
The next evolution in authentication


Authentication is the cornerstone of online life, allowing billions of people to access products and services in the digital age. From logging onto Facebook or subscribing to Netflix, to paying taxes virtually or buying a phone on Amazon – all these actions require a method of real-time authentication. 

We’re already quite at home with having to prove that we are who we say we are when going about our daily online activity, but the online ecosystem must remain vigilant against interlopers or fraudsters misusing identities, personal details and payment methods.

Authentication solutions serve as a crucial safeguard against fraud, defending against organized crime, money laundering and illegal practices by verifying a match between an account holder’s identity and payment data, thus legitimizing a payment. The key is to do this while keeping data secure.

In the USA, it was recently announced that poor authentication led to up to $8 billion being stolen from the National Covid Relief Fund by fraudsters claiming to be people they were not. Poor communication about authentication methods made the recent presidential election subject to erroneous claims of fraud and vote stuffing. And yet, too many processes are still done by hand. We can see that authentication has a huge impact on our daily lives and holds a special position for the future.

A growing need to authenticate online transactions

As the ongoing pandemic has pushed our professional, leisure and retail activities further online, authentication has become an even more critical process.

The surge in online shopping, alongside ‘buy now pay later’ schemes, remittance payments and neobanking, has only heightened the need to authenticate accurately. This could not be more true for Card-Not-Present (CNP) and crypto transactions.

Understandably, with large swathes of the working population recently moving to remote working, more than 70 percent of UK business decision-makers believe the shift to working from home during the pandemic has increased the likelihood of a cyber attack.

Almost half (46 percent) noted an increase in phishing attacks since lockdown and the subsequent need to verify the identity of employees accessing company networks, making payments, or submitting data to company platforms.

Regulation, regulation, regulation

Pre-Covid-19 fraud losses on UK-issued cards totaled £620.6 million in 2019, an 8 percent decrease from £671.4 million in 2018.

Unsurprisingly, the online payments boom of recent years led to new regulation to manage the problem, with new PSD2 Strong Customer Authentication (SCA) requirements coming into play in 2021.

This will make two-factor authentication (2FA) necessary for all CNP purchases over €30 in Europe/£30 in the UK, with a few exemptions granted on technical grounds according to the rates of fraud and chargebacks.

There are, however, concerns that this mandatory secondary authentication constraint could increase friction for customers, costing merchants up to $100 billion in lost and abandoned sales. Merchants who qualify for exemptions on all their payment types (including PISPs) will be able to take payments without 2FA, creating an enormous need for streamlined authentication processes.

Authentication and user data are at the heart of lowering fraud rates

The online age has brought a wave of user-focused businesses staking their claim to authentication through user data. Companies such as PayPal, Amazon, Apple, Google and Facebook offer Single Sign On (SSO) features or complete customer ‘walled gardens’ in which there are so-called ‘data lakes’.

Many companies online now ‘own’ that data. They use it to authenticate the user within their network or to benefit partner companies, but this may risk the privacy of the user.

The cost of authentication

There is a real arms race among data-driven companies to position themselves as gatekeepers of digital identity, keeping users and their data within proprietary environments. However, authentication is a ticket to play and should be open, transparent and movable.

The great majority of users do not want to be forced into a single company’s ecosystem. While a standardized, unified authentication environment can be convenient for consumers, it comes at a cost. Users risk having their privacy and data exposed and their authentication ‘tied in’ to their provider. Nor does this method improve fraud prevention or security: last year alone more than 400 million user identities were hacked.

The problem is that the ‘tethering’ of authentication means every non-customer is treated as a risk. If you fail to meet authentication requirements or break a rule by mistake, then your cards, accounts or funds may be blocked indefinitely. More often than not, the consumer has the obligation to prove they are who they say they are. This is even the case for the most disruptive of neobanks and payment platforms.

Behavioral biometrics

Merchants looking to integrate fast, safe and frictionless authentication into their payments process should partner with an advanced authentication service provider.

More recent technology providers base the process on probabilistic and adaptive risk dynamics and operate in real time, which reduces friction.

The latest innovations in behavioral biometrics and transactional data preserve security without sacrificing privacy, creating an anonymized – or at least semi-anonymized – data fingerprint that becomes a token.

For example, there are fraud prevention and risk management solutions out there that collect device-level behavioral data and analyze events on the device, automatically generating an encrypted token based on the values from the tokenized device together with distinct patterns from its owner’s actions, using these as a surrogate identity.

This type of authentication can be done independently of private or identity data, so customers never have to submit a form or send any personally identifiable information (PII). This means that none of the data sampled can be used for any other purpose.

By harnessing this type of technology, merchants can receive real-time, 99 percent accurate risk-based authentication. Customers, meanwhile, benefit from frictionless transactions, uncompromising privacy and an enhanced user experience.

Ultimately, online transactions are more secure and stakeholders more confident about managing CNP transactions.
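The token-plus-behavior approach described in this section, as an added illustrative sketch (not code from the article or from any vendor): a keyed hash of device values stands in for the "encrypted token" and acts as the surrogate identity, while typing rhythm is scored against an enrolled profile to choose between a frictionless pass and a 2FA step-up. The secret, feature set, noise floor, threshold and all sample data are assumptions constructed for the example.

```python
import hashlib
import hmac
import math
import statistics

# Assumptions: a secret held only by the risk service, and a 10 ms noise floor.
SERVICE_KEY = b"constructed-demo-key-not-for-production"
STD_FLOOR_MS = 10.0

def surrogate_token(device_values: dict) -> str:
    """Keyed hash of non-PII device values; used as the profile lookup key."""
    canonical = "|".join(f"{k}={device_values[k]}" for k in sorted(device_values))
    return hmac.new(SERVICE_KEY, canonical.encode(), hashlib.sha256).hexdigest()

def features(key_down_ms: list) -> tuple:
    """Reduce key-press timestamps to the mean and spread of inter-key gaps."""
    gaps = [b - a for a, b in zip(key_down_ms, key_down_ms[1:])]
    return statistics.mean(gaps), statistics.pstdev(gaps)

def enroll(sessions: list) -> dict:
    """Build a behavioral profile: per-feature mean and (floored) deviation."""
    cols = list(zip(*(features(s) for s in sessions)))
    return {"mean": [statistics.mean(c) for c in cols],
            "std": [max(statistics.pstdev(c), STD_FLOOR_MS) for c in cols]}

def risk_score(profile: dict, session: list) -> float:
    """Map the average z-score distance from the profile onto 0..1."""
    z = [abs(f - m) / s for f, m, s in
         zip(features(session), profile["mean"], profile["std"])]
    return 1.0 - math.exp(-(sum(z) / len(z)) / 3.0)

def decide(score: float, step_up_at: float = 0.5) -> str:
    """Low risk passes silently; high risk triggers a second factor."""
    return "frictionless" if score < step_up_at else "step-up-2fa"

# Constructed sample data: no names, e-mail addresses or card numbers involved.
DEVICE = {"screen": "1170x2532", "tz_offset_min": 0, "os_family": "ios"}
ENROLLED = [[0, 190, 400, 580, 790],
            [0, 205, 395, 610, 800],
            [0, 180, 390, 585, 795]]
GENUINE = [0, 195, 400, 590, 795]   # similar rhythm to the enrolled sessions
SCRIPTED = [0, 60, 120, 180, 240]   # fast, perfectly regular input

if __name__ == "__main__":
    profile = enroll(ENROLLED)
    print("token prefix:", surrogate_token(DEVICE)[:16])
    for name, s in (("genuine", GENUINE), ("scripted", SCRIPTED)):
        score = risk_score(profile, s)
        print(name, round(score, 3), decide(score))
```

Only the token and the aggregate timing profile need to be stored; the raw device values and keystroke timestamps can be discarded after scoring.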

A turning point for authentication, payments and identity

We are at a crucial point in the history of authentication. Changes in regulatory requirements and the rapid increase in global online buying are setting the course for the future.

It has never been more important for companies to invest in seamless, low-risk services for digital interactions and transactions. And, as the technology improves, merchants, payment systems and consumers will all benefit.

Joshua Bower-Saul, CEO, Cybertonica
