Adaptive Authentication – How Precise Security Drives Growth
When it comes to fraud, financial institutions (FIs) find themselves trying to address competing priorities. On the one hand, the need for strong authentication and user access security continues to rise. Fraud and hacking attempts become more sophisticated each year, and new laws and regulations require stronger customer authentication security to ensure secure access – potentially adding more friction to the customer experience.
However, consumers have no patience for additional security hurdles. Transacting with financial institutions has to be as easy as it is secure. It should be so easy and frictionless that consumers don’t ever think about the security. In fact, studies show that consumers generally don’t think about security until it breaks. When that happens – whether it’s fraud or data breaches – consumers tend to blame the FI. Clearly, security has to be done well in order to create the best possible user experiences, since this will drive growth through improved customer loyalty, retention, and bank services utilization.
The Pressures Shaping Financial Institutions’ Fraud Detection and Authentication Strategies
“Financial institutions are facing pressures that are coming at them from a number of different angles, all of which are shaping their detection and authentication strategies. In addition to the escalating cyber threat environment and changing regulations, there’s the omnipresent pressure for a friction-free customer experience,” says Julie Conroy, banking fraud expert and Research Director for Aite Group’s Retail Banking & Payments practice.
“All of this has a significant impact on FIs. They are walking a tightrope between a security experience that protects the customer and the FI, while at the same time providing a delightful customer experience.”
The Challenges with the Orchestration of Authentication Methods
To make a difficult challenge even more so, financial institutions have been unable to leverage a single, comprehensive solution to mitigate fraud and improve usability for end users. Instead, they have a patchwork quilt of different tools and types of authentication from different vendors that were never meant to interoperate. This creates tremendous complexity as they license individual tools for fraud detection, biometrics, identity and access management servers, security appliances, and additional authentication. From there, they try to tie things together, with frustrating results.
These tools were never intended to be used together, and integration becomes expensive and cumbersome. As new authentication technologies come to market, this situation only grows more complex and creates new pain points for the business. While a boon for consultants and service providers, it doesn’t make for more secure and usable systems.
Orchestrating all these different solutions and authentication factors also becomes a challenge, mainly because automation doesn’t usually figure into the best-of-breed solutions or can’t be implemented across multiple vendors easily.
So how do banks simplify the patchwork quilt of legacy technologies that have been acquired over the years – and unify all solutions under a single, integrated platform? And how do banks pull from all of these disparate third-party data sources in real time to make smarter decisions and ensure user authentication and access control?
Use Cases: How Adaptive Authentication Helps
Adaptive authentication works through an understanding of the consumer’s behavior, the integrity of their devices and mobile apps, and other contextual data points to establish user identity. Though the software may not know an individual consumer’s current bank balance or the date of their last car payment, the authentication algorithm will recognize that Paul regularly transfers $200 to the same account each month from the same mobile phone in Chicago. The data is based on Paul’s activity, rather than static knowledge about his finances and personal life.
Why is this information important? Because, if the geo-location component notices that Paul is trying to send $1,000 to a new account from a different device in Paris, this falls outside his usual scope and contextual pattern. As a result, this transaction is more likely to be an attempt at fraud, and the adaptive authentication tool recognizes it as high-risk. However, people don’t live in boxes. It’s entirely possible that Paul traveled to another city.
Therefore, instead of denying the transaction, the tool leverages adaptive authentication policies to challenge the consumer according to the risk level. Paul gets conditional access to particular account features, such as larger funds transfers. If Paul can pass the security hurdle, such as a one-time password (OTP), security question, or push notification, and authenticate, he can proceed with his transfer. As Paul’s particular contextual patterns and circumstances evolve, the solution is intelligent enough to recognize these changes and adapt his risk profile.
As part of this process, adaptive authentication assembles a series of risk scores to evaluate these various situations as high-risk or low-risk based on user behavior. But unlike the older, linear scores, it can cover multiple dimensions and circumstances and change moment-to-moment. The adaptive security risk score can then become more accurate as it accepts these various third-party inputs. It will become a more reliable indicator of account compromise and potential fraudulent access over time. And because it is based on each consumer’s unique usage patterns, it is very difficult to impersonate.
A large part of this automation process is orchestrating how adaptive authentication will be used and how these assessments will be carried out by the suite of applications that a financial institution ultimately chooses to deploy. The best orchestration technology can examine a wide variety of inputs and combine everything together to make a real-time decision about the precise level of authentication security to apply to each consumer’s unique interaction.
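The Paul scenario above, worked as an added example (not OneSpan's code or algorithm): a behavioral baseline, a risk score over several dimensions, and a policy that steps up the challenge instead of denying. The weights, thresholds, field names and sample transfers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

# Weights and thresholds are illustrative assumptions, not vendor values.
WEIGHTS = {"device": 30, "payee": 30, "city": 20, "amount": 20}
AMOUNT_FACTOR = 3  # flag transfers above 3x the customer's median amount


@dataclass
class Profile:
    """Behavioral baseline built from a customer's authenticated transfers."""
    devices: set = field(default_factory=set)
    payees: set = field(default_factory=set)
    cities: set = field(default_factory=set)
    amounts: list = field(default_factory=list)

    def learn(self, tx):
        """Fold an authenticated transfer into the baseline."""
        self.devices.add(tx["device"])
        self.payees.add(tx["payee"])
        self.cities.add(tx["city"])
        self.amounts.append(tx["amount"])


def risk_signals(profile, tx):
    """Return the dimensions on which tx deviates from the baseline."""
    known = (("device", profile.devices), ("payee", profile.payees),
             ("city", profile.cities))
    hits = {name for name, seen in known if tx[name] not in seen}
    # With no history there is no median to compare against, so skip the check.
    if profile.amounts and tx["amount"] > AMOUNT_FACTOR * median(profile.amounts):
        hits.add("amount")
    return hits


def decide(profile, tx):
    """Map the combined score to a challenge level rather than a hard deny."""
    score = sum(WEIGHTS[s] for s in risk_signals(profile, tx))
    if score < 20:
        return score, "allow"
    if score < 60:
        return score, "otp"
    return score, "otp+push"


# Constructed sample data mirroring the Paul scenario in the text.
USUAL = {"device": "phone-1", "payee": "acct-A", "city": "Chicago", "amount": 200}
PARIS = {"device": "laptop-9", "payee": "acct-B", "city": "Paris", "amount": 1000}
paul = Profile()
for _ in range(6):
    paul.learn(USUAL)
```

Calling `paul.learn(PARIS)` after a successful challenge is what lets the score for a repeat of that transfer fall, which is the adaptation the text describes.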
What to Look for in an Adaptive Authentication Solution
OneSpan has just introduced an intelligent Adaptive Authentication solution built on an open, cloud-based architecture. It combines multi-factor authentication (MFA), behavioral analysis, biometrics, risk analytics, and mobile app security technologies with the latest cloud, machine learning, micro-services and container technologies, to drive growth and retention through:
- Fully optimized user experiences
- Intelligent, real-time fraud detection
- Easier compliance