Strong Customer Authentication
Businesses sometimes have a tough row to hoe when it comes to securing customer data. In many cases, customers themselves can be the biggest obstacles to securing data, yet it is the business that often suffers the most when customer data is stolen or accessed without proper authorization. Every year, the company Splashdata publishes a collection of the top 100 passwords culled from the dark web. No matter how many times consumers are warned to create strong, secure passwords, the passwords "password" and "123456" have firmly retained the top one and two spots for the past five years.
With customers themselves so stubbornly resistant to securing their own accounts, it falls to businesses to protect the data their own customers won't. As a result, many businesses are instituting strong authentication policies that rely on far more than just a login ID and a password. Strong customer authentication is sometimes referred to as two-factor authentication but in truth most customer authentication protocols are actually multi-factor authentication procedures.
What Are Authentication Factors?
In addition to requiring the standard login ID and password, strong customer authentication requires customers to authenticate their credentials in a number of ways. Generally speaking, strong customer authentication requires verification from two or more of the following factors:
- Something you have: This can include the device that customers generally use to log in from or it can also include something the customer controls like an email or cell phone account.
- Something you know: This can include your login and password but it can also include answers to pre-arranged security questions or personal information such as the last 4 of your social security number or your banking PIN.
- Something you are: Most modern devices contain some type of biometric scanning such as a fingerprint scanner or facial recognition software. The use of behavioral biometrics is also on the rise, but has not become mainstream just yet. The time may soon come when how you swipe your phone or the specific pressure you use to type in a code (as well as which hand you use) will also be used as authentication methods.
- Somewhere you are: Geolocation services can determine at least the rough geographical area where a customer generally logs in from. If that changes, it can trigger secondary protocols.
How Does Strong Customer Authentication Work?
By now, most people have become familiar with the idea of simply holding a smartphone up to their face and having it automatically log them into their accounts. To them, this may seem like single-factor authentication, but in truth there are a number of unseen factors in play. The first authentication factor (the one they are aware of) is facial recognition software (something they are). That facial recognition scanning, however, unlocks a previously entered login ID and password (something they know). The system recognizes the IP address of the device they are logging in with as one belonging to them (something they have) and that the basic geographical region they are logging in from is one they generally log in from (somewhere they are).
If any of these factors change, such as the geographical area the customer is logging in from or the device they are using, it can trigger secondary protocols. In that case, the customer may be asked to enter a code sent to the email address or phone number on file or they may be asked to answer security questions in order to gain access to their account.
Multi-factor authentication has become so successful at securing customer's online accounts that it has led to an increase in phone fraud. The issue that most businesses have is that customer service agents are trained to meet the needs of the customers not protect their accounts. Therefore, their primary agenda is to help the customer in any way they can. This can sometimes include actually providing them with information they should be asking for or accepting partial information as complete. Another problem with telephone authentication is that it often relies on personal information that is all-too-easily accessible now, thanks to a number of high-profile data dumps on the dark web. Where social security numbers were once sacrosanct, the last four digits of almost anyone's social security number can be had for a few dollars at most and the same is true of personal information such as someone's address and phone number.
As a result, many businesses have started to institute secure protocols for customer service lines as well. Some of these protocols include sending a text to the customer's cell phone or requiring the agent to enter a PIN the customer sets up in advance before they themselves can access any of the customer's information. In this way, they can authenticate the identity of their customers via phone in many of the same ways they do online.
iovation is a leading provider of strong customer authentication solutions to help companies detect and prevent online fraud.
Ready for the next step?
Provide your good customers with a sleek, speedy and secure login experience. Choose invisible device-based authentication or multifactor methods that adapt based on a perceived threat.
See More Resources