The way we pay and do banking is changing with new technologies and the increasing number of authentication possibilities. Banks need an authentication strategy that keeps them ready for these changes. Because the whole industry sees opportunities in this space, there is also an explosion of new technologies, tools and start-ups, with new products and services being created every day.
The ideal goal of every payment implementation is to set the right balance between security and convenience. An essential ingredient in the commerce value orchestration is the ability to authenticate consumers and the payment instrument they provide during a transaction. Therefore, there is an ongoing race to excel in authenticating customers by deploying state-of-the-art solutions.
To realize different authentication concepts, a mindset change is needed for traditional banks. In a fast-changing world, the architecture of banks will need to become more open and flexible.
Let’s look over the basics.
So, what is authentication? Authentication is the process of determining whether an entity is, in fact, who he/she/it claims to be. In the banking industry the concept is widely used. Nowadays, solutions to the authentication need are becoming more and more innovative. Banks have to prepare their authentication strategy for the near future, where both sufficient authentication and a seamless user experience will be ensured.
Why do we authenticate?
We are so used to authentication at some point in our daily lives that it may seem unnecessary to discuss why authentication is so important. Do you use a password to access your mobile phone? Do you need a key to access your home? Are you asked for a password when accessing internet banking? The answer is usually yes. The impact if we did not authenticate would be substantial; authentication methods are usually applied according to the risk associated with unauthorized access.
Online banking
As banking has moved from the physical to the online world, the authentication methods also need to be compatible with the online environment. Users need to be authenticated prior to accessing online banking services. To do this, banks still rely on username/password combinations, applying additional authentication methods during the journey as the user's actions become more critical.
In-Store payments
Usually referred to as “card present” transactions, these allow banks to authenticate both the card and the cardholder: the card through Offline Data Authentication mechanisms and dynamic cryptograms, and the cardholder through cardholder verification methods. With proper validation of the authentication results for both card and consumer, banks can securely proceed to transaction authorization.
Remote payments
These are often referred to as Card Not Present (CNP) transactions, where end users provide proof that they are the rightful owner of the card. With online payments, the balance between secure authentication and a simple user experience is more delicate, due to the competing technologies already present in the market. Traditionally, the end user only needs to provide the (credit) card number together with a (static) three- or four-digit card cryptogram, sometimes enhanced with the cardholder name and the address registered with the issuing bank. Since this static data can be copied, the process has been amended and CNP transactions are often enriched with 3D Secure verification as an additional step, provided by the main payment schemes. EMVCo is now also responsible for incorporating recent innovations and developing the 3D Secure 2.0 specification, with the objective of improving security when smartphones are used for online transactions, for example in-app, Android Pay and Apple Pay.
Customer pull
As customers become increasingly educated with regard to mobile payments, they start to extend their trust to new actors in the ecosystem. Browsing the internet with a smartphone is quickly becoming ‘the new normal’; the caveat in this scenario is that end users will not necessarily care about the technology used to pay or to authenticate to a banking application, as long as the process is easy and fast, the result is successful and it is (perceived to be) secure. Many will not see the difference between a complicated mobile payment/banking app and the simplest game app, and will expect the same reliability, convenience and speed.
Regulation
In such a dynamic environment, governmental bodies are stepping in to make sure the game is fair to everybody. In Europe, the EU Directive on Payment Services PSD2 was recently passed by the European Parliament. This directive eases the path for non-traditional actors to provide access to the (bank) account of consumers. New rules have been designed to allow access to payment account information via third parties. At the same time, the strength of end user authentication performed by these third parties needs to be guaranteed.
In some other countries this is not done by formal regulation; instead we see a self-regulating market. For example, in Australia the Australian Bankers’ Association (ABA) has developed guidelines for electronic banking, security and the authentication practices to be chosen. This is influenced by the 2014 customer due diligence law, which mandates that all reporting entities identify and verify each of their customers, for broader risk considerations.
User experience and security are often on opposite ends of the scale. As the offer of new online services increases, consumers are forced to remember a larger number of username/password combinations and to have several OTP generators on their keychain, depending on the authentication method requested by the service.
In that sense, the traditional mindset of requesting strong authentication for all steps or actions taken by an end user during their journey in an online service is not scalable, for two main reasons. Firstly, users cannot realistically remember the credentials for all their services; just think how many we are required to memorize: PINs, usernames, passwords, telephone numbers, the list goes on! Average users may write these passwords down somewhere, or reuse the same password for multiple services. Secondly, consumers are becoming more mobile every day, which creates the need to have information accessible with the smallest possible number of clicks/taps. Therefore, requesting strong authentication for access to basic information is harmful to the user experience.
Risk based authentication
An increasingly used concept is risk based authentication. Knowing that different operations have different risks and that user experience is a critical factor for success for the new generation of online consumers, banks and other online service providers should realize that a much better user experience can be achieved if focus is not only given to “how” end users are authenticated, but also “when” they are authenticated with a certain level of assurance.
Although risk based authentication is presented as a very promising alternative to the traditional mechanisms, its results are not an exact guarantee of identity, as it is mostly based on probabilistic frameworks such as behavioral biometrics or device characteristics. Therefore, it is essential to assign the correct level of assurance to each authentication method. Using money transfer as an example, the level of assurance provided by risk based authentication can be assessed as sufficient to let end users transfer money up to a certain amount; above this threshold, end users are asked to step up their authentication level by using a stronger authentication method.
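The following is an added example, not code from the article, showing how the “when” and “how” of the risk based policy above can be expressed as a small decision engine: each action requires a level of assurance, probabilistic signals may lift a password session one level but never to the strong level, and a transfer above a threshold forces a step-up. The action names, the transfer limit and the risk-score thresholds are constructed values.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Level of assurance that the session really belongs to the customer."""
    NONE = 0    # no authentication yet
    LOW = 1     # username/password only
    MEDIUM = 2  # password plus low-risk signals (known device, usual country, normal behaviour)
    HIGH = 3    # explicit strong step-up (e.g. OTP generator or in-app cryptographic confirmation)


@dataclass
class Session:
    authenticated: Assurance  # level granted by the method the user actually completed
    known_device: bool        # device fingerprint seen before for this customer
    usual_country: bool       # request comes from the customer's usual country
    risk_score: float         # behavioural anomaly score, 0.0 (normal) .. 1.0 (anomalous)


# Policy constants (constructed for this example, not taken from the article)
TRANSFER_STEPUP_LIMIT = 500.0  # transfers above this amount always need HIGH assurance
RISK_ANOMALY = 0.8             # above this score the probabilistic signals are not trusted


def required_assurance(action: str, amount: float = 0.0) -> Assurance:
    """'When' to authenticate: different operations carry different risk."""
    if action == "view_balance":
        return Assurance.LOW
    if action == "transfer":
        return Assurance.HIGH if amount > TRANSFER_STEPUP_LIMIT else Assurance.MEDIUM
    if action == "change_limits":
        return Assurance.HIGH
    raise ValueError(f"unknown action: {action}")


def effective_assurance(s: Session) -> Assurance:
    """'How' well the session is authenticated once risk signals are taken into account."""
    if s.authenticated >= Assurance.HIGH:
        return Assurance.HIGH           # a completed strong method needs no risk signals
    if s.risk_score >= RISK_ANOMALY:
        return min(s.authenticated, Assurance.LOW)  # clear anomaly: no lift, at most password level
    # Probabilistic signals lift LOW to MEDIUM only; they can never substitute for HIGH.
    if s.authenticated == Assurance.LOW and s.known_device and s.usual_country and s.risk_score < 0.3:
        return Assurance.MEDIUM
    return s.authenticated


def decide(s: Session, action: str, amount: float = 0.0) -> str:
    """Return 'allow' or 'step_up:<LEVEL>' naming the assurance the user must still reach."""
    need = required_assurance(action, amount)
    have = effective_assurance(s)
    return "allow" if have >= need else f"step_up:{need.name}"
```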
The authentication possibilities are increasing continuously and it is important that banks choose a strategy which is future-proof.
We have identified three concepts, which you, as a bank, need to consider when determining your authentication strategy and ensure you’re ready for the future:
Click here to read all about these concepts in our recent whitepaper on Authentication.
In conclusion, to realize each of the three concepts, the following mindset and architecture changes need to be accomplished; with these in place, we are confident that you have the winning formula: