Authentication has become an area of ever-increasing importance in the battle against fraud for merchants and fraud vendors. Online commerce’s long battle for new customers has often been won at the expense of properly validating the identities of those who have signed up. The ‘frictionless’ buying experience has come at the cost of security.
Experience has shown that decoupling accounts from real identities opens up a rich playground for fraudsters. The increasing frequency of account takeover, voucher abuse and payment fraud in e-commerce can be directly linked to the inability of the industry to effectively associate an account with a real identity or effectively spot when that identity has been compromised. So what can be done?
Changing face of authentication
Authentication is the process of verifying someone's claim to an identity. Recent PSD2 legislation has neatly laid out strong customer authentication as someone having at least two of the following claims to that identity:
• Something you have (e.g. device, USB security key)
• Something you know (e.g. password, mother’s maiden name)
• Something you are (e.g. voice, biometrics, iris scan, fingerprint)
Largely as a result of innovation in the financial sector, there is a host of clever emerging technologies that consumers are being exposed to through their mobile phones, online banking accounts and other areas of identity innovation. None is perfect. All can be breached by a determined enough fraudster, though they probably cannot be breached at scale, or at least not yet. However, each of them requires a level of user engagement that is not realistic for most businesses, and certainly not as a first step.
For instance, to access the features on my mobile device I am willing to provide a fingerprint. As a second factor of authentication to access my MacBook, I carry around a USB security key. To access my online banking I use a one-time password generator. However, each of these is something I need in order to do my job or to function in my life.
Would I be willing to carry around a key to order a pair of sneakers from a site I use twice a year? What if I want to place a bet on a horse race starting in two minutes and I am asked to retrieve an SMS message sent to my phone to validate who I am? I am not likely to use that site again as I watch the horse I wanted to bet on ease home without my money on it.
An example of a USB security key
Smarter Authentication: right person, right time, right challenge
The issue in the industry right now is that authentication is either too lax or too stringent. Where it is too lax, it’s because the merchant wants to absolutely minimise the friction from sign-up to purchase, and even after registration, logging in again is made as easy as possible.
Where it is too stringent, companies have either been forced to or have decided to add in multiple registration steps and hoops resulting in a horrible customer experience and/or a failed business.
Where the industry needs to get to is smarter authentication, where we challenge the appropriate users at the appropriate time with the appropriate challenge.
Machine learning has a significant role to play here in suggesting who the appropriate users to challenge are, at which point in the user journey and with the appropriate challenge. The era of “one challenge fits all” is over.
Most merchants have the data within their systems to see patterns amongst their users to tell them which are risky and the degree to which they are risky. This is fertile ground for building algorithms that can suggest when a user requires additional security.
At Ravelin, we have an increasing number of clients who use Ravelin to invoke a 3D Secure challenge for certain markets under certain conditions. In the past, these orders may have been rejected because of their fraud probability. Now, however, a legitimate customer has the opportunity to continue with the purchase.
The vast majority of users never see this challenge, which is critical for ensuring that for most people the frictionless buying experience is intact. There is no value in challenging good customers due to poor data use.
3D Secure is only one kind of challenge, of course, and fraud risk is only one potential reason to invoke a challenge. Suspected account takeovers are a growing issue, so a challenge that confirms ownership of a device is a strong way to deter them.
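The "right person, right time, right challenge" idea above can be made concrete as a small step-up policy that routes a model's risk scores to different outcomes. This is an added illustration, not Ravelin's code: the thresholds, market list, score names and sample events are all constructed assumptions, and a real deployment would tune them per market and from its own data.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    CHALLENGE_3DS = "challenge_3ds"        # payment-fraud step-up at checkout
    CHALLENGE_DEVICE = "challenge_device"  # confirm device ownership at login
    REJECT = "reject"

# Assumed policy parameters (hypothetical; a real deployment tunes these per market).
THREE_DS_MARKETS = {"GB", "DE", "FR"}  # markets where a 3DS challenge is available
REJECT_THRESHOLD, CHALLENGE_THRESHOLD, ATO_THRESHOLD = 0.95, 0.40, 0.60

@dataclass
class Event:
    stage: str          # "login" or "checkout"
    market: str         # country code of the order/account
    fraud_score: float  # model's payment-fraud probability, 0..1
    ato_score: float    # model's account-takeover anomaly probability, 0..1
    known_device: bool  # device previously confirmed for this account

def decide(ev: Event) -> Action:
    # Right person: the riskiest orders are still rejected outright.
    if ev.stage == "checkout" and ev.fraud_score >= REJECT_THRESHOLD:
        return Action.REJECT
    # Right time, right challenge: an ATO signal from an unconfirmed device is
    # met at login with a device-ownership challenge, not a payment challenge.
    if ev.stage == "login" and not ev.known_device and ev.ato_score >= ATO_THRESHOLD:
        return Action.CHALLENGE_DEVICE
    # Mid-risk orders get a 3DS challenge where one is available, so a
    # legitimate buyer can still complete the purchase instead of being rejected.
    if ev.stage == "checkout" and ev.fraud_score >= CHALLENGE_THRESHOLD:
        return Action.CHALLENGE_3DS if ev.market in THREE_DS_MARKETS else Action.REJECT
    return Action.ALLOW

def challenge_rate(events) -> float:
    # Share of events that see any challenge; for genuine traffic this should stay small.
    decisions = [decide(e) for e in events]
    hits = sum(d in (Action.CHALLENGE_3DS, Action.CHALLENGE_DEVICE) for d in decisions)
    return hits / len(decisions) if decisions else 0.0

# Constructed sample traffic, not real data.
SAMPLE = [
    Event("checkout", "GB", 0.05, 0.02, True),   # low risk: no friction
    Event("checkout", "GB", 0.55, 0.05, True),   # mid risk, 3DS market: challenge
    Event("checkout", "US", 0.55, 0.05, True),   # mid risk, no 3DS here: reject
    Event("checkout", "DE", 0.97, 0.10, True),   # very high risk: reject
    Event("login", "FR", 0.10, 0.80, False),     # new device + anomaly: device challenge
    Event("login", "FR", 0.10, 0.80, True),      # same anomaly on a known device: allow
]
```

Only two of the six constructed events are challenged; the rest either pass with no friction or are rejected as before, which is the balance the text argues for.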
We are only starting to uncover the possibilities here in terms of anomaly detection that will indicate an at-risk account. The good news is that the increasing availability of, and consumer familiarity with, these authentication challenges means we can make really secure experiences increasingly frictionless too.
So the technical pieces are in place to build a smarter authentication process into our online commerce practices. We understand the problem set and are confident that we can build models that will identify those customers who require challenges. What we need is increased adoption of, and experimentation with, the options available to make ecommerce both safer and smoother for all genuine users.
And it’s increasingly apparent that we have to. The inability to authenticate online identities risks undermining the credibility of online commerce itself - a vista too dark to contemplate.