Adaptive identity authentication is the process of tailoring each customer authentication to the specifics of the request. It involves calibrating multiple sets of risk indicators to determine the type of authentication needed, and how strong to make it.
Adaptive identity authentication is increasingly important. Customers want to start and finish their interaction as quickly and easily as possible. Financial institutions meanwhile want to ensure that the user really is their customer to an appropriate level of confidence, but without inconveniencing them too much. This is the dilemma, especially for those that are reliant on digital interactions.
Confidence is Key
This authentication – proving that the user is the same customer as the one who enrolled – is different from knowing who they are; their name, date of birth, mother’s maiden name, etc. In principle it’s a simple test: “Is it the same person as my customer?” In reality, the ideal question is “Do I have enough confidence that this is the same person as my customer?”
This sounds more complicated, and it is, but it’s also more powerful. Without real-time DNA testing there is no 100% certainty that the person presenting themselves is the same as your original customer, but you have to be certain enough of their identity to meet the circumstances and understand the risk that the transaction represents.
Defining and identifying risk indicators is important for each activity a customer might want to do. Over a dialogue with a customer, online, or in person, it’s possible that step-ups in authentication may be required. These cover different areas including:
Interface - The point of access for the customer including branch, kiosk, merchant terminal, mobile device or PC. Compromise could be by malware, theft or other techniques.
Communication - The communications between the point of access system and company systems. In person it is relatively secure, but customers may be coerced.
Behavioural - The way a customer uses a device, a payment system or product, or their account. Each can contribute signals to identify “out of character” activity.
Transaction - The specific action a customer wants to authenticate. This includes making a payment, changing their address, adding a new authentication mechanism or downloading their data. The data defining the transaction represents separate risks - for example, the risk that the customer is paying a fraudster, not their intended payee.
Contextual - The threat landscape which the institution or industry is experiencing, including known attacks. In some cases, these will be technically defined, in some cases related to social engineering and in others these contexts will be patterns of activity that indicate a higher fraud risk, for example, changing an address and requesting a new credit card.
Available Methods - The authentication mechanisms available to the institution and the customer at the point of authentication. This may be a restricted set depending on where the customer is and what equipment they have with them. In some cases, they may be unable to reach the necessary level of confidence, so being able to delay transactions for later execution may be important.
Confidence Required - The level of assurance the institution requires that the user is their customer. In many cases this will dictate the set of methods which could be used.
Compliance - The legal and regulatory rules around what authentication methods are mandated - for example, rules around contactless and e-commerce payments and legislation implementing Payment Services Directive 2 in Europe. This may also mean that a transaction such as a low-value payment could be exempt from authentication.
The residual risk that the user claiming to be the customer is not the customer must be less than the risk the institution is willing to accept for that transaction, taking into account its implications and not just its face value.
For example, if you buy a bottle of soda and a newspaper using a contactless card payment, the transaction risk of £3.50 is low and so are the authentication requirements. If you buy a second-hand car for £7,500 using a card, the risk is higher and so the authentication method should be stronger. If you change the address on your account (which could enable further frauds and losses), the authentication method should be very strong.
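The decision rule above, as an added worked example rather than code from the original article: a small Python policy engine that derives a required assurance level from the transaction (with a low-value exemption), derives the confidence already in hand from the interface and behavioural signals, and then either allows, steps up to the cheapest available method that closes the gap, or defers the transaction when no available method can reach the required level. The assurance levels, method names, thresholds, weights and the exemption figure are all hypothetical values chosen for illustration, not figures from any regulation or standard.

```python
"""Adaptive authentication policy engine (illustrative, assumptions throughout).

Each request carries risk signals in the areas listed above. The engine
maps transaction risk to a required assurance level, maps passive signals
to the confidence already held, and picks a step-up method or defers.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0    # no authentication, e.g. an exempt low-value contactless payment
    LOW = 1     # one weak factor, e.g. a recognised device or a password
    MEDIUM = 2  # two factors
    HIGH = 3    # two factors with strong binding, e.g. biometric on a bound device


# Assurance each mechanism provides when it succeeds (hypothetical table).
METHOD_ASSURANCE = {
    "session": Assurance.LOW,
    "password": Assurance.LOW,
    "app_push": Assurance.MEDIUM,
    "sms_otp": Assurance.MEDIUM,
    "biometric_on_bound_device": Assurance.HIGH,
    "branch_id_check": Assurance.HIGH,
}

# Assumed low-value exemption threshold in currency units; an example value only.
LOW_VALUE_EXEMPTION = 30.0


@dataclass
class Request:
    transaction: str                 # "payment", "change_address", "add_auth_method", "export_data"
    amount: float = 0.0
    new_payee: bool = False          # transaction data risk: paying a payee never seen before
    device_known: bool = True        # interface: is this a device bound to the customer?
    device_compromise_suspected: bool = False  # interface: malware / theft signals
    behaviour_anomaly: float = 0.0   # behavioural: 0 (normal) .. 1 (very out of character)
    threat_level: float = 0.0        # contextual: 0 .. 1 from current fraud intelligence
    recent_address_change: bool = False  # contextual pattern: address change then new card
    channel: str = "mobile"          # "mobile", "web", "branch", "pos"
    # Methods available at this point of access, listed in order of preference (cheapest first).
    available_methods: tuple = ("session", "password", "app_push", "sms_otp", "biometric_on_bound_device")


def required_assurance(req: Request) -> Assurance:
    """Transaction risk -> minimum assurance, including an exemption for low-value payments."""
    if req.transaction == "payment":
        if req.amount <= LOW_VALUE_EXEMPTION:
            base = Assurance.NONE
        elif req.amount < 1000:
            base = Assurance.LOW
        else:
            base = Assurance.MEDIUM
    elif req.transaction in ("change_address", "add_auth_method", "export_data"):
        base = Assurance.HIGH        # these enable further fraud, so always strong
    else:
        base = Assurance.MEDIUM
    # Transaction-data and contextual signals step the requirement up one level.
    if req.new_payee or req.recent_address_change or req.threat_level >= 0.7:
        base = Assurance(min(base + 1, Assurance.HIGH))
    return base


def current_confidence(req: Request) -> Assurance:
    """Confidence from passive signals (interface + behaviour) before any active challenge."""
    if req.device_compromise_suspected or req.behaviour_anomaly >= 0.7:
        return Assurance.NONE        # compromised device or out-of-character use: start from zero
    if req.device_known and req.behaviour_anomaly < 0.3:
        return Assurance.LOW         # a recognised device behaving normally counts as one weak factor
    return Assurance.NONE


def decide(req: Request):
    """Return ("allow", None), ("step_up", method) or ("defer", None)."""
    need = required_assurance(req)
    have = current_confidence(req)
    if have >= need:
        return ("allow", None)
    # A suspected-compromised interface cannot be trusted to run the challenge either,
    # so only an out-of-band, in-person method is acceptable from it.
    if req.device_compromise_suspected:
        candidates = [m for m in req.available_methods if m == "branch_id_check"]
    else:
        candidates = list(req.available_methods)
    for m in candidates:             # first (cheapest) method that reaches the required level
        if METHOD_ASSURANCE.get(m, Assurance.NONE) >= need:
            return ("step_up", m)
    return ("defer", None)           # cannot reach the needed confidence here; execute later


if __name__ == "__main__":
    # The three cases from the text, as constructed sample requests.
    print(decide(Request("payment", amount=3.50, channel="pos")))
    print(decide(Request("payment", amount=7500.0)))
    print(decide(Request("change_address")))
```

The ordering of `available_methods` is the cost order the institution prefers, so the engine never asks for more friction than the required level needs; the compromised-device branch shows the case from the "Available Methods" indicator where no method at hand can reach the required confidence and the transaction has to be deferred rather than approved with a weaker check.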
Where can businesses get guidance for their policies? In addition to general guidance from NIST, ENISA and the NCSC, the British Standards Institution has recently published a code of practice on Digital Identification and Strong Customer Authentication which covers the components of a risk model for transactions. These sources can help ensure a holistic and adaptive approach to the authentication risk.
In short, adaptive authentication is about common sense: match the risk of the transaction, including its implications, to the risk that it isn’t the customer doing it. The only difficult thing is making sure you have all of your risks identified, based on reliable and real-time data.
Adaptive identity authentication includes the orchestration of all methods of authentication, including biometrics. For more information about how biometrics can be integrated into a comprehensive solution that helps you to achieve truly adaptive authentication, read our white papers: