The entrenched divisions between identity proofing, user authentication and fraud detection – once an efficient separation of roles and responsibilities – are fast becoming a liability in the digital business environment.
That’s the thesis of Gartner’s new report: “Take a New Approach to Establishing and Sustaining Trust in Digital Identities.” It’s a must-read if you’re responsible for Identity and Access Management (IAM), Fraud Prevention, or Identity Proofing in your organization.
Historically, identity proofing, user authentication and fraud detection have been isolated activities and disciplines. Fraud was reactive, executed by its own department. In contrast, IAM (further divided into identity proofing and user authentication) focused on moments of initiation: the creation of an account or the precursor to a transaction.
These functions grew up separately in large part due to their funding: fraud prevention originated with a physical loss prevention team and was funded from a risk budget. IAM came much later as digital access overtook physical access. In addition, each group dealt in different time frames: fraud operated on previous transactions, IAM operated on a real-time basis. (Now they both operate in real time, but often act as if they’re in different “philosophical time zones.”)
As a natural consequence, the arc of a visitor’s experience – from account creation to authentication to fraud review – was punctuated by pauses and stripped of context.
Context? Yes, today a user’s account will only include a single identifier, unique to the system, and a set of attributes relevant to the system. Hundreds of contextual indicators – identifiers, attributes, preferences, behaviors and histories – are ignored. This additional information wasn’t immediately valuable to any one function, so it was left out.
That must change. Why?
For a start, the conventional practice of issuing and managing user accounts and credentials is becoming optional. Anonymous visitors may engage with your organization as guests. A hacker may access a user’s account with stolen login credentials. Both scenarios bypass the conventional approaches to identity proofing and authentication at login, and require more flexibility from the organization.
What’s more, fraud detection now operates in real time, as we stated earlier. As we’ve been showing on this blog for years, a device serves as a proxy for its user. If the device has a reputation for poor behavior, then you have reason to treat it with caution, even in the first milliseconds of your first encounter.
So, the time has come to break down the now-arbitrary divisions between identity proofing, user authentication and fraud detection. Blend their complementary insights for smarter, faster decision making. Extend the palette of identity assurance from a series of disparate parts into one continuum that includes ongoing identity proofing and user authentication, enriched with continuous fraud detection.
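To make the two preceding paragraphs concrete, here is an added example (written for this post, not code from Gartner or from the blog’s own products) of a single decision function that blends the three disciplines: device reputation accumulated from past fraud and login events, the strength of the current authentication, and the identity-proofing level of the account. The event weights, thresholds, assurance levels and device histories are all assumptions chosen for illustration. The point it shows is that a guest with no credentials and a returning account holder are scored by the same continuum, and that a device with a bad history is refused in the first encounter regardless of whether a valid password was presented.

```python
"""Added example: one risk decision that blends device reputation,
authentication strength and identity-proofing level.
All weights, thresholds and sample histories are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Tuple


class Action(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask for stronger authentication or proofing
    REVIEW = "review"     # let it through but queue for fraud review
    DENY = "deny"


# Assumed weights: positive events raise risk, good history lowers it.
EVENT_WEIGHT: Dict[str, int] = {
    "login_ok": -1,
    "purchase_ok": -2,
    "login_failed": 2,
    "chargeback": 10,
}

BAD_REPUTATION = 10   # score at or above this is refused outright
UNKNOWN_DEVICE_RISK = 3
HIGH_VALUE_THRESHOLD = 500.0
HIGH_VALUE_RISK = 5
REVIEW_AT = 4         # net risk that triggers manual review
STEP_UP_AT = 8        # net risk that triggers step-up


# Constructed device history, the kind of record a fraud team accumulates
# over time (device_id, event). Not real data.
SAMPLE_EVENTS: Tuple[Tuple[str, str], ...] = (
    ("dev-A", "login_ok"), ("dev-A", "login_ok"), ("dev-A", "purchase_ok"),
    ("dev-B", "chargeback"), ("dev-B", "login_failed"), ("dev-B", "login_failed"),
    ("dev-C", "login_failed"),
)


class DeviceReputation:
    """Running reputation score per device, fed by fraud and auth events."""

    def __init__(self) -> None:
        self._score: Dict[str, int] = {}

    def record(self, device_id: str, event: str) -> None:
        self._score[device_id] = self._score.get(device_id, 0) + EVENT_WEIGHT[event]

    def is_known(self, device_id: str) -> bool:
        return device_id in self._score

    def score(self, device_id: str) -> int:
        # A device never seen before is neutral; uncertainty is added by assess().
        return self._score.get(device_id, 0)


def build_reputation(events: Iterable[Tuple[str, str]]) -> DeviceReputation:
    rep = DeviceReputation()
    for device_id, event in events:
        rep.record(device_id, event)
    return rep


@dataclass
class Session:
    device_id: str
    authenticated: bool      # False for an anonymous guest
    auth_strength: int       # 0 none, 1 password, 2 multi-factor (assumed scale)
    proofing_level: int      # 0 none, 1 self-asserted, 2 document-verified (assumed)
    transaction_value: float


def assess(session: Session, reputation: DeviceReputation) -> Action:
    """Blend device reputation, authentication and proofing into one action."""
    device_score = reputation.score(session.device_id)
    # Bad device history is decisive even if the credentials were valid:
    # this is the stolen-credential case.
    if device_score >= BAD_REPUTATION:
        return Action.DENY

    risk = device_score
    if not reputation.is_known(session.device_id):
        risk += UNKNOWN_DEVICE_RISK
    if session.transaction_value >= HIGH_VALUE_THRESHOLD:
        risk += HIGH_VALUE_RISK

    # Each level of authentication and proofing offsets risk equally (assumed).
    assurance = 4 * session.auth_strength + 4 * session.proofing_level
    net = risk - assurance

    if net >= STEP_UP_AT:
        can_step_up = session.auth_strength < 2 or session.proofing_level < 2
        return Action.STEP_UP if can_step_up else Action.REVIEW
    if net >= REVIEW_AT:
        return Action.REVIEW
    return Action.ALLOW


if __name__ == "__main__":
    rep = build_reputation(SAMPLE_EVENTS)
    for s in (Session("dev-A", True, 2, 2, 50.0),     # loyal, MFA, verified
              Session("dev-B", True, 1, 0, 20.0),     # valid password, bad device
              Session("dev-Z", False, 0, 0, 20.0),    # guest, new device, low value
              Session("dev-Z", False, 0, 0, 600.0)):  # guest, new device, high value
        print(s.device_id, s.transaction_value, assess(s, rep).value)
```

The same function serves the guest who never logs in (no credentials, so the device and transaction value carry the decision) and the account holder whose password was stolen (valid authentication, but the device that presents it has a chargeback history). Splitting those checks across an IAM login gate and a later fraud queue would let the second case through at login.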
Fraud tools for identity proofing, and vice versa? Madness. Bring IAM and fraud leaders together to collaborate on overlapping requirements and responsibilities? Unheard of.
Yes, it runs contrary to conventional wisdom, but we’ve departed from ‘convention.’ It’s time to rethink historical divisions that may no longer serve your customers or your organization.