Citing increased fraud affecting its education and testing procedures, the Nationwide Multistate Licensing System (NMLS) is implementing a new biometric password system for use by its instruction providers. NMLS, which handles state licensing of loan officers and mortgage brokers and lenders and provides information about licensees to consumers, says the fraud has primarily been limited to its online continuing education (CE) courses and usually involves the sharing of the course user ID and password for login access.
NMLS, in trying to find a solution to the problem, identified three alternatives: remote proctoring, knowledge-based authentication, and biometrics. It issued a request for proposals in 2016, identified three vendors and conducted a pilot study with each. The contract was ultimately awarded to BioSig-ID.
BioSig-ID says the type of log-in identification used in most situations, an ID and a password made up of various letter, number, and symbol combinations, is easily compromised (or, as is apparently happening with NMLS, shared). It does, however, have the advantage of being easily changed once the compromise is discovered.
An alternative is identifying the user with biometrics, usually a fingerprint, facial identification, or an iris scan. These can be expensive to implement and are not necessarily foolproof. If they are hacked or compromised, they can't be replaced. As BioSig-ID puts it, you can't grow a new fingerprint, or a face, and hacked metrics can be used anywhere without the owner's permission.
The solution BioSig-ID is providing to NMLS is "multi-factor" identification. The end user still has a password, but rather than a complicated and forgettable code, it is a single self-selected set of letters that are drawn with a mouse, stylus, or finger. Every user has a distinctive way of moving the chosen instrument, and the software looks for identifiers such as the length, speed, direction, angle, and height of each stroke. At log-in, after the individual draws only three or four characters, the system can almost instantly match and verify the password being entered against the one in its records.
NMLS tested the software with 174 students who logged in a cumulative 858 times, an average of 4.59 authentications. It took an average of 2.5 minutes for each student to set up their password.
All vendors who provide CE courses for NMLS will be required to have the authentication program in place by August 21. NMLS is absorbing the cost of the program.