charge so ideal for continuous authentications
  • Verifies students throughout the course anytime, anywhere
  • Provides next-level forensics and auditing tools that keep you off the naughty list and in compliance with regional accreditors and the feds

With the new guideline(s) in place, pins and passcodes and proctored examinations are no longer viable options, because of their failure to verify a student’s identity.

What schools are left with is the only PROVEN solution to accurately identify and verify a student’s identity anytime, anywhere throughout a course. The writing is on the wall…

Proper authentication and compliance begins and ends with BioSig-ID, the world’s first biometric password that you draw.


Each semester, education loan fraud by criminals who pose as students grows tremendously. The victims? Mostly low-tuition schools offering online or distance learning programs. Fraudsters are easily able to pose as students because they are not required to be physically present. As long as a student can make it to census date, they are eligible to receive the thousands of dollars from Pell Grant monies remaining on their student account. Under federal financial aid regulations, schools must be able to document attendance in each class where students receive FSA. The Dept. of Education also mandated that schools institute new “academic attendance taking criteria” to determine attendance and last day of attendance.

Also to consider are managing Official and Unofficial Withdrawals, Title IV calculations (using R2T4 forms), Last Date of Attendance and other requirements. These all require the institution to have accurate and accessible attendance data. It is easy to see why creating better policies for tracking attendance is beneficial. If an FSA award has been disbursed and is owed back to the Dept. of Education, the institution must return the money and then try to collect these monies from the student. Good luck, fictitious and fraudulent students are long gone!

It is a lucrative business, with groups as large as 800 fictitious students being reported. Fraud comes from three types of groups: individual students, fraud or organized crime rings, or unscrupulous bad actors within the institution. According to the U.S. Department of Education, improper Pell grant payments topped $2.2B in 2016. While FSA fraud is nothing new, it is rapidly growing. This growth has spurred the federal government to step in and put pressure on institutions to fix the problem.

So, who's on the hook? Well according to the feds, the schools. 

Colleges and Universities must make sure that all FSA money is disbursed to the students who are there for the right reasons... If not, then the school must pay back all the money. This creates a huge and unnecessary loss of revenue for the school. It can also lead to additional problems such as:

  • Lower institution retention rates
  • Possible changes in government funding models
  • Increased accountability for higher education institutions

Unfortunately, it's not going to get any better until schools are able to detect and sort the real students from the fraudsters. Luckily, this could all be solved easily with air-tight student authentication and the ability to monitor for the signals of fraud.

For years, the OIG and Dept. of Education have stated that schools must adhere to the following requirements associated with distance education Title IV funding:

  1. VERIFY a student’s identity throughout the ENTIRE course
  2. Determine student academic ATTENDANCE
  3. Maintain sufficient EVIDENCE of student attendance

With many institutions up for accreditation renewal, now’s the time to implement a plan of attack!

The traditional fraud detection process needs to be overhauled. If schools are potentially losing 4% of Title IV funds to fraudulent students, think what that means to a school that disburses $50M - $100M. That's big money schools stand to retain.

If only administrators knew they could easily get this money back and return it to their budget. If only they had simply captured student ID authentication logins between course start up and census day.

It's possible.

Thanks to BioSig-ID. This gesture-based biometric software can monitor for fraud and send early warnings to administrators that will stop loan disbursement until they can determine whether the student is truly authentic.

  • Step one is authenticating every student as they enroll at the beginning of the course or during an introductory prep course if your school offers this.
  • Step two is authenticating student ID multiple times before gradable assignments from course start to census day. (BioSig-ID complies with the new academic activity requirements.)
  • Step three is adding any additional information from internal sources that points to a fraudulent student. (Ask us what these are, as they can be powerful indicators.)
  • Step four is to not disburse the balance of FSA UNLESS the student successfully authenticates their identity with BioSig-ID, the password that students draw with their finger or mouse and that can't be shared with others.

Optionally, if you combine our biometric password solution with an additional ID resource like a government ID check at FSA application or course registration (via webcam), you now have a system that is virtually impossible to defraud. Luckily, BioProof-ID is such a product: by working with respected virtual proctoring company B Virtual, live agents verify the ID check, then watch users complete the last phase of creating their BioSig-ID password.

Once BioSig-ID is in use, distance learning institutions will be able to answer the long-posed question, “Who is taking my course online?” It can track everything: student attendance patterns, login locations and attempts, history, activity, and time. We take the guesswork out of the forensics and pinpoint the anomalies that could never be detected by an individual or even a dedicated team. Once the bad actors are found, schools can then put their regular procedures in place, issuing warning letters or taking other actions they deem necessary.

This two-prong approach is win-win, especially when you factor in the ROI. How about recovering, say, $400K that you might have lost in disbursements to fake students? Would a cost-effective solution that recovers it and meets all federal regulations be worth it?

You do the math. Protect your job and get some help to stop the fraud! 

How BioSig-ID Forensic Tools Catch The 2 Types of Fraud

Fraud using the “virtual highway” is big business, with data breaches costing $6.2B in 2016 and Financial Student Aid Fraud (FSAF) costing upwards of $3.8B annually. So you ask, how can your institution get your money back? If you’re a company or university, how can you stop the data breaches?

Understand there are at least two types of Internet- or device-based fraud:

  1. Those who steal your data for financial gain against others, leaving you with the liability costs (credit monitoring, fines, reputation loss, stock price decline, etc.)
  2. Those who enter your enterprise and steal directly from you (ransomware, reimbursement of monies you receive, etc.)

Where does higher education fit in?

#2 above, since students (real and fictitious) are actually stealing what may be 4% of all the FSA your institution dispenses. To bring this home, say your school disburses $50M in FSA. The feds suggest 4% is “improperly paid”. Using this math, it means $2M has to be paid back to the Dept. of Education, and the school is left to try and collect these monies from the student. Good luck.

What about data breaches and protection for your company?

#1 above, since bad actors seek the data you hold on all your clients/users. Data breaches are commonplace and costly; we read about them every day. External threats from various kinds of hacking and internal threats are the main reasons why breaches occur. We recommend multi-factor authentication using BioSig-ID gesture passwords, since sharing, stealing or hacking will not be successful. It stops imposters from logging in. Most of the companies who are breached end up paying recovery costs at $158.00 per breached record, and healthcare records cost them $394.00 each. This adds up to millions of dollars! It even affects share prices. The disclosure last year by Yahoo of two massive user-data breaches (1.5B) in 2013 and 2014 led Verizon to lop $350 million from the purchase price for Yahoo’s internet businesses.

Finding the origin of fraud is like trying to find a needle in a haystack, and fraudsters know it. One of the many reasons that fraud is committed is that it’s hard to catch the perpetrator. With fraud growing at an alarming rate, many bad actors are able to slip through the cracks.

What if there was some way of combing through all of the raw data, pinpointing fraudsters and recovering lost money?

Fortunately, there is!

In addition to providing award-winning biometric identification and authentication solutions with the world’s first biometric password, BioSig-ID (you draw your password versus type it in, NO hardware required), we can now analyze hundreds of thousands of activities of BioSig-ID usage. These reporting tools provide backend details on how the user is accessing assets, from device to geolocation, to time of day or number of password resets. We review historical pattern analysis and take all of the guesswork out of finding fraud.

No matter the industry, BioSig-ID's robust analytics reporting has been proven to:

  • Track and notify of potential fraud in REAL time
  • Create a significantly positive ROI when using our forensics
  • Recover lost money and prevent data breaches
  • Provide more transparency to network administrators
  • Catch even the smallest pattern deviation

Once in use, the BioSig-ID forensics system knows exactly who users are. It can track many factors, from login patterns and attempts to activity and success rates. BioSig-ID finds the anomalies that could never be detected by an individual, or even a dedicated fraud prevention team, and provides alerts in real time. Once the bad actors are found, clients can handle it from there, taking whatever action they deem necessary.

The BioSig-ID forensics are derived by having your users create/draw their unique gesture biometric passwords when logging in to a device or virtual asset. After years of use in 95 countries and 10 million uses, BioSig-ID has significant data and power to filter out the bad actors. Our state-of-the-art analytics tool has become fine-tuned in pattern analysis used to find academic fraud, device or account access fraud, and financial fraud.

Life’s too short to be chasing fraudsters. Let BioSig-ID’s fraud buster forensic tool help you find the needle in the haystack so you don’t have to.
