Buyer Behavior and Strong Authentication

The Search for Strong Authentication – What’s Next?

In its search for advanced online security, the financial market has been very apparent that customer convenience must not be sacrificed. The industry is moving toward providing consumers with options in how they want to authenticate.

Known as a multimodal approach to authentication, physical biometrics such as fingerprints, iris scans and voiceprints adds another level of verification. In April 2017, Mastercard kicked off a trial of using fingerprint scans combined with chip technology. That same month, Samsung launched iris scans on its Galaxy 8, although garnering mixed reviews as the device was recently was fooled with a photograph.

The convenience of this multimodal approach to authentication doesn’t have to be discarded. Passive behavioral biometrics add another layer further raising the security level to provide higher accuracy identity verification, lower fraud, and create a better customer experience. Both consumers and financial institutions are happy – it’s safe, seamless, secure.

So how does this look in the real world? Traditionally, consumers log in to their favorite sites – perhaps financial services or eCommerce environments – entering their username and password. There would be some analytics behind the scene looking at the IP address of the customer, the time of day they are logging in and the device ID. If these criteria meet the website owner’s expectations, the transaction proceeds.

But these days, users are being hit with request after request for multi-factor authentication (MFA). It could be a one-time password, a PIN code, a text message, or a request for physical biometric verification, such as an iris scan or a selfie. What at first seemed like a cool way to fight fraud, became annoying and inconvenient to consumers as they faced what amounted to multi-factor challenge fatigue. MFA take into account the contextual appropriateness of some of these methods, such as taking a selfie or saying an authentication phrase into a device, which clearly is not appropriate in a meeting or culturally sensitive location.

This brings us back to the challenge of financial institutions looking for solutions that provide options to consumers while maintaining high levels of accuracy and remediation of risk.

Passive biometrics and passive consumer behavior analytics work behind the scenes to inspect the transaction, analyzing how consumers behave when interacting with their technology devices, and the website. How do they use the keyboard? Do they type quickly or slowly? Do they mouse or tab between form fields?

It allows the authenticating party to strongly verify that the user is who they say they are, without adding extra friction. Once the behavioral biometrics and the passive biometrics analysis and verification are completed, most customers sail right through, because they are strongly authenticated without any additional actions. 

Consumers who aren’t able to passively authenticate can self-remediate through the use of other physical biometrics verifications and mechanisms. Instead of putting every customer through this friction, they only subject those who truly look risky.

Our work is constantly evolving. Obviously, we have to be on the lookout for new ways of committing fraud, new types of malware and other emerging threats, but that’s why we’re in this business – to protect users from ever evolving threats.

A bigger trend to watch is the growth of the Internet of Things (IoT) and machine learning. Machine learning is at the core of passive behavioral evaluation, but IoT expands both the risks and opportunities. The devices consumers use daily provide additional points of plausibility for identify verification.

Let’s look at a sample user. They have a laptop, a smartphone, and a smart watch, all connected to Bluetooth and WIFI. This web of devices is potentially looking at the user’s heartbeat, body temperature, perhaps things such as gait. All of this additional data can be used to strongly authenticate the person and is an area of interest across the industry.

At the end of the day, what really matters is consumer safety. Hundreds of millions of records are being breached and stolen constantly. Consumers should be aware that this is occurring and have an expectation that their data is out there. Technologies that tie their data to their natural physical interactions within online sessions makes them a lot safer than sites that don’t use them. Consumers are within their rights, and in fact are advised, to ask service providers how they protect their customers online.

Breaches may not be preventable, but it is possible to prevent hackers from being able to use the data they steal in these incidents, rendering it completely useless and thus protecting victims of a data breach from further harm.

Want to read more posts like this? See our full blog here.