Checking that a user is who they claim to be whilst they are online is the fundamental basis of cybersecurity. We’re all used to being authenticated at some point in our online journeys, whether it’s through a password login, or an OTP sent to our phones when we’re attempting to make a transaction.
Why do we need continuous authentication?
The more authentication checks there are during an online session, the more secure against fraud attacks it is, for both the bank and their customer.
This is why Strong Customer Authentication (SCA) is required under EU financial regulation PSD2, where users must present at least two separate factors of authentication.
These factors must come from at least two of the following categories: something the user is (inherence), something they have (possession), and something they know (knowledge).
However, it also follows that the more checks you require the user to go through, the more frustrated and dissatisfied they will become at the process, and the more likely customers are to even give up altogether.
McKinsey reported that during the global pandemic, more than one in five banking customers in Spain and Britain tried online banking for the first time. It’s the same story for retail bank customers around the world.
So, with a huge amount of competition already existing between the many players in this market, and a post-pandemic landscape seeing a huge shift towards online banking and contactless payments, banks cannot afford to lose out now due to a poor online customer experience.
Current ID checks not stringent enough
In addition to the poor user experience that might be created by multifactor authentication (MFA), traditional authentication methods, such as those discussed above, may no longer be rigorous enough to comprehensively protect users from fraud attacks.
Methods of authenticating users, such as the traditional password login, are fast going out of date.
This is for two reasons:
- Phishing attacks, the most common type of social engineering fraud and the oldest trick in the book, consistently succeed at swindling users out of their login details.
Plus, any corporate data breaches can result in the legitimate usernames and passwords of thousands of customers ending up for sale on the dark web. (Read more about this in our blog on passwordless authentication.)
- Fraudsters are constantly coming up with other, more advanced methods of circumventing the online authentication methods designed to stop them, such as remote access trojans (RATs), which cyber-criminals use to seize operational control of a user’s device after they’ve logged in, or injections of malware mid-session.
If a user’s identity is only verified at one-off instances during their online session – at the moment of login or transaction – this does not protect them against account takeover (ATO), where a fraudster hijacks a user’s account midway through their session using these techniques to avoid the authentication moments.
What is continuous authentication?
By analyzing users’ behavioral biometrics – such as the way a user moves the mouse, the speed and rhythm with which they type and the angle at which they usually hold their phone – a unique profile can be created for every single user based on thousands of parameters surrounding their online interactions and behaviors.
This means that an anti-fraud solution founded in behavioral biometrics can compare a user’s behavior against their entire online history to check ensure that they are who they claim to be.
This analysis can produce a risk score in real time relating to the level of threat to the user or their account’s security.
And by comparing the user’s behavior against their own profile, rather than against clusters of ‘good’ or ‘bad’ users or behaviors, this sort of solution can become extremely accurate to each user, and avoid generating false positives or negatives.
Again, the important idea is that this occurs continuously, throughout a user’s entire online banking session, from login to logout, meaning they are protected them from both ATO or fraudsters attempting to use legitimate, stolen credentials to gain access to their account.
A frictionless user experience
The biggest advantage of continuous authentication for banks is the frictionless user experience it facilitates. The technology delivers passive protection, working behind the scenes to analyze the user’s behavior throughout their entire online session.
There is no active requirement for users to input any information except their login details.
Plus, one of the two factors of authentication required under PSD2 and SCA – in behavioral biometrics’ case, the factor of inherence – is carried out invisibly to the user, meaning the user experience is actually tangibly improved by the introduction of continuous authentication.
And risk scores being generated in real-time means that the level of threat to security can be assessed by the bank, before the level of security and number of authentication checks is altered to reflect the level of threat.
The security can then be stepped up to ensure the user is who they say they are or – importantly for promoting a frictionless user experience – de-escalated, to remove hurdles from the path of a legitimate user, or even to avoid blocking a legitimate user from their own account altogether. And this can all occur during the same online session.
Continuous authentication: dynamic fraud prevention that leaves the user uninterrupted
Continuous authentication facilitates banks’ compliance with financial regulation, is more secure in its protection against fraudsters, and is extremely accurate, as deep learning technology means a behavioral biometrics-based solution can become more accurate every time a user logs in.
With passwords potentially on the way out, the quest for the most frictionless user experience continually underway, and the PSD2 deadline to implement SCA looming, it’s safe to say that the ability to verify users’ identity seamlessly in the background while they’re online is going to be of paramount importance in the not-too-distant future.