It’s the 21st century marketing mantra: Never underestimate the power of ‘smart.’ We have ‘smart’ phones, ‘smart’ TVs, a ‘smart’ doorbell and yes, even a ‘smart’ dishwasher. What about ‘smart’ authentication?
Multifactor authentication strategies, while rising in popularity, continue to be dogged by the tradeoff between usability and security. In other words, if authentication solutions are not simple and convenient, users will not accept them. That is largely why so-called ‘smart’ authentication strategies have emerged: they contextualize user behavior by comparing it against behavior patterns learned by sophisticated algorithms, aiming to produce experiences that are both more secure and easy to use. This includes continuously monitoring and scoring — in real time — the way users interact with their computers and mobile devices via mouse movements, keystrokes, and gesture dynamics.
Additionally, since the authentication occurs transparently, neither users nor hackers are aware they are being ‘forensically monitored’, and have no “out” to game the system.
Leveraging this contextual data to authenticate a user involves analyzing patterns to evaluate if they match behaviors historically reflected by the user or account holder or, significantly, if they directly correlate with known hacker activity.
For example, if the user’s device accessing an app is geographically located in an area known for hacker activity, rather than the home or office location of the user or account holder, access can be blocked or step-up authentication invoked. Further, if a request to access an account does not originate from a phone associated with the user’s phone number already on file, access can likewise be restricted.
That’s not to say that multi-factor authentication will eventually yield diminishing returns. On the contrary: if the system detects an anomaly in the user’s behavior pattern, additional authenticators (e.g. a one-time password [OTP]) can be required before access is granted. As a result, users are asked to authenticate themselves explicitly only when their expected patterns of behavior change, thereby improving the user experience and amplifying the value of a security strategy that is both convenient and easy to use.
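The allow / step-up / block flow described above, as an added example in Python (not code from VASCO or the original post): each contextual signal the article names — geolocation against the account holder’s usual locations and a known high-risk region, whether the device or phone is on file, and a behavioral baseline (here, inter-keystroke timing) — contributes points to a risk score that decides whether to grant access silently, demand an OTP, or block. The high-risk region, point weights and thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed sample data: a hypothetical high-risk region as a (lat_min, lat_max,
# lon_min, lon_max) bounding box, and score thresholds chosen for illustration.
HIGH_RISK_REGIONS = [(-10.0, 10.0, -10.0, 10.0)]
ALLOW_BELOW, BLOCK_FROM = 30, 70

@dataclass
class Profile:
    known_locations: list   # (lat, lon) points the account holder usually logs in from
    known_devices: set      # device ids / phone numbers already on file
    keystroke_ms: float     # baseline mean inter-keystroke interval

@dataclass
class Attempt:
    location: tuple         # (lat, lon) of the device making the request
    device_id: str
    keystroke_ms: float     # interval observed during this session

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(profile, attempt):
    """Add up points from each contextual signal that fires; returns (score, reasons)."""
    lat, lon = attempt.location
    signals = [
        (50, "device located in a known high-risk region",
         any(a <= lat <= b and c <= lon <= d for a, b, c, d in HIGH_RISK_REGIONS)),
        (30, "more than 500 km from every usual location",
         min(km_between(attempt.location, p) for p in profile.known_locations) > 500),
        (30, "device / phone not on file for this account",
         attempt.device_id not in profile.known_devices),
        (30, "keystroke dynamics deviate more than 40% from baseline",
         abs(attempt.keystroke_ms - profile.keystroke_ms) > 0.4 * profile.keystroke_ms),
    ]
    fired = [(pts, why) for pts, why, hit in signals if hit]
    return sum(p for p, _ in fired), [w for _, w in fired]

def decide(profile, attempt):
    """Map the score to allow, step_up (e.g. demand an OTP) or block."""
    score, _ = risk_score(profile, attempt)
    return "allow" if score < ALLOW_BELOW else "step_up" if score < BLOCK_FROM else "block"
```

A single unfamiliar signal (new device, or a behavioral deviation alone) lands in the step-up band, while a request from the high-risk region far from any usual location exceeds the block threshold; the `reasons` list is what you would log for the fraud team.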
The takeaway? A user’s behavior may change, but the user remains the same person.
So, have contextual authentication and behavioral biometrics entered the early-adopter stage, are they on the verge of becoming mainstream, or are they hovering somewhere in between?
Practically speaking though, how is ‘smart’ authentication being received in the real world? Glad you asked.
“For mobile banking apps, this is a significant development, as financial institutions have traditionally struggled with balancing convenience and security for their mobile users,” says David Vergara of VASCO, one of the cyber security companies serving the financial industry. “As passwords become obsolete, no longer perceived as convenient when it comes to mobile security, users are looking for something they commonly refer to as ‘invisible’. Essentially saying, ‘make it secure, but don’t trouble me with it’,” continues Vergara.
In this new “age of the customer”, it may very well be that a multi-layer approach, inclusive of behavioral biometrics, device recognition, and mobile app ‘security wrapping’, presents the most secure foundation on which to build positive customer experiences.
Read more about “invisible” mobile banking security and how to build a frictionless user experience (by VASCO).