Research firms have been talking about a stronger version of Multi-Factor Authentication, but what’s it all about?
Before you get too excited: there is no such thing as a silver bullet when it comes to increasing security or preventing fraud. However, we hear about a push for a new framework that claims to help online businesses gain some ground on fraudsters: high-assurance strong authentication, which is defined as a stronger version of the Multi-Factor Authentication (MFA) system.
The current landscape
MFA has traditionally been synonymous with strong authentication, but the endless stream of breaches is rendering one of its usual factors, the username and password, close to useless. A password that has already been leaked is a factor the attacker holds too, so practically every current deployment of MFA that keeps the password in the game is weakened by it. What was known as strong authentication no longer is.
Last month Javelin released a 2017 State of Authentication report where they explored this enhanced version of MFA – that merges MFA with strong cryptography – and its benefits for the e- and m-Commerce environment.
In this report, Javelin found that a staggering 45% of companies still use authentication practices for their customers that are considered weak. Looking at these numbers, it is not surprising that hackers take advantage of those weak techniques to perform account takeover attacks. In fact, high-risk traffic is more common than most companies think: based on analysis of NuData’s consortium data, on average half of a company’s traffic consists of account takeover attempts.
Account takeover and other forms of fraud are fueled by the steady stream of personal data that fraudsters steal from companies in massive data breaches. And, unfortunately, breaches are becoming a fact of life. In the US, online businesses are forecast to lose $844 million to fraud in 2017, and this number is set to keep escalating, based on Aite’s September report. What can companies do about it?
In the report, Javelin recommends implementing high-assurance strong authentication to fight this growing plague of fraud. The report outlines a system in which one of the verification factors is protected with public key cryptography, using a public key infrastructure (PKI), through a protocol designed to resist replay attacks.
As the Javelin report explains, PKI enhances security because, instead of sending a shared secret to prove the identity of a user, the server can confirm that the user possesses the private key (for example, by having the user’s device sign a fresh challenge) without that key ever being transmitted. This way, “[it] helps to mitigate the most common authentication vulnerability – the chance that a secret is intercepted or stolen and subsequently replayed.”
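To make the replay-resistance point concrete, here is an added example of a public-key challenge-response login (it is not code from the Javelin report or from NuData). The server issues a random, single-use nonce with a short lifetime; the client signs the nonce, bound to the site’s origin, with an Ed25519 private key that never leaves the device; the server verifies the signature against the registered public key and consumes the nonce before checking it. The origin "https://shop.example", the user names and Ed25519 as the signature scheme are assumptions chosen for the example; the report does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Server is the relying party: it knows each user's registered public key
// and the set of challenges it has issued but not yet seen answered.
type Server struct {
	mu         sync.Mutex
	origin     string
	ttl        time.Duration
	users      map[string]ed25519.PublicKey
	challenges map[string]time.Time // hex(nonce) -> expiry
}

func NewServer(origin string, ttl time.Duration) *Server {
	return &Server{origin: origin, ttl: ttl,
		users: map[string]ed25519.PublicKey{}, challenges: map[string]time.Time{}}
}

// Register stores the public half of a user's key pair. The private half
// stays on the user's device and is never sent to the server.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[user] = pub
}

// Challenge issues a fresh, random, single-use nonce with a short lifetime.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.challenges[hex.EncodeToString(nonce)] = time.Now().Add(s.ttl)
	return nonce, nil
}

// Response is the client's answer: who is authenticating, which challenge
// it answers, and a signature over that challenge.
type Response struct {
	User  string
	Nonce []byte
	Sig   []byte
}

// signedMessage binds the nonce to the site's origin, so a challenge that a
// phishing site obtained for its own origin does not verify here.
func signedMessage(origin string, nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// Sign is the client side: prove possession of the private key by signing
// the server's challenge. Only the signature crosses the wire.
func Sign(user string, priv ed25519.PrivateKey, origin string, nonce []byte) Response {
	return Response{User: user, Nonce: nonce, Sig: ed25519.Sign(priv, signedMessage(origin, nonce))}
}

var (
	ErrUnknownUser = errors.New("unknown user")
	ErrReplay      = errors.New("challenge not outstanding: replayed, expired or never issued")
	ErrBadSig      = errors.New("signature does not verify for the registered key")
)

// Verify checks a Response. The nonce is consumed before anything else is
// checked, so a captured Response cannot be replayed and a failed attempt
// cannot be retried against the same challenge.
func (s *Server) Verify(r Response) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(r.Nonce)
	expiry, outstanding := s.challenges[key]
	delete(s.challenges, key) // single use, whatever happens next
	if !outstanding || time.Now().After(expiry) {
		return ErrReplay
	}
	pub, ok := s.users[r.User]
	if !ok {
		return ErrUnknownUser
	}
	if !ed25519.Verify(pub, signedMessage(s.origin, r.Nonce), r.Sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	const origin = "https://shop.example" // hypothetical relying party
	pub, priv, _ := ed25519.GenerateKey(nil)
	srv := NewServer(origin, time.Minute)
	srv.Register("alice", pub)
	nonce, _ := srv.Challenge()
	resp := Sign("alice", priv, origin, nonce)
	fmt.Println("fresh response:", srv.Verify(resp))    // <nil>
	fmt.Println("replayed response:", srv.Verify(resp)) // ErrReplay
}
```

The two design choices worth copying are the ones the report’s quote is about: a stolen transcript is worthless because the nonce is consumed on first use and expires anyway, and a stolen server database only yields public keys, which cannot produce a valid signature. Binding the origin into the signed message is the extra step that also defeats a phishing site relaying challenges in real time.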
The weak spots
High-assurance strong authentication has two clear drawbacks. The first one is the operational cost that its implementation could require. The second one is the amount of friction that is placed between the customer and their online activity in a world that demands seamless and friction-free digital experiences.
Many companies see friction not only as unavoidable but also as beneficial in persuading customers that their site is secure. However, the numbers researched by BI Intelligence in their 2016 report paint a different picture of customers’ reaction to friction: in the US e-Commerce environment, for instance, 46.1% of users abandon the transaction at the checkout stage due to friction.
In addition to the added friction, this type of authentication has gaps of its own: any data, including a physical biometric trait, can be replicated, and has been. Physical biometrics are much harder for an attacker to fake, but the internet is always there to fill the gaps and put such fraud within reach of any determined fraudster.
We like to see efforts like this one to improve security frameworks such as MFA. However, adoption has been slow, and it does not offer the ideal easy and seamless experience. The numbers speak for themselves: currently, a mere 5% of businesses have implemented high-assurance strong authentication.
Polishing the bullets we have
There is no such thing as the ultimate digital security solution, but in the meantime, the online trust and authentication problems can be addressed by integrating a behavioral analytics and passive biometrics layer into a company’s authentication system.
This layer lets companies apply multi-factor authentication, and the friction that comes with it, only in situations of possible risk, safely fast-tracking clients who are known, trusted good users, and thus drastically reducing fraud and risk. The behavioral biometrics layer has near 100% accuracy in stopping account takeover and adds friction or step-up only when risk is present.
All in all, in a world with no silver bullets, implementing behavioral biometrics is still the best way to hit your target.