CISOs looking to beef up their customer-facing authentication procedures to thwart cyber attacks need to walk a fine line.
You want the method to provide tight security without being too complicated, confusing, or onerous for end users. You also need to be mindful of privacy concerns, particularly when it comes to approaches like challenge questions or facial recognition.
Selecting the most appropriate authentication method for your customers is something of a moving target because consumer attitudes are always changing. The pandemic has had an effect: consumers prevented from in-store shopping due to lockdowns turned to online retail and never looked back.
Experts say that as consumers became more accustomed to digital purchases for things like groceries, they also became more comfortable with other forms of digital commerce, such as mobile banking or digital wallets.
Demographic differences do apply, however. For example, consumers in the “digital native” generation expect to be able to seamlessly move among all their devices and across multiple platforms such as shopping sites, payment methods, and their bank, according to a study conducted by PYMNTS.com and Nok Nok Labs that focused on the banking industry. These super-connected customers are more open to innovative security measures such as passwordless authentication.
One thing all demographic groups recognise: Passwords are the most annoying authentication method and offer the least protection. Consumers want and expect organisations to transition from password-based authentication to more modern alternatives such as biometrics (fingerprints or facial recognition), multi-factor authentication (MFA), or even methods that are invisible to the user.
Security a top consumer priority
According to Experian’s 2021 Global Identity and Fraud Report, 55 per cent of respondents said that security is their top priority when conducting an online transaction. When asked by Experian to rank authentication methods based on their level of security, 74 per cent cited biometrics as the most secure, followed by PIN codes sent to mobile devices (72 per cent), and behavioural analytics (66 per cent), a technique that uses passively observed signals and requires no action by the consumer.
Experian summed up its research this way: “Notably, passwords didn’t earn a spot in the top three methods for authenticating customer identity, even though nearly every digital account and device includes some sort of password protection. This indicates a new shift in consumer thinking that moves away from the realm of the password.”
The report added, “One of our most significant findings was the increasing comfort and preference that consumers have for physical and behaviour-based -- or invisible -- methods of security.” The data also shows that consumers are more willing “to have businesses manage their security and privacy without overt involvement.”
Historically, organisations used authentication methods that relied on customer actions -- memorising passwords, answering challenge questions, the back and forth associated with entering a username/password, receiving a one-time PIN code (possibly on a different device if you’re using a computer to conduct the transaction and the password goes to your phone), and then entering it into a field.
James Brodhurst, head of Experian’s Identity and Fraud Practice in Europe, Africa and Middle East, adds, “Businesses more than ever need to balance fraud prevention and a smooth customer experience. Fortunately, many of the necessary checks can be carried out invisibly and in real-time while onboarding the customer. For example, running consistency checks on their device or behavioural biometric assessment of the customer.”
The PYMNTS researchers came to a similar conclusion. Their survey of more than 2,000 adult consumers found a significant disconnect between the legacy methods that customers use to access their bank accounts and their preferred methods.
Three-quarters of consumers are still using username/password, but only 42 per cent prefer that method. In terms of alternatives, 18 per cent said they would rather use authentication based on PIN codes, another 14 per cent said they would prefer fingerprint-only authentication, 11 per cent wanted facial scans only, and 13 per cent said they would prefer MFA.
The upshot: “Given the shift in consumer preferences, businesses have the opportunity for a new approach to security, layering visible and invisible methods. By leveraging data and observations garnered throughout the customer journey, companies can facilitate accurate recognition and authentication at each discrete decision,” said Experian researchers.
Authentication options evaluated
Passwords: The legacy approach
“Passwords have been a consistent headache for security practitioners for years,” said 451 Research in its recent Market Intelligence report on MFA. “The security flaws inherent in passwords are manifesting in the rising tide of data breaches related to credential theft.”
IDC puts it a little more bluntly in its MarketScape report, Worldwide Advanced Authentication for Identity Security 2021: “Any security team member who doesn’t know that compromised identity credentials are the leading cause of network security breaches and/or data losses is living under a virtual rock. Passwords are….well bad.”
Bottom line: Passwords are the incumbent, legacy solution, and customers are ready for better options.
One-time password via SMS: Another legacy approach
Often paired with username/password, this commonly used method involves sending an SMS message containing a one-time password to the user's mobile phone. However, SMS is not a particularly secure transport, and NIST now recommends against the use of SMS as a second factor. Gartner's Market Guide for User Authentication adds that legacy out-of-band methods using SMS are “relatively weak.”
Biometrics: A technology whose time has come
With fingerprint-based authentication a feature on smartphones for many years and facial recognition a standard feature on new iPhones, iPads, and Microsoft Surfaces, consumers are getting accustomed to biometrics as an authentication method.
Biometrics offer many advantages as a replacement for passwords. They are fast, reliable, and difficult to spoof. They don’t require that the consumer do or remember anything.
The only drawback revolves around privacy concerns. It’s one thing if a consumer uses their face to unlock their own phone, but it’s quite another to provide biometric data to third parties, no matter how trusted and no matter how much they insist that biometric data is protected and encrypted.
For example, in a recent KPMG survey, only 44 per cent of consumers found the use of facial recognition to access their financial information to be acceptable. So, companies implementing biometrics need to make a concerted effort to be transparent about how they handle biometric data.
Multi-factor authentication: Two factors are better than one
Gartner predicts that by 2023, 60 per cent of large, global enterprises will deploy MFA, a significant increase from only 10 per cent today. Gartner also distinguishes between legacy MFA, in which one form of identification is username/password, followed by a second method, either a challenge question or a PIN code sent to a consumer’s phone or email, and more advanced MFA, which eliminates the password altogether.
One increasingly popular authentication method is push notification. With push technology, users receive a notification on their mobile device through a dedicated authenticator app. Customers open the app, inspect the details of the authentication attempt, and must confirm the verification request.
Push is easy to use, efficient, and low-cost. The only real drawback seems to be that some users might absentmindedly hit the approve button without looking at the notification, so they could end up approving a bogus transaction. Gartner says that it has seen an increasing willingness on the part of customers to adopt methods such as mobile push in the banking industry.
Another MFA wrinkle is to require the end user to enter not a username/password, but an email address. Either a login link or a PIN code is then sent to that email address.
Organisations have many ways they can mix and match various multi-factor methods to find the right balance between security and a smooth user experience.
Invisible authentication: Wave of the future
The most promising authentication method, so-called invisible authentication, doesn’t require the end user to do anything. There are several variations on this theme:
- Behavioural biometric authentication: This analyses keystrokes, mouse dynamics, or even how a person holds their phone.
- Device recognition: The authenticating party recognises a device that has previously been authenticated and treats it as a trusted signal.
- Contextual/behavioural: This might include geolocation, computing environment and the nature of the transaction being attempted.
Another concept associated with passwordless, low-friction authentication is continuous authentication based on customer behaviour. For example, if the authentication authority has enough contextual information at login (IP address, geolocation, past history), it might let the user in without any visible check.
However, the authentication system continues to monitor the customer’s activity and if anything raises suspicion or they attempt a task that requires a higher level of authentication, the system might then send a push notification asking the customer to verify a transaction.
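The step-up flow sketched above, and the push verification described under multi-factor authentication, can be expressed as a small risk-based decision engine. The following is an added illustration, not code from Experian, Gartner or any vendor named in this article: each request in a session is scored from passively observed signals (device recognition, geolocation, failed-login history, the nature and size of the transaction); low scores pass silently, mid-range scores trigger a push challenge that shows the customer the details of the attempt, and high scores are blocked. The signal names, weights and thresholds are assumptions chosen for the example.

```python
"""Risk-based, continuous authentication decision engine (illustrative).

Scores each request in a session from passively observed signals and
decides whether to let it through invisibly, step up with a push
verification, or block it. Weights, thresholds and signal names are
constructed for this example, not any vendor's scheme.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # invisible: no user action needed
    STEP_UP = "step_up"    # visible: push verification in the authenticator app
    DENY = "deny"          # too risky even to offer a step-up


@dataclass
class Profile:
    """What the authentication authority already knows about the customer."""
    known_devices: set
    usual_countries: set
    recent_failed_logins: int = 0


@dataclass
class Request:
    device_id: str
    ip: str
    country: str
    action: str            # "login", "view_balance", "transfer", ...
    amount: float = 0.0


@dataclass
class Session:
    profile: Profile
    elevated: bool = False  # set once a push challenge has been approved
    log: list = field(default_factory=list)


HIGH_RISK_ACTIONS = {"transfer", "change_contact_details"}
STEP_UP_THRESHOLD = 40   # assumed: at or above this, ask the user to verify
DENY_THRESHOLD = 80      # assumed: at or above this, refuse outright


def risk_score(req: Request, profile: Profile):
    """Return (score, reasons). Weights are constructed for the example."""
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:
        score += 40
        reasons.append("unrecognised device")
    if req.country not in profile.usual_countries:
        score += 30
        reasons.append("unusual geolocation")
    if profile.recent_failed_logins >= 3:
        score += 25
        reasons.append("recent failed logins")
    if req.action in HIGH_RISK_ACTIONS:
        score += 20
        reasons.append("high-risk action")
    if req.amount >= 1000:
        score += 20
        reasons.append("large amount")
    return score, reasons


def build_push_challenge(req: Request, reasons):
    """Details shown in the authenticator app so the customer can inspect
    the attempt instead of approving it blind."""
    return {
        "action": req.action,
        "amount": req.amount,
        "from_ip": req.ip,
        "country": req.country,
        "why_asked": reasons,
    }


def evaluate(session: Session, req: Request):
    """Decide one request within a continuously monitored session."""
    score, reasons = risk_score(req, session.profile)
    if score >= DENY_THRESHOLD:
        decision, challenge = Decision.DENY, None
    elif score >= STEP_UP_THRESHOLD and not session.elevated:
        decision, challenge = Decision.STEP_UP, build_push_challenge(req, reasons)
    else:
        decision, challenge = Decision.ALLOW, None
    session.log.append((req.action, score, decision))
    return decision, challenge


def approve_push(session: Session, user_approved: bool):
    """Outcome of the push verification: elevate the session only on approval."""
    if user_approved:
        session.elevated = True
    return session.elevated


if __name__ == "__main__":
    # Constructed walk-through: a known device in the usual country logs in
    # silently, then a large transfer triggers a push challenge.
    profile = Profile(known_devices={"dev-1"}, usual_countries={"GB"})
    session = Session(profile)
    print(evaluate(session, Request("dev-1", "203.0.113.5", "GB", "login")))
    print(evaluate(session, Request("dev-1", "203.0.113.5", "GB", "transfer", 5000)))
```

The session-level `elevated` flag is what makes this continuous rather than one-shot: the customer is asked to verify once, and subsequent requests at the same risk level pass until the session ends, while a request that crosses the deny threshold is still refused regardless of prior approval.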
As David Britton, vice president of industry solutions at Experian says, “There’s an opportunity for companies to more freely adopt invisible solutions, which can reduce friction and increase customer satisfaction.”
Of course, every authentication method has its pros and cons. With invisible authentication, the customer might rightfully question whether the security protocols are there at all since they are not readily apparent. This concern can likely be overcome with education and with a frictionless user experience.