What is risk-based authentication?
Risk-based authentication (RBA) helps prevent fraud by determining the risk level for each financial transaction and what level of customer authentication is required for each transaction. RBA helps prevent account takeover fraud and other types of online and mobile fraud attacks by matching the authentication to the level of risk involved. Traditional identity and access management technologies are no longer sufficient given the constantly evolving landscape threat and regular data breaches. Risk-based authentication is also known as adaptive authentication or step-up authentication.
In the past, many organizations relied on one type of authentication for all customers and transactions: static passwords and usernames. This is known as binary authentication. Passwords and usernames are considered weak security because they are so easy for fraudsters to steal and exploit. On the other hand, risk-based authentication is a form of strong authentication because it gives context to the user and their transaction to determine the risk level and the susceptibility of fraud. In cases of a high-risk transaction, the user is prompted for additional authentication to confirm their identity.
The 3 factors of authentication
There are three common factors used for authentication:
- Something you know
- Something you have
- Something you are
The most common authentication is something you know and can be a password or a simple personal identification number (PIN). However, it is also the easiest for fraudsters to beat.
The something you have factor refers to items such as a mobile device or hardware authenticator tokens, which generate single use, one-time passcode. Hardware authentication provides two-factor authentication (2FA). Smartphone-based options, such as a push notification and a one-time password (OTP), also deliver a multi-factor verification.
Biometrics are the “something you are” factor and can be fingerprints, facial scans or voice analysis and are part of a move to passwordless logins. There are a number of laptops and phones available with fingerprint sensors, and they are also available on USB flash drives.
The three factors of authentication are often combined to provide stronger security to thwart fraudsters. The combination of a fingerprint scan with a one-time passcode strengthens security and is an example of multi-factor authentication (MFA).
The importance of risk-based authentication
Risk-based authentication can help prevent unauthorized account access and theft of funds or personally identifiable information data. It's a key element in improving end user experience and retention because it makes the digital banking experience easier and more secure for legitimate customers – and more difficult for fraudsters. Unauthorized access to customer data is a threat to a financial institution's brand, reputation and competitive posture.
How risk-based authentication reduces friction for customers
Adaptive authentication reduces friction for customers while helping prevent account takeover and other types of fraud attacks. It leverages security measures happening in the background, in real time, while the customer is going about their business. RBA applies the precise level of security for each unique customer interaction and avoids unnecessary security steps for low-risk transactions, which can add friction for the user. A good example is a legitimate customer logging into the banking portal with a known device that has been registered with the bank, using the same browser they typically do. They are doing a low-risk action such as checking their balance or making a small payment. In this case, the system determines the risk of fraud is so low that they don’t need to re-authenticate after they’ve logged in. Only when the user’s behavior deviates from normal activity are additional authentication challenges added, resulting in increased security hurdles for riskier transactions such as a bank wire transfer. The customer would be prompted to authenticate themselves in one form or another and if successful, would go on about their business.
How risk-based authentication can drive growth and loyalty
Risk-based authentication is key to unlocking growth and customer loyalty for banks because it greatly reduces friction to provide a better customer experience. As part of a bank's digital transformation, it reduces unnecessary identity verification steps and applies the precise amount of security at the right time for each transaction based on the level of risk. User experience has a direct impact on customer retention. Studies have shown that customers who have the ability to easily engage with their financial institution anywhere and at any time are less likely to switch. At the same time, using risk-based authentication can help banks and other financial institutions cut fraud losses.
Why risk-based authentication is an essential security tool
Risk-based authentication is an essential security tool because it works in real time to help prevent cyberfraud, without inconveniencing legitimate customers.
While the fraud prevention system generates the transaction risk score, risk-based authentication provides the ability to adjust authentication methods on the fly, according to the level of risk. As a risk assessment tool, RBA also makes instant decisions about which authentication methods to use, and in which combinations.
As mentioned above, financial institutions have often relied on weak authentication, such as a password or a one-time code sent by SMS text message. However, advances in fraud, malware, and attack strategies require more vigilant security. As a result, banks are turning to risk-based authentication where a customer may be asked to perform an authentication challenge, depending on the risk level of what they are trying to do. For example, if someone attempts to transfer 90% of the funds available in a bank account using a device that is unknown to the system and at a time of day that doesn’t match the customer’s historical patterns, they would be asked to further verify their identity with additional authentication, such as a one-time pass code accompanied by a fingerprint scan or facial biometric. The use of RBA can identify risky login attempts and deny access or transactions altogether, if necessary.
How risk scores are determined in RBA
Risk scores are key to risk-based authentication. A risk score is created from a number of factors related to an access attempt or an attempt to carry out a transaction.
For example, RBA analyzes hundreds and even thousands of data points, such as the customer’s device, IP address, geolocation, network, time of day, and the transaction itself. This data is used to produce a risk transaction score in real time. Depending on the risk score, RBA can trigger an immediate authentication challenge, if needed. A risk score can also include the user’s history of security incidents, number of logins, and the sensitivity of the data to be accessed. The reason that a risk score is based on a combination of many contextual and other data points is because one data point on its own can and will be beaten by an attacker. However, many access requests do fall below the defined risk thresholds and do not require additional authentication.
The role of biometrics in RBA
Biometric authentication is increasingly being used in mobile banking apps for security and to provide a convenient user experience. Digital customers take it for granted that their transactions will be frictionless and secure. Many stolen passwords and usernames are sold online and many people reuse passwords, which makes them a less secure authentication option. However, submitting a password along with a fingerprint is far more secure as authentication techniques. The use of biometrics was popularized by Apple’s TouchID and the support for biometrics is moving beyond fingerprint scans to facial scans and iris or retina scans. Users have the ability to choose the authentication method that is easiest for them in a particular situation or the method that makes them feel the most secure.
To help authenticate an increasingly mobile customer base, behavioral biometrics can be applied to learn how a customer types, holds the phone or swipes, which hand is being used, and the rhythm of key presses. Behavioral biometrics provide a continuous signal about the authenticity of the user and as a result, they can be difficult for fraudsters to defeat at this time.
Analyst recommendations for a risk-based authentication solution
Market research company Forrester notes that risk-based authentication is more relevant than ever for financial institutions because online and mobile transactions are increasingly popular. Forrester says that the ability to reduce inconvenience and hassle for customers without sacrificing security is a competitive differentiator. The market research company also says that to generate the most accurate risk score possible, an anti-fraud system must be able to analyze as much user, device, and transaction data as possible across digital channels.
When evaluating RBA solutions, Forrester also suggests looking for vendors that deliver fraud rule templates that will increase the accuracy of your risk scores. An anti-fraud system should provide transparency as to how and why these fraud rules are triggered across digital channels. In addition, it’s necessary for the system to show how machine learning will supplement the fraud rules to spot behavior patterns that deviate from a customer’s normal behavior and may be indicative of emerging fraud methods.
Also, make sure the solution does more than just fraud risk analytics. Be sure that it can not only gather and analyze data, but ask the user to complete a higher authentication challenge, if needed.