Paving the way to smarter phone security

Forcing users into a security paradigm is always going to be a risky proposition, especially in technological environments, where they will only want to interact with their devices in ways they most prefer. Cyber criminals benefit from this dynamic (at present) because it’s tilted in their favor. Single-point authentication methods, especially on mobile, are used to unlock a wealth of vulnerable PII (personally identifiable information). Crack this password and the phone opens up a rich source of income for hackers when mined and sold on the dark web. Until authentication methods no longer require this data, we can’t expect this economy to go away and the dynamic will continue.

Let’s imagine another scenario whereby authentication may require this data, but doesn’t rely solely upon it. Instead, identity verification is reliant upon a myriad of data points that form intricate web of complex, rich and real-time data that is impossible to spoof, mimic or replicate by nature of its interconnectivity and complexity. Friction dissolves in this scenario because the verification of the user is so accurate and complete that ‘white-glove’ experiences can be offered to what we know to be the genuine human user.

Companies using this approach can monitor behavior in real-time, interdicting where appropriate with options that can escalate based on the risk level. In effect, choosing to interrogate the identity based on what they know about the offered risk behavior. Another way to look at this new methodology is that users ‘earn’ the type of experience they have based on their own offered behavior over time. And, the model continues to learn about users as time progresses developing a more robust understanding, all without collecting any private PII data.

So, while we might continue to bemoan user stubbornness in up-taking basic security protocols against their own best interests, we can start to see that users’ natural behavior can be the basis of the security method. Analyzing sessions in terms who how users are behaving, how they typically behave, and how other humans behave in this context, offers non-invasive pathways to stunningly accurate identification. Online merchants and financial institutions have been focused mostly on checkout, or on transactions where money was moved. This new method allows enterprises, who already collect volumes of account-based data, to now use this data to inform their authentication processes by looking at account creation and login placements in addition to checkout and transaction.

By building authentication on multi-modal data models rather than single point authentication and using user’s natural behaviors, banks and ecommerce companies have powerful frameworks for verifying users that devalue any PII data that hackers collect from unsecured devices. We can stop enforcing security methodology and our tactical requirements on end users and start working with what they are offering -- natural behavior and the potential to discern who they are from it. Currently, many major online retailers and banks are beginning to utilize this powerful passive biometric model. We anticipate that while usernames and passwords will always have some relevance, they will become less and less relevant for user authentication and verification in the future to come.

Companies who are using this new paradigm are learning to doing something really quite old fashioned. Something every successful brick-and-mortar retailer learned long ago. Something so fundamental it used to be pounded into the head of every business grad everywhere, but was somehow forgotten or deprioritized in our race to build online the economy. Know your customer. Learn what they do and what they want, and this knowledge will give you the keys to succeed in all aspects of your business.