Why Versus How: Evaluating the Reason for the Authentication to Determine the Best Method
There seems to be much variation in how the authentication of individuals is accomplished. There is no single solution or approach as the need for authentication varies, the level of veracity required varies, and the available authentication methods vary. It is a three-dimensional problem. Choosing the right solution and technology is aided by looking at these three dimensions and using them as a means of triangulation.
Perhaps the single most crucial baseline factor is the risk associated with authentication. For example, there is a significantly different risk associated with authenticating someone to use YouTube than providing access to a financial account. This is an excellent place to start when determining the veracity, security, and acceptable user experience. This is not to say that better veracity and security should not be considered in all cases, but if ease-of-use tradeoffs are being made, the risk profile is paramount.
The need for authentication has several factors that should be considered. Is it a one-time authentication, or will it be required more often than that? Examples of one-time authentication may include digital payments to a company, entry into a confidential virtual meeting, or digital signing of documents. Access to financial accounts would require recurring authentications, as would other examples like access to confidential data in a work environment.
The third factor is the available means of authentication. While using a mobile phone or a desktop PC with a camera and other sensors opens a broad range of authentication technologies, using a landline phone or a chat session may be more limited. In fact, natural friction is introduced here because enterprises may want to allow a customer, user, or employee to do as much as possible with any available communications channel but may be forced to trade that off against acceptable risk.
Evaluating these three dimensions, let’s explore a few examples to illustrate how these factors have been considered, some issues with those considerations, and the road forward. Perhaps the most pressing examples are those that involve financial transactions.
Let’s start with a simple example of a credit card payment. It is common practice in today’s online and even the landline voice world to provide credit card information, including CVV and ZIP code, to complete purchases. These are referred to as “card not present” transactions as the physical card is not physically scanned, the security chip does not play a role, and sadly, almost anyone with this information could use the card fraudulently. The only authentication being done here is matching the CVV and possibly ZIP code belonging to the card. This is seen as an acceptable risk because the percentage of fraud is simply considered a cost of doing business. Billions of dollars stolen over a trillion dollars in transactions spread the cost to everyone in higher credit card fees. A one-time authentication of the user with a credit card scan and a driver’s license scan using a high-resolution camera on a smartphone could mitigate this problem. The real question to be answered is, would an enterprise be willing to forego transactions with 10-15% of customers not possessing a smartphone?
For a financial account, it is common practice today to have voice callers authenticate using knowledge-based authentication, where several questions are answered to authenticate the customer. Most financial institutions these days require multi-factor authentication, like a 6-digit code, PIN number or a liveness check, all of which may help a little bit, but are not sufficient for a number of reasons that I may cover in a future blog.
It is common practice amongst fraudsters to gather enough information about the target customers to pass these hurdles. To avoid this, a recurring equally high veracity authentication mechanism would be needed. In this case, a customer could enroll in biometric authentication (more than one factor is possible, for example, voice and facial) using the same technology as the high veracity one-time authentication described above to prove their identity and to enroll their biometrics. A smartphone with suitable sensors would also be needed in this case. All future transactions of significance would require this high-veracity biometric authentication.
At the other end of the spectrum, when is less stringent authentication OK? This partly depends on which side of the fence you are on. For the enterprise, less stringent authentication may be acceptable if the risk to the enterprise is low. The YouTube example above may be such a case. For the end user, the risk may be measured by how much personal information the enterprise has and how a bad actor could use that information to harm the individual. There may be no risk to the enterprise if a fraudster obtains an end user’s address. This is not the case if a fraudster uses this information and other “harmless” data collected in other ways.
Authentication is not a one size fits all proposition. Veracity varies, privacy varies, and user experience varies. Understanding the risks, the user experience tradeoffs, and the tools available when choosing the proper authentication solution is essential.