Beyond Passwords: How Advancements in Authentication Technology Enable Safer Transactions
Published on July 19th, 2018
For decades, passwords have been the linchpin of security.
Even before high speed Internet access became a household norm, most of us had passwords for everything from telephone banking to video rentals. If you’re reading this, chances are you’ve been choosing (and hopefully remembering) passwords for most of your life.
But, the primacy of passwords is coming to an end. They are simply no longer sufficient to hold back the tide of fraudsters hoping to profit at others’ expense.
Put simply, passwords are too easily guessable, too easily crackable, and too easily circumvented to protect an individual’s most precious asset: their money.
Card fraud: the $350 billion problem
Let’s take a step back. How much of an issue is fraud really?
Well, first off, there are the direct costs of fraud, which hit $28 billion in the US during 2017 and are expected to exceed $38.5 billion by 2020.
First-party fraud, such as chargebacks and loan default, is the most common form of fraud across most industries; in the healthcare industry the picture is different. There, fraudsters typically use phishing and social engineering attacks to steal users’ credentials and take over their accounts.
Sounds bad, right? Sadly, it’s not even close to the whole story.
The second issue to contend with is false declines: legitimate transactions that are wrongly declined by fraud prevention measures. Even when things are working well, we might expect a false decline ratio of around 3:1, which means three legitimate transactions are declined for every fraudulent transaction that is declined.
So, what do all these false declines cost? In the US, they’re expected to cost around $331 billion in 2018. Yes, you read that correctly. The cost of false declines is more than ten times the direct cost of card fraud.
And, do you know what the direct and indirect costs of fraud have in common? They both stem from the same issue: poor authentication.
The problem with passwords
By the time you add up online banking, email, e-commerce, social media, and general interest accounts, the average person manages 126 online accounts. That’s a lot of passwords to remember.
So, guess what? Twenty percent of people reuse exactly the same password for all of their accounts. That means for one out of every five people, when one of their accounts is compromised, all of their accounts are compromised.
And, it gets worse.
The majority of passwords are very easy to guess or crack. A common eight-character password can be guessed in less than a second using a simple password dictionary, and once an attacker holds a stolen password hash, even a more complex eight-character password can be cracked in seconds using the combined computing power of a botnet.
“OK,” you might be thinking. “But, those are all problems associated with bad passwords. What if we could convince people to choose good passwords instead?”
Sadly, instead of solving the problem, good passwords simply create a new one: forgotten passwords.
People forget their passwords all the time. Be honest, you’ve forgotten a few passwords yourself over the years. As a result, account providers are forced to offer convenient methods of recovering forgotten passwords.
Here’s where the problem lies. Most password recovery processes require account holders to provide basic personal information such as their mother’s maiden name or date of birth. But, as we explained in a recent blog post, over 9.7 billion electronic records have been stolen in the past five years… and those records contain precisely the types of personal information necessary to breeze through password recovery processes.
Naturally, all of this adds up to a big opportunity for fraudsters. If it’s easy for them to compromise online accounts (including those relating to banking and e-commerce), there will be plenty of opportunities to conduct fraudulent transactions.
And, believe it or not, that still doesn’t account for all of the problems associated with passwords. Forgotten passwords also lead to abandoned shopping carts. Nearly a third of all online transactions are abandoned at checkout because users can’t remember their passwords. If you thought the cost of false declines was high, imagine how much that little hitch costs online retailers.
Authentication in a rapidly-evolving world
Before we think about how authentication should work, it’s important to recognize that making and accepting payments is far more complex than ever before.
In the past, individuals could make payments in person or over the phone… and that was it. Now, they can use PayPal, Visa checkout, online bank transfers, Apple Pay, Samsung Pay, Google Wallet… the list goes on, and on, and on.
Individuals need to be able to authenticate themselves securely whether they’re applying for credit, speaking to a contact center, using online banking, sending a payment from their smartphone, or any one of a dozen other so-called “touchpoints.”
In order to meet these rapidly-evolving demands, organizations throughout the payment ecosystem have been forced to develop new authentication mechanisms quickly. As a result, in many cases, authentication has become heavily siloed. Some touchpoints offer highly-secure authentication (mobile devices being a good example) while others (particularly contact centers) are wide open to abuse by fraudsters.
At the same time, the proliferation of WiFi-enabled devices available to consumers has dramatically increased the volume of information available on the average individual. From laptops and smartphones to smart TVs, fitness trackers, and even kitchen appliances, young people in particular are creating digital footprints nearly every minute of the day.
So what does all this mean for the future of authentication? Simply this:
Heavily-siloed authentication techniques (i.e., having a different solution for each account and/or touchpoint) are unwieldy, and will soon be unfeasible. But, the behavioral information needed to inform instantaneous, frictionless, highly-secure authentication across all touchpoints is already available.
The future of authentication
If you ask a young person what the future of authentication might look like, they’d probably say biometrics. After all, many young people are already familiar with the use of thumbprints, eye scanners, and facial recognition software to unlock their smart devices.
And, the truth is, they’d be half right. The future of authentication does lie in biometrics… just not necessarily physical biometrics.
Physical biometrics authenticate using something you are – a fingerprint, a retinal scan, your voice, and so on. This authentication step is visible to the user and can add friction to the process. Physical biometrics are hard to spoof, but not impossible.
Behavioral biometrics, by contrast, authenticate based on how you naturally behave. The authentication process is invisible to the user, is far harder to spoof or replay than a static credential, and is frictionless.
Smartphones, for example, have over a thousand different behavioral biometric indicators that enable them to identify an individual with more than 99.99% accuracy. These indicators include behaviors such as:
- How hard the screen is pressed
- Which finger is used to unlock the device
- Whether the user is left or right handed
- What time the device is usually opened in the morning
- What the user looks like
By tracking these indicators, smartphones are able to use what’s known as “continuous passive authentication”. In other words, your smartphone can tell that it is you who is using it, so it has no need to force you through manual authentication steps.
In the authentication processes of the future, this type of information will be transferred across the payment ecosystem so that it can be used regardless of payment method. Not only will this lead to greatly reduced levels of fraud and false declines, it will devalue the personally identifiable information (PII) that fraudsters actively try to collect by removing it from the authentication process.
And, the authentication journey won’t be limited to the payment ecosystem. The ultimate goal will be to establish a connected authentication hub that protects an individual’s identity and accounts across the board. If a fraudster attempts to access an individual’s fitness tracker, but fails passive behavioral biometric authentication, that should trigger a response in real time across not just financial accounts, but across all accounts that are important to that individual’s digital identity.
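To make the two ideas above concrete, here is a deliberately small, added illustration of how continuous passive authentication and a connected response hub fit together. It is not code from the original post or from any vendor: the three behavioral features, the per-user baseline, the z-score style anomaly score, the thresholds, the linked-account map and every sample session are constructed assumptions. A real system would use far more indicators and a proper classifier, but the shape is the same: score the live session against the owner’s baseline, step up on a soft anomaly, and on a hard anomaly on any one touchpoint (here, the fitness tracker) push a response to every linked account.

```python
"""Continuous passive authentication feeding a connected response hub.

Added illustration, not code from the original post or from any vendor.
Feature names, thresholds, the linked-account map and all sample sessions
are constructed assumptions chosen to make the behaviour visible.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Assumed stand-ins for the indicators the post lists: touch pressure (0..1),
# interval between taps in milliseconds, and the hour the device is unlocked.
FEATURES = ("pressure", "tap_interval_ms", "unlock_hour")

Session = Dict[str, float]


@dataclass
class Profile:
    """Per-user baseline: (mean, std dev) of each behavioural feature."""
    stats: Dict[str, Tuple[float, float]] = field(default_factory=dict)


def build_profile(sessions: List[Session]) -> Profile:
    profile = Profile()
    for name in FEATURES:
        values = [s[name] for s in sessions]
        sd = pstdev(values) or 1e-6  # constant feature: avoid division by zero
        profile.stats[name] = (mean(values), sd)
    return profile


def _distance(name: str, value: float, baseline: float) -> float:
    # Hours wrap around midnight: 23:00 and 01:00 are two hours apart, not 22.
    # The baseline std dev is still taken over raw hours, so this toy assumes
    # the owner's usual unlock times do not straddle midnight.
    if name == "unlock_hour":
        d = abs(value - baseline) % 24
        return min(d, 24 - d)
    return abs(value - baseline)


def anomaly_score(profile: Profile, sample: Session) -> float:
    """Mean absolute z-score over all features; 0 means identical to baseline."""
    zs = []
    for name in FEATURES:
        mu, sd = profile.stats[name]
        zs.append(_distance(name, sample[name], mu) / sd)
    return sum(zs) / len(zs)


class ResponseHub:
    """One identity, many touchpoints, one real-time decision.

    A soft anomaly forces active authentication on the touchpoint in use. A hard
    anomaly is treated as a takeover attempt: the session is denied and every
    linked account is told to demand active authentication.
    """
    STEP_UP = 2.0  # assumed threshold
    LOCK = 3.5     # assumed threshold

    def __init__(self, linked_accounts: Dict[str, List[str]]):
        self.linked = linked_accounts
        self.actions: List[Tuple[str, str, str]] = []  # (user, account, action)

    def handle(self, user: str, touchpoint: str, score: float) -> str:
        if score >= self.LOCK:
            for account in self.linked[user]:
                self.actions.append((user, account, "require_active_auth"))
            return "deny"
        if score >= self.STEP_UP:
            self.actions.append((user, touchpoint, "require_active_auth"))
            return "step_up"
        return "allow"


# Constructed baseline: five unlock sessions by the legitimate owner.
BASELINE = [
    {"pressure": 0.50, "tap_interval_ms": 200, "unlock_hour": 7},
    {"pressure": 0.52, "tap_interval_ms": 210, "unlock_hour": 8},
    {"pressure": 0.48, "tap_interval_ms": 190, "unlock_hour": 7},
    {"pressure": 0.55, "tap_interval_ms": 205, "unlock_hour": 8},
    {"pressure": 0.45, "tap_interval_ms": 195, "unlock_hour": 7},
]
OWNER = {"pressure": 0.51, "tap_interval_ms": 203, "unlock_hour": 7}
DRIFT = {"pressure": 0.62, "tap_interval_ms": 218, "unlock_hour": 8}   # off day
INTRUDER = {"pressure": 0.90, "tap_interval_ms": 340, "unlock_hour": 3}

LINKED = {"alice": ["bank", "wallet", "email", "fitness_tracker"]}


def demo() -> Dict[str, str]:
    """Score three sessions on the fitness tracker and return the hub's decisions."""
    profile = build_profile(BASELINE)
    hub = ResponseHub(LINKED)
    return {
        label: hub.handle("alice", "fitness_tracker", anomaly_score(profile, s))
        for label, s in (("owner", OWNER), ("drift", DRIFT), ("intruder", INTRUDER))
    }


if __name__ == "__main__":
    print(demo())  # {'owner': 'allow', 'drift': 'step_up', 'intruder': 'deny'}
```

The design point is the last branch of `handle`: the failing touchpoint is the least valuable account in the list, yet the response lands on the bank and wallet too, because the signal is about the identity, not the device. The middle case also shows why a hub needs a step-up tier rather than a single deny threshold: an owner having an unusual day should be asked to authenticate actively, not locked out everywhere.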
Bridging the gaps
Here’s the thing. Although the technology needed to facilitate continuous passive authentication is already widespread, we aren’t quite there yet.
But, no matter where you are in the payment chain, there are steps you can take to move forward:
1) Quantify the problem
While the direct costs of poor authentication techniques are fairly easy to measure, it’s usually indirect costs that make up the bulk of ROI when implementing authentication technologies: cart abandonment, improved customer satisfaction scores, call center costs, and so on.
As an example, one minute of verbal authentication per phone call can account for a massive 20 percent of call center costs. Using voice ID and biometrics in place of manual Q&A can reduce call time substantially, reduce friction, and save you money while also improving security.
2) Identify and close vulnerabilities
Fraudsters constantly look for easy penetration points, so before you start implementing better technologies you should ensure your existing processes are buttoned up. Typically, while some touchpoints will likely offer strong authentication options, others (particularly call centers) tend to lag behind. At the same time, lack of real-time communication between touchpoints can be easily exploited by determined fraudsters.
3) Develop a layered approach and omni-channel strategy
Just as it’s important to ensure your processes are strong across all touchpoints, there’s also little value to implementing strong biometric technologies in one area while leaving outdated technologies in place elsewhere. Ideally, you should build a layered approach to authentication across all touchpoints and connect them through a central data hub that allows you to take action in real time whenever authentication failures occur.
4) Collaboration is key
When the entire ecosystem is safe, everybody wins. Businesses enjoy reduced losses from fraud and false declines, and, at the same time, consumers experience a frictionless authentication process that provides both security and convenience. In order for this to be possible, collaboration across the payment chain is essential.
For once, it really is a win-win
Right now, the approach to authentication described here might seem a long way off. After all, most payment services and online banking services have only recently started to make use of physical biometrics and two-factor authentication.
But, it’s important to remember that, for once, making the next step up in authentication practice will have a resoundingly positive impact on everybody involved.
Continuous passive authentication will be comfortably the biggest authentication breakthrough ever and will have a profound impact not just on the primary and secondary costs of fraud, but also on the user experience. Not only will consumers enjoy frictionless authentication across all of their important accounts, they’ll also experience fraudulent events at a much lower rate than ever before.
And, believe it or not, consumers are ready for change. After all the high profile data breaches from the past few years, it should be no surprise that 78 percent of online shoppers believe they need more protection and 57 percent have little faith that e-commerce sites will keep their personal information secure.
Consumers are now more aware and less tolerant of fraud than ever before, and they’re starting to make it clear that they expect a higher degree of security than they have experienced in the past. To illustrate this point, according to a recent survey by Mastercard, 95 percent of millennials said they were willing to eliminate the use of passwords altogether to access their bank accounts.
So, while it may feel like a long road to travel, making steps towards the future of authentication really will have a profoundly positive impact, not just for your bottom line, but for almost every aspect of your business.