When businesses began to go online several decades ago, it became apparent that users’ private information would need to be protected against fraud and hackers. Computing and the Internet were still young, and authentication methods evolved alongside them.
Authentication methods came to be based on three factors:
- Something you know - This factor relies on information that only the legitimate account holder should know, such as a password or the answer to a security question (your mother’s maiden name, for example, which is often guessable or publicly discoverable and so the weakest of the three).
- Something you have - This factor relies on the user presenting something that only he or she possesses, such as a hardware security token or a one-time code sent by text message to a registered phone.
- Something you are - This factor relies on a characteristic that is inherently yours, physical (face, voice, fingerprint) or behavioral (how you type, swipe or hold a device).
Single and Multi-factor Authentication
As attacks grew more sophisticated, single-factor security, which meant nothing more than a username and password, became ineffective. Weak or reused passwords are often guessed or cracked within minutes, and stolen credentials from one breach are replayed against other sites, wreaking havoc on information systems.
Fraud defenses were therefore strengthened with multi-factor authentication, which requires two or more factors: typically a username and password as the first, and a one-time token passcode as the second. Over time, the weaknesses of this approach also became apparent. A resourceful attacker can obtain one-time passcodes almost as easily as passwords, for instance by intercepting SMS codes or by relaying them through a real-time phishing page. In addition, because the check happens only at login, there is no way to notice a breach if an attacker takes over the session after the user’s initial entry. And asking users to repeatedly re-enter authentication data disrupted the experience enough to deter use of the service altogether. It was clear that login-time multi-factor authentication alone would no longer suffice in the era of digital transformation.
The Effects of Digital Transformation and the Mobile-First Movement
On Nov. 4, 2016, Google announced its plan to move forward with mobile-first indexing, and with it mobile activity took over. Previously, the search engine giant had focused on indexing desktop content. This means that in order to stay in the game, businesses must offer top-quality mobile sites with a smooth user experience. But it pays to keep in mind that fraudsters move with the flow, so the risk of mobile fraud rises accordingly.
Newer approaches to combating mobile fraud include step-up authentication and risk-based authentication. Step-up authentication is a model in which the user, already signed in at a basic level, is required to perform additional authentication during the session when a sensitive action calls for it under company policy.
Some typical examples of step-up authentication include:
- A customer wishes to transfer money on a banking site after having signed on with a password. The bank sends a one-time code by text message to the customer’s previously registered phone number to provide the additional assurance the transfer requires.
- A businessperson purchasing a birthday gift for her daughter while traveling abroad is prompted to use her fingerprint on her iPhone to authenticate the transaction.
- A parent of a teenager receives a notification to approve a new channel that’s been added to the family’s cable TV package.
Risk-based authentication refers to a dynamic authentication system that weighs signals about the user and the request (the device, location and network the request comes from, the user’s past behavior, and the value of the transaction) to produce a risk score for that transaction. The score then determines how strong a challenge the user must pass: a routine request from a known device may need nothing beyond the existing login, while an unusual one triggers a second factor.
These methods have clear advantages: They offer an optimal user experience by demanding the minimum acceptable level of authentication for a given activity, and they are cost-effective because more expensive checks are applied only when needed. While this automated, per-request assessment increases security, it is certainly not foolproof: the signals it relies on (device identifiers, geolocation, IP reputation) can be spoofed or learned by an attacker, so a low score must never be treated as proof of identity.
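The following is an added example, not code from the original article or from any vendor, showing how the two ideas above fit together in a session: each action has a baseline assurance level, a risk score computed from request signals can raise that level, and a strong factor earned mid-session expires so a hijacked idle session cannot coast on an old step-up. The signal names, weights, thresholds, action policy and the three sample contexts are all assumptions made for the illustration.

```python
"""Step-up and risk-based authentication: an added, simplified illustration.
The signals, weights, thresholds and action policy are assumptions for the
example, not any vendor's product logic."""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered levels; each higher level implies the ones below it."""
    NONE = 0
    PASSWORD = 1   # something you know
    OTP = 2        # plus something you have (one-time code to a registered device)
    BIOMETRIC = 3  # plus something you are (platform biometric)


# Minimum assurance per action, before risk is considered (assumed policy).
ACTION_BASELINE = {
    "view_balance": Assurance.PASSWORD,
    "transfer_funds": Assurance.OTP,
    "change_contact_details": Assurance.OTP,
}

# Strong factors earned mid-session go stale: after this many seconds they no
# longer count, so an attacker who takes over an idle session must re-do them.
STEP_UP_MAX_AGE = 300


@dataclass
class Context:
    """Signals about one request; in practice these come from device
    fingerprinting, geo-IP, IP reputation feeds and the user's history."""
    known_device: bool
    country_matches_profile: bool
    ip_reputation_bad: bool
    amount: float = 0.0
    typical_amount: float = 0.0


def risk_score(ctx):
    """Additive score in [0, 100]; the weights are illustrative."""
    score = 0
    if not ctx.known_device:
        score += 30
    if not ctx.country_matches_profile:
        score += 25
    if ctx.ip_reputation_bad:
        score += 40
    if ctx.typical_amount and ctx.amount > 3 * ctx.typical_amount:
        score += 20
    return min(score, 100)


def required_assurance(action, ctx):
    """Raise the action's baseline according to risk: low risk keeps the
    baseline, medium forces at least an OTP, high forces a biometric."""
    base = ACTION_BASELINE.get(action, Assurance.PASSWORD)
    score = risk_score(ctx)
    if score >= 60:
        return Assurance.BIOMETRIC
    if score >= 30:
        return max(base, Assurance.OTP)
    return base


@dataclass
class Session:
    user: str
    achieved: dict = field(default_factory=dict)  # Assurance -> time achieved

    def step_up(self, level, now):
        self.achieved[level] = now

    def effective_assurance(self, now):
        best = Assurance.NONE
        for level, at in self.achieved.items():
            if level > Assurance.PASSWORD and now - at > STEP_UP_MAX_AGE:
                continue  # stale strong factor; it must be performed again
            best = max(best, level)
        return best

    def authorize(self, action, ctx, now):
        """Returns (allowed, level_needed). When not allowed, the caller
        challenges the user for level_needed and retries the action."""
        need = required_assurance(action, ctx)
        return (self.effective_assurance(now) >= need, need)


# Constructed request contexts for the demo.
LOW = Context(known_device=True, country_matches_profile=True, ip_reputation_bad=False, amount=50, typical_amount=100)
ABROAD = Context(known_device=True, country_matches_profile=False, ip_reputation_bad=False, amount=50, typical_amount=100)
HIGH = Context(known_device=False, country_matches_profile=False, ip_reputation_bad=False, amount=5000, typical_amount=100)


if __name__ == "__main__":
    s = Session("alice")
    s.step_up(Assurance.PASSWORD, now=0)
    print(s.authorize("transfer_funds", LOW, now=5))   # not allowed yet: needs OTP
    s.step_up(Assurance.OTP, now=5)
    print(s.authorize("transfer_funds", LOW, now=6))   # allowed
    print(s.authorize("transfer_funds", HIGH, now=6))  # not allowed: risk demands a biometric
```

The traveller in the second bullet above maps onto the ABROAD context: the country mismatch alone does not raise the score past the medium band, so a purchase still needs only the baseline the action already required, while a new device plus an unusually large amount (HIGH) pushes the request to a biometric challenge regardless of what the session already holds.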
The Future Lies in Continuous Authentication
Savvy users are no longer willing to have their experience disrupted by repeated requests for passwords or token passcodes; they want a smooth ride. Continuous authentication is the next step in the evolution of online authentication. Instead of verifying identity once at login, it keeps verifying throughout the session, and when combined with behavioral biometrics it is designed to detect an impostor who takes over the session at any stage, so that a hijacked or shared session no longer goes unnoticed. Indeed, Brooke Satti Charles, a strategist with IBM, points out that “behavioral biometrics capabilities help to maximize detection [of fraud], reduce false positives and optimize strong authentication.”
Based on the user’s personal actions and traits (typing rhythm, swipe and scroll patterns, how the device is held), which a machine learning model keeps studying during normal use, this method builds a distinct profile without asking the user for anything. A session whose behavior drifts from that profile can then be challenged, while one that matches is left alone. The result is a frictionless but substantially more secure user experience, with the caveat that behavioral models are probabilistic and work best as a trigger for step-up rather than as a hard lockout.
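As an added example, not the article’s own or IBM’s model, here is a deliberately simple form of the idea above using keystroke dynamics: a per-user baseline of inter-key latencies per digraph is learned from enrollment, each window of live keystrokes is scored by how far it deviates from that baseline (median absolute z-score, so one stray keystroke cannot dominate), and the scores are smoothed across windows so that a sustained deviation, not a single odd burst, produces a challenge. The digraphs, latencies, thresholds and all sample data are constructed for the illustration; a production system would use many more features and a trained classifier.

```python
"""Continuous authentication from keystroke dynamics: an added, simplified
illustration (not IBM's or any vendor's model). Digraph latencies, thresholds
and the sample data are all constructed assumptions."""
import statistics
from collections import defaultdict


class KeystrokeProfile:
    """Per-user baseline: mean and spread of inter-key latency (ms) per digraph,
    learned from the user's own typing during enrollment and normal use."""

    def __init__(self, min_samples=5, sd_floor=5.0):
        self.samples = defaultdict(list)
        self.min_samples = min_samples
        self.sd_floor = sd_floor  # avoids huge z-scores for very consistent digraphs

    def enroll(self, events):
        for digraph, ms in events:
            self.samples[digraph].append(ms)

    def baseline(self, digraph):
        xs = self.samples.get(digraph, [])
        if len(xs) < self.min_samples:
            return None
        return statistics.fmean(xs), max(statistics.pstdev(xs), self.sd_floor)

    def score(self, events):
        """Median |z| of a window of (digraph, latency) events against the baseline.
        Median rather than mean so one stray keystroke cannot dominate. Returns
        None when nothing in the window has a baseline to compare against."""
        zs = []
        for digraph, ms in events:
            b = self.baseline(digraph)
            if b is None:
                continue
            mu, sd = b
            zs.append(abs(ms - mu) / sd)
        return statistics.median(zs) if zs else None


class ContinuousAuthenticator:
    """Scores the live session in fixed-size windows and smooths across windows
    (EWMA) so a sustained deviation, not a single odd window, raises a challenge."""

    def __init__(self, profile, window=10, threshold=2.5, alpha=0.3):
        self.profile = profile
        self.window = window
        self.threshold = threshold
        self.alpha = alpha
        self.buffer = []
        self.ewma = None

    def observe(self, digraph, latency_ms):
        """Feed one keystroke. Returns None until a window is full, then
        "ok" or "challenge" (the caller should trigger a step-up, not a lockout)."""
        self.buffer.append((digraph, latency_ms))
        if len(self.buffer) < self.window:
            return None
        s = self.profile.score(self.buffer)
        self.buffer.clear()
        if s is None:
            return None
        self.ewma = s if self.ewma is None else self.alpha * s + (1 - self.alpha) * self.ewma
        return "challenge" if self.ewma > self.threshold else "ok"


# Constructed enrollment data for one user (five samples per digraph, in ms).
ENROLLMENT = ([("th", v) for v in (110, 120, 130, 115, 125)]
              + [("he", v) for v in (90, 100, 110, 95, 105)]
              + [("in", v) for v in (130, 140, 150, 135, 145)])

# Constructed session windows: the enrolled user, the same user with one
# stray keystroke, and an impostor who types noticeably slower.
GENUINE_WINDOW = [("th", 118), ("he", 102), ("in", 138), ("th", 124), ("he", 97),
                  ("in", 143), ("th", 120), ("he", 100), ("in", 140), ("th", 115)]
OUTLIER_WINDOW = GENUINE_WINDOW[:8] + [("in", 400)] + GENUINE_WINDOW[9:]
IMPOSTOR_WINDOW = [("th", 190), ("he", 160), ("in", 220), ("th", 185), ("he", 170),
                   ("in", 230), ("th", 200), ("he", 155), ("in", 215), ("th", 180)]


def build_demo_profile():
    p = KeystrokeProfile()
    p.enroll(ENROLLMENT)
    return p


def run_session(auth, window):
    """Feed a whole window and return the verdict produced at its end."""
    verdict = None
    for digraph, ms in window:
        verdict = auth.observe(digraph, ms)
    return verdict


if __name__ == "__main__":
    auth = ContinuousAuthenticator(build_demo_profile())
    for name, w in (("genuine", GENUINE_WINDOW), ("outlier", OUTLIER_WINDOW), ("impostor", IMPOSTOR_WINDOW)):
        print(name, run_session(auth, w), round(auth.ewma, 2))
```

Run as a script it prints "ok" for the genuine and outlier windows and "challenge" once the impostor's window has pushed the smoothed score past the threshold. Two design points matter in practice: a "challenge" verdict should feed the step-up mechanism (ask for a second factor) rather than terminate the session, because behavioral scores are probabilistic, and the profile should keep learning only from windows that scored "ok", or an attacker who is tolerated long enough will train the model toward their own behavior.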
You can read about the business case for continuous authentication in our whitepaper: