Most websites authenticate with a combination of username and password. Both are things that a user knows. Asking “what street did I grow up on?” is just asking for more things that a user knows; firms that do this are simply implementing more knowledge-based authentication (KBA).
Economics of Authentication
To use some basic economics: adding a password, as opposed to requiring no validation at all, has a huge marginal benefit to the company. Implementing a second, third and fourth has an ever-decreasing marginal benefit.
The real question we should be asking is: how can we complement knowledge-based authentication to maximise the marginal benefit?
Each firm has different needs. E-commerce firms have an incentive to authenticate users only at the point of sale, because they want to maximise their conversions. Banks have more of an incentive to authenticate users before they can see a bank balance, and possibly a second time if they are trying to move money. What I’ve just described is a risk-based authentication system.
Real Time Cost-Benefit
When firms can calculate the losses they would incur from fraudulent actions, they can start to build a cost-benefit model around those actions.
Behavior Based Authentication
By understanding how users behave on their website, down to an individual level, companies can combine the financial impact of a fraudulent action with an accurate probability that the action is fraudulent.
This is important.
Imagine the situation where a user logs into an e-commerce site with their username and password but their actions have changed; their page-flow is different, their mouse speed is drastically altered. Your Online Behavior Scoring model predicts a 70% chance of fraud. What would you do?
Would asking them to re-enter the password or re-apply the biometric signature help, or would you dynamically enact a new layer of protection? How can you maximise the marginal benefit? How about accepting the order on screen but having a human give the credit card owner a call before you process the payment?
We believe that authentication is most secure when there are multiple layers: passwords, biometrics, one-time passwords and manual call-backs are all powerful tools. Understanding the cost and benefit of each individual action in real time, by understanding behavior, is the ultimate way to maximise website security and usability, based on statistics.
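The cost-benefit decision described above, sketched as an added example that is not code from the original article. The action list, every cost, abandonment and stop rate, and the 25% margin are constructed assumptions; the fraud probability is taken as an input from the behavior-scoring model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    name: str
    op_cost: float       # cost of running the step (SMS fee, agent time)
    abandon_rate: float  # share of legitimate users lost to the friction
    stop_rate: float     # share of fraudulent attempts the step blocks

# Constructed figures for illustration; a real deployment measures its own.
ACTIONS = [
    Action("allow", 0.00, 0.00, 0.00),
    # The intruder already logged in with the password, so asking for it
    # again adds friction but stops very little.
    Action("re-enter password", 0.00, 0.02, 0.05),
    Action("one-time password", 0.05, 0.08, 0.85),
    Action("manual call-back", 4.00, 0.03, 0.97),
    Action("decline", 0.00, 1.00, 1.00),
]

def expected_cost(action, p_fraud, order_value, margin):
    """Expected loss of responding to one order with `action`."""
    # Assumption: fraud that slips through costs the full order value.
    fraud_loss = p_fraud * (1 - action.stop_rate) * order_value
    # Legitimate customers who abandon cost the margin on the sale.
    lost_sale = (1 - p_fraud) * action.abandon_rate * order_value * margin
    return fraud_loss + lost_sale + action.op_cost

def choose_action(p_fraud, order_value, margin=0.25):
    """Pick the response with the lowest expected cost for this order."""
    return min(ACTIONS,
               key=lambda a: expected_cost(a, p_fraud, order_value, margin))

if __name__ == "__main__":
    # (behavior score, order value) pairs, constructed for the demo.
    for p_fraud, value in [(0.01, 200), (0.30, 40), (0.70, 200), (0.70, 20)]:
        best = choose_action(p_fraud, value)
        print(f"p(fraud)={p_fraud:.2f} order={value:>4} -> {best.name}")
```

With these figures, the 70% score on a 200-unit order selects the manual call-back, while re-entering the password costs almost as much as doing nothing because it repeats a factor the intruder already holds.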
Benefits of Risk-Based Authentication for eCommerce
With so many authentication options, it can become difficult to justify one choice over any others. By using intelligent interdiction, the act of only asking for additional authentication when suspicious behavior occurs, you can increase customer satisfaction at the same time as you expand security.
You can protect your customers across the environment to catch any anomalous behavior – not just at the checkout. The visibility gained from a multi-layered solution that can monitor your user throughout their session can, and should, be used concurrently with RBA. With this combination, you can make more informed risk decisions and interdict only when necessary.
By adding protection without creating friction, risk-based authentication leads to fewer abandoned carts and more satisfied customers, as your loyal, valued users seamlessly enjoy your environment.