Authentication Is the Key to the Digital World – Making it Frictionless and Private will be the next Evolution Online
Everyone uses countless online services and digital products. For each of them the first step is to prove that you are who you say you are. Both you and the business serving you don’t want an interloper or fraudster using your identity, payment method or credit. This is the question that sits at the heart of #authentication, and answering it properly underpins our online existence.
Authentication is the cornerstone of a system allowing billions of people to access products and services in the #digitalAge. Whether it’s logging onto Facebook, paying your taxes virtually, buying a phone on Amazon, or subscribing to Netflix – it requires a form of real-time authentication.
Many solutions have appeared in the past two decades since online sales and payments were born to secure and verify both the ability to make a #payment and user’s #identity. This process reduces risk by proving that the transaction is legitimate and keeping your data secure. It’s a crucial safeguard against #fraud, defending against organised crime, money laundering and illegal practices.
Consider for a moment that in the USA up to $8 billion has been stolen from the National Covid Relief Fund. This was done by fraudsters claiming to be people they are not. Think of postal voting scandals and voter registration, you begin to see just what authentication means for our future.
As the ongoing #Covid-19 pandemic has pushed our professional, leisure and retail activities further online, authentication has become an even more critical process in everyday life.
Growing need to authenticate online transactions
The recent explosion in online shopping, Buy Now Pay Later, #neobanking, and remittance payments increases the need to authenticate accurately including for Card-Not-Present (CNP) and crypto transactions. Similarly, with large chunks of the working population moving to remote working, businesses are pressured to verify the identities of employees accessing company networks.
In fact, 71% of UK business decision-makers believe that the shift to #WFH during the COVID-19 crisis has increased the likelihood of a cyber attack, with 46% noting an increase in phishing attacks since #lockdown (see Raconteur). Again, authentication and digital identity, along with #cybersecurity, are essential.
The online payments boom has led to new regulation to manage the massive fraud (more than £25 billion per year in direct losses). In addition, criminals successfully stole £1.8 billion in 2018 through phishing and scam attacks (see UK Finance).
In the EU and the UK the deadline is approaching in 2021 when the new PSD2’s Strong Customer Authentication (SCA) requirements will make two-factor authentication (2FA) necessary for all CNP purchases over €30 in Europe and £30 in the United Kingdom (unless exemptions are in place thanks to specific criteria and anti-fraud systems).
There are concerns that the friction in the customer experience created by this could cost merchants up to $100 billion in lost and abandoned sales (see Finextra). This creates an enormous need for streamlined authentication processes. Additionally, “exemptions” could allow businesses to take payments without 2FA depending on their rates of underlying fraud.
Authentication and user data are at the heart of many methods to ensure low fraud rates
Years ago, authentication was kind of like being a member of a club with special rights to resources and transactions. Even as the ability to transact globally became available to billions of people in the 1990s, massive databases of users were built up by major credit and banking interests. This essentially made them the arbiters of who had the right to transact and what rules were in place to manage the identities and entities that were (or were not) in the club.
Later, the chip enhanced card allowed for knowledge of a four digit code to democratise authentication within the “Europay, Mastercard, and Visa” (EMV) system. This system, however, is owned as an association of the top five global card issuers. Today, of 8.2 billion cards in circulation, 75% have a chip. But as we know pins can be stolen, hijacked and hacked.
Now, the online age has brought a wave of user-focused businesses seeking to lay claim to authentication through user data. PayPal, Amazon, Apple, Google and Facebook, among others, offer Single Sign On (SSO) features or complete customer “walled gardens”. These features allow users to make payments or access multiple applications and services through a single set of credentials.
Think of it this way, if you had to give your entire credit history and identity as well as your recent travel and hotel data to an airline before you could fly, would you do that? And yet many companies online now “own” that data and use it to authenticate (and to market you as a product) within their network or partner companies.
Leveraging user data for authentication comes with a cost
As authentication becomes so fundamental to how we engage with the world, some companies are making a claim for it. In fact, it’s part of a long tradition of leveraging user data for authentication. And while the holistic, unified authentication environments these companies offer are convenient for consumers, they come at the cost of user privacy. In addition, user data can be exposed. Last year alone more than 400 million user identities were hacked.
Google sign-in is free of course. But it also tells them at every step what you’re looking at and where your interests lie. But it sure is convenient! Today a true land grab is taking place to be the gatekeepers of #DigitalIdentity, to keep users (and their reliably monetisable data) within proprietary environments. Authentication as such is a “ticket to play” and should be open, transparent and movable. You shouldn’t be forced into a single company’s ecosystem of products and services simply because they hold your data.
As a result, every non-customer is treated as a risk. If you fail to meet their authentication requirements or break a rule by mistake, you can have your card, account or funds blocked indefinitely while you try to prove who you are. This even affects some of the more modern neobanks and payment platforms. The business effectively owns authentication for its users, as well as the personally identifiable data that comes with it.
To put a number on the value of authentication, it is sufficient to look at Twilio, a key actor in the One Time Password (OTP) and 2FA space. Twilio, founded in 2010, convinced key payment players of the gap in the authentication market and thereby realised its potential. It was able to attract investment of $103 million and began buying data companies and companies specialised in authentication, such as Authy, and becoming the global leader in the market worth over $45 billion – that’s more than 45 unicorns!
Behavioural Biometrics as an additional layer of defence
At Cybertonica, we’re building authentication, based on the notion that the process should be risk-based and probabilistic as well as real-time and adaptive. We are using #BehaviouralBiometrics and transactional data, analysed in real-time, to preserve security without sacrificing privacy. This can lead to the establishment of an anonymised (or at least “semi-anonymised”) data profile without collecting any personally identifiable information.
For example, our Behaviour ID™ solution collects device-level behavioural data and automatically generates an encrypted token-based on the values from your device together with distinct patterns from your actions (not your identity). This allows the authentication to become tokenised and therefore independent of your private data.
You don’t have to buy into Cybertonica’s ecosystem or services. In fact, most customers we interact with will never have to submit any form or send us any personally identifiable information (PII) data. Therefore, nothing of what we sample can be used for any other purpose.
Imagine a snapchat for identity – once we have confirmed the real-time verification, it is used only to match your future behaviours and then its contents disappear. How can a fraudster then take over the identity of an encrypted real-time phantom of your data? Well, they can not. That’s our whole point.
By knowing and showing less, your transactions are frictionless and your privacy is not compromised. The #merchant receives real-time (in less than a second!) and 99% risk-based authentication and has more happy and safer customers.
What’s more, the user experience is enhanced. And with your permission you can automatically skip the queue and the hassle of #SCA. Overall, online transactions become more secure and stakeholders more confident about operating even across borders or in CNP transactions. We are at a crucial point in the history of authentication. Changing regulatory requirements, the importance of access to health data, and the rapid increase in global online buying are setting the course for the future. That’s why we are working on new products, to make seamless services and low risk part of tomorrow’s digital interactions and transactions. We Trust in Transaction.
Get in touch with our expert fraud team now to find out how Cybertonica can help future-proof your business!
Have you read our blog about COVID-19 fraud, hacks and scams? Read here to find out how fraudsters are surfing the ‘fear-wave’ to attack online commerce and customers.