Nobody can argue that December 7, 1941 wasn’t truly a day that would “live in infamy.” Americans who were alive at the time still remember the sinking sense of loss and despair as we were pulled into a conflict we'd tried so hard to avoid.
But not everyone felt that way. The citizens of the British Empire, attacked that same day in Singapore, may have even breathed a sorrowful, collective sigh of relief. They would have known they were no longer on their own, and that their lopsided conflict would soon see reinforcements by the millions.
What seems catastrophic for some is often relief or even new hope for others.
When the European Banking Authority, pursuant to PSD2’s Article 98, published its final draft on Strong Customer Authentication (SCA) standards this last February, US merchants had a bit of a Pearl Harbor moment. After all, it was just three months earlier that the global analyst firm Gartner had updated its Market Guide for User Authentication to include these insights:
- “Gartner clients identify user experience (UX) as an important selection criterion across all use cases…”
- “UX improvement also drives interest in contextual/analytic and adaptive approaches beyond online fraud detection in banking … ”
- Clients should “seek user authentication methods that best provide the necessary balance among trust (authentication strength and accountability), TCO and UX…”
In an industry driven by constant demands for more frictionless, more pleasurable, less troublesome online experiences, the PSD2 mandate seems certain to move the needle the opposite way.
What’s more, the General Data Protection Regulation (GDPR) is also taking root in Europe, and while it’s focused on data privacy, it speaks clearly to the need for strengthening authentication rather than easing it:
- “Consider multi-factor authentication, especially for remote access. Without putting a burden on the employee, nowadays, the second authentication can be a fob plugged into the device or through the presence of a corporate mobile phone…”
How can stronger authentication NOT conflict with goals for better user experience? Especially when considering the authentication experience of millions on millions of external customers, rather than hundreds or even thousands of internal employees?
The trick to balancing the endlessly competing needs for stronger authentication and better experience is Dynamic Authentication. Dynamic Authentication combines strong authentication solutions, like iovation’s LaunchKey multifactor authentication, with transparent real-time device insights that can highlight risk and respond appropriately to trigger more robust authentication factors when needed.
Dynamic Authentication is Contextual, Continuous, and Complementary
Dynamic Authentication is:
- Contextual: Dynamic Authentication is able to look at a user’s request for access in full context. For example:
  - Has this user’s device been jailbroken or rooted?
  - What type of transaction does the user wish to complete? This may trigger an authorization process.
  - How many applications are on this supposedly “mobile” device?
  - Is the real IP address for this transaction similar to the one being reported by the browser?
  - What’s the CPU speed and the kernel version?
  - Is the SIM operator ID and SIM country consistent with what the location services report?
- Continuous: Dynamic Authentication is not just focused on login points, but can be applied to the entire customer journey. It can respond to rapidly changing risk signals -- not just at the front door, but anywhere in the house.
- Complementary: An important facet of Dynamic Authentication is the need for disparate authentication technologies to work together, hand-in-hand, as the system makes decisions about which method suits the risk/request scenario currently being faced.
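A sketch of the contextual step-up decision described in the list above, as an added example that is not iovation's or LaunchKey's code. The signal names, weights, thresholds and factor names (`push_approval`, `biometric`) are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Illustrative weights, thresholds and factor names (assumptions, not vendor values).
WEIGHTS = {"rooted": 40, "ip_mismatch": 30, "sim_geo_mismatch": 30,
           "few_apps": 20, "payment": 30}
FACTORS = [(60, ["push_approval", "biometric"]), (30, ["push_approval"]), (0, [])]

@dataclass
class Context:
    transaction: str        # "browse", "payment", ...
    rooted: bool            # device jailbroken or rooted
    installed_apps: int     # app count on a supposedly mobile device
    real_ip: str            # address observed server-side
    reported_ip: str        # address reported by the browser
    sim_country: str        # from the SIM operator data
    location_country: str   # from location services

def ips_similar(a, b):
    """Same /24 (IPv4) or /48 (IPv6) counts as similar."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ia.version != ib.version:
        return False
    prefix = 24 if ia.version == 4 else 48
    return ib in ipaddress.ip_network(f"{a}/{prefix}", strict=False)

def risk_signals(ctx):
    """Names of the contextual signals that fire for this request."""
    checks = {
        "rooted": ctx.rooted,
        "ip_mismatch": not ips_similar(ctx.real_ip, ctx.reported_ip),
        "sim_geo_mismatch": ctx.sim_country != ctx.location_country,
        "few_apps": ctx.installed_apps < 5,   # emulator-like device
        "payment": ctx.transaction == "payment",
    }
    return [name for name, fired in checks.items() if fired]

def required_factors(ctx):
    """Score the request and pick the extra factors to demand, if any."""
    score = sum(WEIGHTS[s] for s in risk_signals(ctx))
    return score, next(f for floor, f in FACTORS if score >= floor)

if __name__ == "__main__":
    # Constructed journey: one session, evaluated at every step, not only at login.
    clean = Context("browse", False, 42, "203.0.113.7", "203.0.113.9", "GB", "GB")
    risky = Context("payment", True, 42, "203.0.113.7", "198.51.100.4", "GB", "GB")
    for step in (clean, risky):
        print(step.transaction, required_factors(step))
```

Calling `required_factors` on each request rather than once at login is what makes the check continuous: the clean browsing step passes with no extra factor, while the later payment from a rooted device with a mismatched IP demands two.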
Authentication standards like FIDO can address some of this as well, as this article in The Paypers recently pointed out. But what FIDO will provide some day is available now in next-generation solutions like LaunchKey, which already provide decentralized architecture, asymmetric cryptography, and forward secrecy principles.
What’s been missing is the urgency and the need to bring these solutions to play in today's consumer environment (because, after all, if it’s not broken, don’t fix it). While these new standards may cause some collective angst, they may also pave the way for new innovations.
December 7 was a dark, dark day. But in the same way that the attacks on Pearl Harbor and Singapore sparked America’s engineering creativity, nascent industrial might, and an Anglo-American partnership that thrives to this day, these new payment and privacy standards, along with the challenges they present, will inspire the current generation of solution architects, user experience engineers, and product owners to build some fantastically enjoyable yet surprisingly secure online sites and services.