All eyes were on New Jersey last month when it provided guidelines (N.J.A.C. 13:69O-1.1) for internet and mobile gaming operators that explicitly called for Two-Factor, or Multi-Factor Authentication (2FA or MFA) for these platforms. Although 2FA/MFA solutions have been used by companies in many industries, New Jersey’s requirements are noteworthy because they spell out what is usually considered a best practice. Considering that New Jersey is a major iGaming market and that many states will likely follow suit, it’s critical for operators to choose an MFA solution that not only complies with the regulation but also prevents fraud and proxy betting.
Two-Factor or Multi-Factor (2FA or MFA) Authentication is an authentication framework that typically involves combining a user’s username/password combination with an additional authentication method. This strategy has been implemented (in some cases, as a requirement) across many industries as a result of the inherently weak password iterations chosen by users, leaving them vulnerable to account takeovers, data breaches, and financial loss. At a minimum, this is a recommended best practice. In some instances, such as in New Jersey, 2FA is a regulatory requirement for gaming operators.
N.J.A.C. 13:69O-1.1 defines “multi-factor authentication” as a type of strong authentication that uses two of the following to verify a patron’s identity:
Once a patron has successfully logged in using multi-factor authentication, subsequent logins to the same account on that same device can be exempt from multi-factor authentication for a period not to exceed two weeks.
Those of us in the “identity” or risk/fraud world quickly recognize this framework, colloquially described as “something you know,” “something you have,” and “something you are.”
The least secure of the options. The onus is placed squarely on the player to come up with a “strong enough” password. As password requirements have become allegedly more secure over time with letters, numbers, and symbols necessary, humans are challenged with remembering or storing increasingly complex credentials. As a result, most people reuse identical or very similar passwords across many ecosystems. In a world where data breaches are constantly exposing this information, the chain reaction effect of a breach has exponentially increased.
The other primary method of satisfying “something you know” is an obsolete method, “Knowledge-Based Authentication” (“KBA”). KBA consists of security questions that “only the patron” should know, such as “What street did you grow up on?” and “What was the name of your first pet?”. This requires introducing friction not only at sign-up to set this process up but at every downstream 2FA instance. Additionally, much of this information, and even the question/response combinations, can be found or purchased online.
This category offers several options, ranging from ID document scanning to phone authentication. As this requires “possession” of a unique identifier, this realm is not as susceptible to the types of account takeover and identity theft associated with “something you know.”
Document scanning is considered among the more friction-filled identity verification practices as it requires significant patron involvement. If their ID is not close at hand, there is a high probability of abandonment. Environmental factors also wreak havoc on document scanning, as elements beyond the control of the application such as lighting and glare may render the document image unusable. A final point is that not all doc-scanning vendors are created equal. It is important to understand the coverage and efficacy of the vendor but also ensure that the requires live in-app image capture and/or document liveness to counteract photos of photos (physical or digital) of ID documents.
Phone possession and authentication are widely considered the more streamlined and preferred options in this category. The ability to passively determine the phone number that is engaged with the mobile app allows operators an enticing blend of 2FA without adding any friction to the patron experience. Furthermore, mobile intelligence solutions can confirm the real-time risk level of the phone and phone number, as well as who that number belongs to, all in the background. With the vast majority of digital wagering/gaming occurring on mobile, this approach allows operators to avoid placing any friction and risking abandonment for their patrons while also identifying any account takeovers, unusual logins, or high-risk transactions.
Also known as biometrics, the “something you are” class comes in many forms, including facial recognition matching, and fingerprint or iris scans. Some of these tools, such as Apple’s Face ID, are convenient for patrons to use across many of their apps. Most biometric methods still require specific patron actions, some of which can be affected by visual or physical obscuration, such as gloves in the case of fingerprint scanning or partially covered faces when doing facial recognition matching. A NIST study also concluded that the majority of facial recognition vendors exhibited bias for people of certain races.
For the US Sports betting and iGaming ecosystem, there is another unique scenario to take into consideration: proxy betting. As the US market is currently fragmented between the states that allow online wagering and those that don’t, online operators are challenged to prevent players from illegally circumventing geolocation requirements. All it takes is for a player to share his or her login information with a friend in a legal state, who then logs in and places the bets as if they are the account owner. Not all 2FA approaches are capable of preventing proxy betting. With Prove authentication, proxy betting can be prevented without affecting the player experience.
Because of the highly-regulated nature of the iGaming and sports betting industry as well as the complexity of the use cases, phone-centric identity is the obvious MFA choice for operators. With Prove Auth as well as our market-leading solution Prove Pre-Fill, operators can achieve compliance and reduce fraud with stringent regulations while also providing a streamlined, frictionless, and best-in-class user experience for patrons. Already trusted by 8 out of the top 10 leading banks and leveraged in other fast-paced sectors like cryptocurrency, Prove has a long track record of decreasing onboarding times, boosting pass rates, and drastically reducing fraud.
Contact Prove today to find out how to meet regulatory 2FA requirements and address proxy betting, all without impacting the player experience.
Join over 1,000 businesses that rely on Prove across multiple industries, including banking, FinTech, healthcare, insurance, and e-commerce. Contact us today.
Trusted by 1,000+ leading companies to reduce fraud and improve consumer experiences. Contact us today to learn how you can frictionlessly secure your digital consumer journey — from onboarding to ongoing transactions.
Tap the button below to read our latest white-paper on the subject as industry leaders.
Contact us to learn how leading companies are using Prove Pre-Fill to modernize the account creation process by shaving off clicks and keystrokes that kill conversion.
Get in touch to find out how we can help you identify your customers at every stage of their journey and offer them seamless and secure experiences.
Let our expert team guide you through our identity verification and authentication solutions. Select a date and time that works for you.
Find out how we can help you deliver seamless and secure customer experiences that comply with PSD2/SCA. Select a date and time that works for you.
Download Aite-Novarica Group’s full report about Prove Pre-Fill, including a product overview, customer results, and how the product works.
Download the guide now to learn how you can improve security, cut down on fraud, and create the best possible customer experience.