Access control systems may use one or more authentication factors to verify an individual's identity. For example, authentication factors may include “something-you-know,” “something-you-have,” and “something-you-are.” Some access control systems may require elements from two or three of these categories to provide two- or three-factor authentication.
Biometrics may provide the “something-you-are” factor used for identification and authentication. Biometrics can be coupled with other categories of factors, such as “something-you-have” and “something-you-know,” to achieve two- and three-factor authentication when greater assurance is required than a single factor can provide. Biometric traits may include, for example, biological (e.g., fingerprint, iris, hand geometry, etc.) and behavioral (e.g., gait, gesture, keystroke dynamics, etc.) characteristics that reliably distinguish one person from another.
As transactions, interactions, and communications occur through various internet-centric services on personally owned mobile devices, the actual identities of the parties involved may be unknown or unverified, despite the convenience the internet adds. Even authentication systems with username and password login restrictions are susceptible to hacking, password compromise, man-in-the-middle attacks, phishing, or use by an entity that is not the intended authenticating person. Accordingly, protection of personally identifiable information (“PII”) needs to be efficient and effective, providing assurance of the identity of the party while not compromising any sensitive information or slowing down information exchange processes with heavy (e.g., processor-intensive) protection mechanisms.
Some authentication systems may include the use of an electronic signature (“e-signature”). An e-signature refers to data in electronic form that is associated with a record and is used by a signatory or signing party to sign the record. An e-signature is intended to provide a secure and accurate identification method for the signatory to provide a seamless transaction to a relying party. Definitions of e-signatures vary depending on the applicable jurisdiction. For example, in the United States, e-signatures are governed by the Electronic Signatures in Global and National Commerce Act (“ESIGN”) and the Government Paperwork Elimination Act (“GPEA”). Under ESIGN, an e-signature is defined as an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.
Additionally, under United States federal law, GPEA further defines the term “electronic signature” to mean a method of signing an electronic message that: (A) identifies and authenticates a particular person as the source of the electronic message; and (B) indicates such person's approval of the information contained in the electronic message.
While greater mobility and access to information from anywhere are benefits of using personally owned mobile devices, there is growing concern about, and need for, data protection as organizations rely on public networks to exchange and access sensitive information, such as biometrics.