Static authentication is broken
The year 2017 saw the most data security breaches in history, surpassing 2016’s record of 1091 breaches. Since 2013, over nine billion records have been exposed – more than the number of people on Earth! This stolen personal information is primarily used to perform account takeover attacks (ATO) that affect customers and businesses. Based on research from Forrester, ATO losses in the U.S. were estimated to reach $7 billion in 2017 alone. We have reached a point of no return where passwords and static authentication are just plain broken. Companies need to revamp their online security strategies by implementing new technologies. Below we have gathered the must-haves for the right cake recipe for online security.
Ingredient #1: Layers
Authentication layers act like tools, and each of them has a function. Each is a different tool, just as a screwdriver and a wrench are different tools with different uses for projects around your house. If you only authenticate your users with a single tool, such as one that just looks at the IP address, device and location, chances are you are going to make inaccurate authentication decisions – and let fraudsters get through.
For example, if your customer travels to another city and accesses their account, IP, device ID and location tools will interpret that new location as an indicator of fraud and even block the log-in. At the same time, impostors are very good at spoofing IP, device ID and location information, so relying just on these factors won’t help you stop fraud. A good security solution starts by gathering a variety of tools.
Ingredient #2: Dynamic data
There are two types of tools: static tools and dynamic tools.
Static tools are those security layers that look at static information and provide a deterministic output: Is the information presented correct or not? Is this IP known or not? By providing a binary yes-no answer, static tools miss the gray area in the middle.
Dynamic tools evolve along with the customer or potential fraudster. Dynamic intelligence that looks at user behavior, such as passive biometrics, can build an accurate digital profile of your customers. This is done by evaluating how the users hold the device, how hard they press the keys or how fast they type, to name a few of the hundreds of data points monitored by passive biometrics. Most importantly, these behavioral patterns are impossible to replicate by a third party, thus protecting online accounts from account takeover.
Dynamic tools such as behavioral biometrics help companies reach near 100% accuracy in legitimate user verification. This way, if I am traveling to Mexico and checking my account from the hotel computer, the passive biometrics layer will recognize that even if the location, IP, and device ID are different the behavior is the one expected from me. Consequently, I will be allowed through without experiencing any friction during log-in.
The tools from your toolbox need to be integrated so that they communicate with each other. Having a collection of layers in your security strategy won’t be of much help if they don’t come together into one cake.
When your tools are integrated, they can provide a more accurate probabilistic output. For example, if I am still in Mexico trying to check my credit card bill, the device intelligence layer will say that it can’t be me – because the IP, location, and device ID are different. However, the layer that looks at my behavior will say, “No, this behavior is what is expected for this user” and the final probabilistic output will say that my log-in has little to no risk.
Serve in a risk-based authentication bowl:
Risk-based authentication (RBA) is a framework that helps companies automate decisions based on the score provided by integrated fraud management tools. For instance, a company can create a rule where, if someone’s risk score is above 60%, the system adds an authentication method that creates friction for the user. This could be fingerprint identification, a retinal scan or another option the company has chosen to provide.
This type of friction, presented to high-risk profiles only, is what we call intelligent friction. It helps you fast-track those users who – like me when I’m traveling in Mexico – have changed some of their static forms of identity but are still legitimate. You end up challenging only those users who show suspicious or high-risk behavior.
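As an added illustration, not code from the original post, here is a small Python model of the integrated, risk-based flow described in the last few sections: three static layers give binary verdicts, a constructed passive-biometric signal (per-key hold times) gives a similarity score, and the combined probabilistic risk score is checked against the post's 60% step-up rule. The layer weights, the similarity tolerance and the sample timings are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class LoginContext:
    ip_known: bool          # static layer: IP seen before for this user?
    device_known: bool      # static layer: device ID seen before?
    location_known: bool    # static layer: geolocation seen before?
    key_hold_ms: list       # constructed behavioral signal: key hold times in ms

# Assumption: a relative deviation of 50% or more from the stored profile
# means the typing rhythm no longer matches at all.
TOLERANCE = 0.5
STEP_UP_THRESHOLD = 60      # the post's example rule: above 60% add friction

def static_only_decision(ctx):
    """A static tool on its own: any unknown IP/device/location is a binary 'block'."""
    all_known = ctx.ip_known and ctx.device_known and ctx.location_known
    return "allow" if all_known else "block"

def behavior_similarity(observed, profile):
    """Return 0..1 similarity between observed hold times and the stored profile."""
    if not profile or len(observed) != len(profile):
        return 0.0
    # Mean absolute deviation, scaled by the profile's typical hold time.
    rel_dev = mean(abs(o - p) for o, p in zip(observed, profile)) / mean(profile)
    return max(0.0, 1.0 - rel_dev / TOLERANCE)

def risk_score(ctx, profile):
    """Combine the binary static layers with the dynamic layer into one 0..100 score."""
    static_flags = [not ctx.ip_known, not ctx.device_known, not ctx.location_known]
    static_risk = sum(static_flags) / len(static_flags)          # fraction of layers alarmed
    behavior_risk = 1.0 - behavior_similarity(ctx.key_hold_ms, profile)
    # Assumed weights: behavior outweighs the spoofable static signals.
    return round(100 * (0.3 * static_risk + 0.7 * behavior_risk))

def decide(ctx, profile):
    """RBA rule: challenge only when the integrated score exceeds the threshold."""
    score = risk_score(ctx, profile)
    return ("step_up" if score > STEP_UP_THRESHOLD else "allow", score)

if __name__ == "__main__":
    profile = [120, 95, 110, 130, 100]                          # constructed stored profile
    # The traveling customer: every static signal is new, but the typing rhythm matches.
    traveler = LoginContext(False, False, False, [118, 98, 112, 127, 103])
    # An impostor who spoofed IP, device and location but types differently.
    impostor = LoginContext(True, True, True, [60, 200, 45, 180, 55])
    for name, ctx in (("traveler", traveler), ("impostor", impostor)):
        print(name, static_only_decision(ctx), decide(ctx, profile))
```

Run as a script, the traveler is blocked by the static layer alone but allowed by the integrated score, while the impostor passes the static layer and is sent to step-up authentication.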
Baking your cake for 2018
The beginning of the year is a good time to look back at the fraud strategy you used in 2017 and make the changes needed to face this year’s challenges. When you implement a multi-layered, integrated strategy that looks at your customers’ behavior, you are protecting your business from most types of fraud while providing a seamless experience to the vast majority of your legitimate users.