Authentication is a hot topic. We all know that to win in the digital world, organizations must make their services both simple to use and secure.
I’m sure that I’m not alone in saying that I would love to be able to achieve things online without having to enter a complex password (which I’ve probably forgotten) or an SMS One Time Passcode (SMS OTP) (which has probably been sent to a mobile device that is on silent... and well-hidden under a pile of coats in a different room). Unfortunately, for the most part, these are the hoops that I need to jump through if I want to log in to one of my accounts or buy something digitally.
Clearly, these techniques are not delivering from a customer experience perspective. That would be fine if they were providing the security that customers and businesses need, but it is becoming more and more apparent that this is not the case.
In a recent report, the Aite Group urged organizations to take another look at their authentication framework. They identified that increasingly sophisticated bad actors, smarter authentication technology and emerging intervention from regulators are making it vital for organizations to re-evaluate how they authenticate their users. The report urges organizations to take advantage of powerful new capabilities that offer both less friction and increased security.
Callsign wholeheartedly agrees with this assessment. When organizations re-evaluate what they need from an authentication process, we urge them to consider the following:
- how easy it is for the customer to use;
- how cost effective it is; and
- how much security it provides.
The 3 elements of an authentication framework
The authentication framework defines how an organization authenticates and protects its users. The Aite Group breaks it down into three main user interaction points.
Setting up an account – ID proofing
When a customer applies for a product or service or attempts to open an account, an organization should have some way of making sure that the information the customer submits is correct. Failure to do this leaves the organization open to application fraud and abuse by those who want to use the organization’s platform or products for nefarious purposes.
Logging into an account
Authentication: when a user attempts to access their account, there must be a secure and robust way of ensuring they really are who they claim to be. If the authentication process does not detect and block bad actors, the organization leaves itself and its customers open to account takeover (ATO) attacks.
Altering an account
Changing contact information or preferred authentication method: sometimes the user will need to change important attributes associated with their account. The user’s address, phone number – even their name – are not fixed and may change over time. It’s prudent therefore that the organization offers users a way of managing this themselves.
Organizations must however ensure that when a user seeks to change an attribute, particularly one that is involved in the authentication process (like a phone number), a robust control framework is adhered to: in practice, that means re-verifying the user with an existing authenticator before the change takes effect and notifying the old contact point that the change was made. If not, there would be little stopping a bad actor from diverting the authentication mechanism to one that is under their control.
Simply, things have changed. New regulations and guidance have been published, new authentication technologies pioneered, and new sophisticated techniques are being used by bad actors. The volume and pace of change is staggering. The only thing that is certain is that change will continue and that, unfortunately, passwords and SMS OTPs alone simply won’t cut it.
Smarter bad guys: cyber crime is endemic
The events of 2020, which accelerated the transition to digital services, also demonstrated how vulnerable those services can be. Account takeover attempts jumped by 282% in Q2 2020, driven in large part by the dramatic shift towards digital shopping over the last year.
But how are bad actors able to circumvent the current protection processes such as passwords and SMS OTPs?
It’s no secret that most people re-use their passwords across multiple accounts. When login credentials become public knowledge through all-too-common data breaches, bad actors can harvest them and use bots to stuff them into every login screen they can find – with an alarming success rate.
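The bot-driven pattern described above leaves a recognizable trace in server logs: one source trying many different usernames in quick succession, almost all of them failing. The following Python detector is an added example, not code from the original article or from Callsign; it runs over a handful of constructed authentication-log lines (the log format, IP addresses, thresholds and window size are all assumptions made for illustration) and separates that stuffing signature from an ordinary user fumbling their own password.

```python
"""Credential-stuffing detection over authentication logs.

Added example: not code from the original article or from Callsign. The log
format, the thresholds and the sample lines below are constructed for
illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth <success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample: one source burns through ten breached username/password
# pairs in five seconds and gets one hit; one user mistypes twice then logs in;
# one unremarkable login from a third address.
SAMPLE_LOG = """\
2020-06-01T10:00:00 auth failure user=alice src=203.0.113.5
2020-06-01T10:00:01 auth failure user=bob src=203.0.113.5
2020-06-01T10:00:01 auth failure user=carol src=203.0.113.5
2020-06-01T10:00:02 auth success user=dave src=203.0.113.5
2020-06-01T10:00:02 auth failure user=erin src=203.0.113.5
2020-06-01T10:00:03 auth failure user=frank src=203.0.113.5
2020-06-01T10:00:03 auth failure user=grace src=203.0.113.5
2020-06-01T10:00:04 auth failure user=heidi src=203.0.113.5
2020-06-01T10:00:05 auth failure user=ivan src=203.0.113.5
2020-06-01T10:00:05 auth failure user=judy src=203.0.113.5
2020-06-01T10:00:10 auth failure user=alice src=198.51.100.7
2020-06-01T10:00:20 auth failure user=alice src=198.51.100.7
2020-06-01T10:00:30 auth success user=alice src=198.51.100.7
2020-06-01T10:05:00 auth success user=bob src=192.0.2.9
"""


def parse_log(text):
    """Turn matching lines into event dicts sorted by time; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "success",
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.7):
    """Flag sources that, inside any sliding window, try at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.
    Returns {ip: (distinct_users, failure_ratio)} for the widest window seen."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            ratio = sum(1 for e in span if not e["ok"]) / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), round(ratio, 2))
    return flagged


def accounts_to_review(events, flagged):
    """Successful logins from a flagged source: the accounts the stuffing run
    actually got into, which need a forced re-authentication or reset."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to review:", accounts_to_review(evs, hits))
```

The source at 203.0.113.5 is flagged (ten distinct users, 90% failures inside the window), while 198.51.100.7 is not: it is one account failing twice and then succeeding, which is what a forgotten password looks like. The single success from the flagged source, dave, is the account the attacker actually got into, so the response has to cover those accounts and not just block the address. Thresholds need tuning per site; a corporate NAT egress legitimately presents many users from one address, which is one reason a source-IP heuristic alone is weaker than checking the user behind the login.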
SMS OTPs are also disturbingly vulnerable to interception. Unsophisticated bad actors can simply relay the code in real time, a “man in the middle” attack that needs no technical tooling at all: the bad actor initiates an authentication event and then calls the customer, claiming to be a representative of a legitimate organization, and asks them to read out the code that has just arrived on their device.
More sophisticated bad actors will deploy industrial-scale SIM Swap and SS7 attacks, which redirect the SMS OTP to a device under their control.
These weaknesses represent a threat to both consumers and business. Unsurprisingly, regulators and government agencies are scrutinizing the problem now more than ever.
New regulations, standards and guidance
Increased levels of cyber crime mean that governments are taking more of an interest in how organizations are authenticating their customers. Both the NIST SP 800-63B guidance in the US and Europe’s PSD2 regulation signal an increased willingness for governments to have a say in how authentication standards are created.
By and large, these interventions encourage organizations to move towards a multi-factor authentication (MFA) approach. Organizations are being encouraged to authenticate sensitive or high-risk transactions with a combination of two or more of the following factors:
- knowledge (what a user knows, for example, a password);
- inherence (what a user is – what they look like or how they type); or
- possession (what a user has, such as a specific device or token).
Whilst easy to mandate, achieving MFA is far more complicated than the guidance suggests.
Wary of deploying a solution that further harms user experience and results in more abandoned transactions, organizations are now looking for simple, scalable ways of achieving MFA. Fortunately, advances in technology are allowing this to be realized.
Technology has advanced a lot over the last few years. Behavioral biometrics in particular promises to allow organizations to achieve their multi-factor authentication requirements in a seamless and secure way.
Behavioral biometrics seek to identify a user by both what they input into a device and how they input it. The pressure a user applies as they interact with their screen, the speed at which they trail their fingers across the display, their typing cadence, even the angle at which they hold their device: taken together, these patterns are distinctive enough to recognize an individual, and because they are captured passively during normal use they do so without asking the user for anything extra. Unlike a password check, the result is a probabilistic similarity score rather than an exact match, so a deployment has to choose a threshold that trades false rejections of genuine users against false acceptances of impostors.
This technology allows organizations to generate a multi-factor authentication event from a single interaction. If I type my password into a login screen that has a behavioral biometric capability, I am identified by both what I type (knowledge of my password) and the way I type it (inherence). This eliminates the need for an out-of-band OTP, removing a step from the authentication process. As such, the customer experience is improved, and the number of costly SMS OTPs sent by an organization is reduced. Whether a regulator counts this combination as MFA depends on the regime: PSD2’s strong customer authentication rules recognize behavioral characteristics as a possible inherence element, whereas NIST SP 800-63B accepts biometrics only when paired with a physical authenticator (something you have), so organizations should check which framework they are being assessed against.
Layering behavioral biometrics on top of a password also significantly increases the security of the authentication event. Even if I wrote my password down and handed it to a bad actor, the behavioral biometric authenticator would detect that, although the correct password has been entered, the way it was entered was not consistent with my established pattern. The organization can then deny access outright or step up to an additional check, and my account remains protected by a factor that the bad actor cannot copy from a piece of paper.
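To make the two-factors-from-one-interaction idea concrete, and to show the handed-over-password case just described, here is a small Python sketch of a keystroke-dynamics check layered on a password. It is an added example, not Callsign’s implementation or any code from the original article: the password, the millisecond timings, the z-score distance and the allow/step-up/deny thresholds are all constructed assumptions. It enrols a user’s typing rhythm (how long each key is held and the gap between keys) from a few logins, then scores new attempts against that profile once the password itself has been verified.

```python
"""Keystroke-dynamics check layered on a password.

Added example, not Callsign's product code or anything from the original
article. Password, timings, thresholds and the z-score distance are all
assumptions constructed for illustration.
"""
import hashlib
import hmac
import statistics

SIGMA_FLOOR_MS = 5.0   # assumed: never trust a profile tighter than 5 ms
ALLOW_MAX = 1.5        # assumed: mean |z| at or below this -> allow
STEP_UP_MAX = 4.0      # assumed: above ALLOW_MAX but at or below this -> step up


def make_events(text, dwells_ms, flights_ms):
    """Synthesise (key, press_ms, release_ms) events from per-key hold times
    and inter-key gaps. Constructed input standing in for a real keylogger feed."""
    assert len(dwells_ms) == len(text) and len(flights_ms) == len(text) - 1
    events, t = [], 0
    for i, ch in enumerate(text):
        press, release = t, t + dwells_ms[i]
        events.append((ch, press, release))
        if i < len(flights_ms):
            t = release + flights_ms[i]
    return events


def features(events):
    """Dwell (hold) time per key, followed by flight time between keys."""
    dwells = [rel - press for _, press, rel in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwells + flights


def enroll(samples):
    """Per-feature mean and floored standard deviation over enrolment samples."""
    vectors = [features(s) for s in samples]
    assert len({len(v) for v in vectors}) == 1, "enrolment samples must match"
    return [(statistics.mean(col), max(statistics.pstdev(col), SIGMA_FLOOR_MS))
            for col in zip(*vectors)]


def behaviour_score(profile, events):
    """Mean absolute z-score of the probe against the profile (lower = closer)."""
    vec = features(events)
    if len(vec) != len(profile):
        return float("inf")  # different length cannot be the enrolled pattern
    return sum(abs(x - mu) / sigma for x, (mu, sigma) in zip(vec, profile)) / len(vec)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(stored_hash, salt, profile, events):
    """Knowledge factor (password) first, then inherence factor (typing rhythm)."""
    typed = "".join(k for k, _, _ in events)
    if not hmac.compare_digest(hash_password(typed, salt), stored_hash):
        return {"password_ok": False, "score": None, "decision": "deny"}
    score = behaviour_score(profile, events)
    if score <= ALLOW_MAX:
        decision = "allow"
    elif score <= STEP_UP_MAX:
        decision = "step_up"   # right secret, odd rhythm: ask for another factor
    else:
        decision = "deny"
    return {"password_ok": True, "score": round(score, 2), "decision": decision}


PASSWORD = "s3cret"                      # constructed demo secret
SALT = b"demo-salt-not-for-production"   # constructed
STORED_HASH = hash_password(PASSWORD, SALT)

# Constructed enrolment: four logins by the legitimate user, ~90 ms holds, ~120 ms gaps.
ENROLMENT = enroll([
    make_events(PASSWORD, [90, 85, 95, 88, 92, 86], [120, 130, 110, 125, 115]),
    make_events(PASSWORD, [94, 80, 99, 92, 88, 90], [126, 124, 118, 119, 121]),
    make_events(PASSWORD, [86, 90, 91, 84, 96, 82], [114, 136, 104, 131, 109]),
    make_events(PASSWORD, [88, 87, 93, 90, 90, 88], [122, 128, 112, 123, 117]),
])

# Probe 1: the genuine user again.
GENUINE = make_events(PASSWORD, [91, 84, 96, 87, 93, 85], [119, 131, 109, 126, 114])
# Probe 2: the correct password, typed slowly off a note by someone else.
ATTACKER = make_events(PASSWORD, [150, 160, 155, 170, 145, 165], [320, 280, 410, 350, 300])
# Probe 3: wrong password typed with the genuine rhythm; knowledge factor fails first.
WRONG_PW = make_events("s3cre7", [91, 84, 96, 87, 93, 85], [119, 131, 109, 126, 114])

if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE), ("attacker", ATTACKER), ("wrong_pw", WRONG_PW)):
        print(name, authenticate(STORED_HASH, SALT, ENROLMENT, probe))
```

Run it and the genuine probe is allowed with a score of about 0.3, the slow retyping of the very same password scores around 27 and is denied, and the wrong password is denied before rhythm is even considered. The step-up band exists because behavioral scores are probabilistic: a genuine user with a sprained wrist should be asked for another factor, not locked out. Real deployments use far richer features, per-user trained models and continuous scoring, and they set thresholds from measured false-accept and false-reject rates rather than the round numbers used here.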
This means that even if a user has reused a password across multiple systems, or chosen one that is short and easy to remember (and guess), the risk of their account being exposed to these attacks is reduced.
Taken together – or even in isolation – one thing is clear: the benefits of shifting to MFA outweigh the alternative; and in fact, falling behind the curve isn’t a real option. With the why (and indeed the when: as soon as possible), being obvious, the most pressing concern for organizations is the how.
The solutions for Multi-Factor Authentication
To best handle and manage the change to MFA, organizations need two things. Firstly, they need mechanisms to authenticate users and secondly, they need a way of integrating these authenticators into the user’s journey. As such, Callsign offers an end-to-end identity capability via our Intelligence Driven Authentication technology and our Orchestration Layer.
We can deploy a range of authenticators that suit the needs of the organization – from behavioral biometrics to more traditional authenticators. These authenticators can be easily placed into a graphical representation of the user’s digital journey via our Orchestration Layer, allowing them to be easily deployed, managed and controlled by the organization – without the need to write a single line of code.
Ultimately, the movement towards MFA – powered by advanced technology – is fast becoming best practice amongst both big tech and financial services institutions. Given the benefits to security and customer experience, it’s no surprise that other organizations operating in the digital economy are becoming increasingly interested. The question has changed from “Will these technologies be adopted?” to “How long will it take for these technologies to be everywhere?”.
And in pondering the answer, it’s worth remembering that businesses don’t really have the luxury of time. After all, the fraudsters, scammers, and bad actors are asking the exact same questions.