Traditional methods that identify customers online through personally identifiable information (PII), such as social security numbers, passwords, signatures and account credentials have all been rendered obsolete by the avalanche of data breaches, that since 2013, equals more than 9 billion records exposed.

Half of all adults in the U.S. have had their personal information stolen, opening the door for hackers to open lines of credit in someone else’s name, or to steal money, products and services.

Fraudsters no longer need to know scripting languages, database structure or commands to affect an attack. Anyone with a few bitcoin can mount an attack that previously required technical know-how and prowess.

A password written on paper
Adobe Stock

This shift has dramatically increased the number of accounts compromised, and the number of attackers compromising them. This dangerous wild west scenario is pushing improving or revamping online authentication to the top of this year’s to-do list for both online companies and governments as well.

The challenge is to come up with an authentication framework that will not only identify legitimate customers online but also do it easily without frustrating consumers. Using just one identifier is doomed to failure. For example, if a user is authenticated only by looking at the device, IP or location and that user travels out of town, it might be construed as a fraudulent transaction and blocked based on location. That is not convenient for loyal customers who have accessed accounts for years and then blocked while on a business trip or vacation.

On the flip side, cybercriminals are pros at spoofing IP, device and location information. In the end, companies might be letting fraudulent transactions go through while penalizing good customers. That is not a balanced equation that leads to business success.

It is time for online companies to extend a virtual hand to customers by rendering static information such as passwords, credentials, SS/SIN numbers and Motor Vehicle information more valueless to cybercriminals and identifying customers by multiple layers of identification requirements but importantly, those layers that include their behavior — something that cannot be replicated, stolen or spoofed.

It is known as dynamic intelligence that employs passive behavioral biometrics and can track and analyze hundreds of identifiers, for example: how the users hold the device, how hard they press the keys or how fast they type, to name a few of the hundreds of data points that can be monitored and analyzed.

Dynamic tools such as behavioral analytics and passive biometrics can also be combined with a layered defense and other biometric tools such as facial recognition, fingerprints, retinal scans, voice prints and more. While no tool is infallible, the layered approach is one way to fortify security.

When dynamic authentication tools are integrated, they can provide a more accurate output by combining probability, risk management and behavior to give companies a more accurate picture of whether or not a high-risk transaction is occurring.

A risk-based authentication infrastructure looks across multiple vectors of the user’s interaction such as device intelligence, connection, behavioral analytics, and passive and active biometrics powering a dynamic and intelligent authentication solution. There are solutions on the market now that can identify machines from humans, then separate good machines from bad, selects known humans from unknown humans, and finally sorts unknown humans demonstrating low-risk signals from unknown humans demonstrating high-risk signals, all in real time.

This process lets organizations fast-track the known and low-risk users for an optimal experience, saving the friction and traditional step-up authentication methods for the highest risk users. These layers validate the user through information that hackers can’t replicate, securing the good user’s transaction at every step.

With a newly created authentication platform that utilizes a layered defense based on behavioral analytics and passive biometrics, companies can now offer a safer online transactional environment. When good customers are clearly identified, companies can provide premium loyalty rewards or specialty offers to solidify customer relationships.

Combining real authentication with ease of use and customer rewards extends the virtual handshake and enhance brand reputation at the same time. Cutting down on fraud can also result in significant cost savings.

Robert Capps

Robert Capps

Robert Capps is vice president of business development for NuData Security, a Mastercard company.