The recent WannaCry ransomware attacks that crippled hundreds of thousands of computers in 150 countries have struck terror in the hearts of governments, banks and businesses worldwide. Malware is becoming increasingly sophisticated, and is taking ominous new directions.
According to the Verizon 2016 Data Breach Investigations Report, no fewer than 63% of confirmed data breaches in 2016 involved the use of valid user credentials. Thus, user authentication has become a crucial issue in the fight against hackers. It is becoming abundantly clear that the authentication methods currently used in two-factor (2FA) and multi-factor (MFA) authentication are unable to withstand the new, highly destructive types of cyber attacks.
Pain Points of Current Authentication Methods
Current commonly used authentication methods are no longer doing their job and these are just some of the reasons why:
- High False Positives - False positives are a major headache for every industry. When it comes to payments, the need to minimize the risk of fraud is clear but with the stakes so high, strict security measures can also end up leading to false positives. According to Javelin, 15% of all US credit cardholders had at least one transaction incorrectly declined in 2015, representing an annual decline amount of almost $118 billion. But lowering the threshold could cause loss of considerable revenue to actual fraud. Current authentication methods fail to effectively differentiate between legitimate and fraudulent transactions.
- Regulatory Compliance - Banks are subject to strict regulations related to money laundering, sanctions screening and more. Investing in manual effort to weed out false positives is costly, but automatic processing may cause even greater losses. Nevertheless, fines for violations - even inadvertent ones - can be huge. Most banks still shudder when they recall HSBC Holdings’ $1.9 billion fine, paid to the US government for allowing itself to be used to launder drug money coming out of Mexico. The problem is peaking as banks seek more effective ways to improve false positive ratios.
- User Friction and Inconvenience - Users want to get their business done easily and quickly, whether they are dealing in purchases or banking transactions. They regard this as their due. But security, especially for mobile banking apps, is of primary importance. 2FA and MFA authentication methods often require the user to enter passwords or captchas more than once. Sometimes, the user is asked to enter a new code sent via a text message or to answer a security question in the course of his activities in a shopping or banking app. All this comes on top of the need to remember the right passwords for various apps, no mean feat when there is a multitude of them. The demand for repeated authentication causes the kind of hassle that seriously irritates your busy customer, sometimes to the point of no return.
Even if a customer remembers multiple usernames and passwords, hackers are finding it increasingly easy to take over users’ accounts by using legitimate credentials stolen via phishing schemes, or by simply bypassing the login altogether.
In 2016, account takeovers rose by 31%, resulting in $2.3 billion in losses. Traditional best practices to avoid account takeover include changing passwords regularly, not using the same passwords across multiple services and checking accounts regularly for abnormal behavior, all of which result in even more user aggravation.
With the threats growing more sophisticated daily and authentication becoming the crux of the security issue, only highly advanced methods based on artificial intelligence technologies can deal with the dynamic challenges that lie ahead for enterprises and banks.
Behavioral Biometrics - The Future of Authentication
Behavioral biometrics is a cutting-edge scientific field which overcomes the weaknesses of older authentication methods while ensuring continuous authentication and a friction-free user experience. It enables unprecedented authentication capabilities based on dynamic human activities that cannot be replicated by fraudsters. Recently, behavioral biometrics was recognized as a robust customer authentication method in the framework of the EU’s PSD2 directive, which will be enforced throughout Europe in January 2018.
- Significantly Lower False Positive Rates - The ability to identify individual human behavior such as typing patterns, device movement and swipe speed enables the construction of foolproof user profiles. With these profiles, enterprises and banks can accurately differentiate between legitimate and fraudulent transactions, enabling them to implement low-threshold fraud detection methods. Legitimate transactions are no longer refused, generating significant savings and greater brand trust and loyalty. After gaining a true picture of fraud risks, banks can carry out accurate sanction screening without the fear of non-compliance.
- Seamless, Same-Day Integration - Biometric analysis works on all smartphones because it relies on sensors that are already embedded in these devices. Users don’t need to buy a token or any kind of external technology to authenticate. For the bank or enterprise, it’s a plug-and-play product, enabling same-day integration. Acuity Market Intelligence predicts that by 2019 all smartphones shipped will feature biometric technology.
- Continuous Authentication - Only by continually checking whether the user is indeed who they say they are is it possible to prevent unauthorised users from using the device or web application at any given time. Bots or hackers may try to take over a user’s account, but continuous authentication ensures that this activity is flagged as fraudulent immediately.
- Smooth User Experience - In contrast to current authentication methods, which oblige the consumer to authenticate his identity repeatedly during use, analysis-based behavioral biometrics conducts constant user authentication in the background. Using proprietary machine-learning algorithms, user behavior is continuously validated against the unique user profile. No explicit user action is required after the initial login, enabling a superior user experience that is uninterrupted and frictionless. The user can concentrate on his transactions without having to remember a string of passwords or codes. All this is achieved without compromising security levels in any way.
Trying to fight off sophisticated fraudsters with passwords and security questions can be compared to shooting at a heat-seeking missile with a bow and arrow. We’ve all received the wake-up call; now’s the time to apply the kind of advanced technologies that can vanquish attackers and keep user data safe.