75 million Smartphone users admit that while they are afraid of cyber attacks, they have not set a password for their smartphones according to the latest TransUnion’s Cyber Security Survey. While at first glance, this seems completely alarming and the ramifications could result in identity theft, it is also not surprising as consumers are not technologists and they just need to use their phones. Therefore, instead of continuing to be surprised by results like this, we should look for ways to meet the need for security in ways that don’t inject more friction.
Let’s imagine another scenario whereby authentication may require this data, but doesn’t rely solely upon it. Instead, identity verification is reliant upon a myriad of data points that form intricate web of complex, rich and real-time data that is impossible to spoof, mimic or replicate by nature of its interconnectivity and complexity. Friction dissolves in this scenario because the verification of the user is so accurate and complete that ‘white-glove’ experiences can be offered to what we know to be the genuine human user.
"The security industry, as a whole, typically is most comfortable requiring that customers conform to methodology."
Companies using this approach can monitor behavior in real-time, interdicting where appropriate with options that can escalate based on the risk level. In effect, choosing to interrogate the identity based on what they know about the offered risk behavior. Another way to look at this new methodology is that users ‘earn’ the type of experience they have based on their own offered behavior over time. And, the model continues to learn about users as time progresses developing a more robust understanding, all without collecting any private PII data.
So, while we might continue to bemoan user stubbornness in up-taking basic security protocols against their own best interests, we can start to see that users’ natural behavior can be the basis of the security method. Analyzing sessions in terms who how users are behaving, how they typically behave, and how other humans behave in this context, offers non-invasive pathways to stunningly accurate identification. Online merchants and financial institutions have been focused mostly on checkout, or on transactions where money was moved. This new method allows enterprises, who already collect volumes of account-based data, to now use this data to inform their authentication processes by looking at account creation and login placements in addition to checkout and transaction.
By building authentication on multi-modal data models rather than single point authentication and using user’s natural behaviors, banks and ecommerce companies have powerful frameworks for verifying users that devalue any PII data that hackers collect from unsecured devices. We can stop enforcing security methodology and our tactical requirements on end users and start working with what they are offering -- natural behavior and the potential to discern who they are from it. Currently, many major online retailers and banks are beginning to utilize this powerful passive biometric model. We anticipate that while usernames and passwords will always have some relevance, they will become less and less relevant for user authentication and verification in the future to come.
Companies who are using this new paradigm are learning to doing something really quite old fashioned. Something every successful brick-and-mortar retailer learned long ago. Something so fundamental it used to be pounded into the head of every business grad everywhere, but was somehow forgotten or deprioritized in our race to build online the economy. Know your customer. Learn what they do and what they want, and this knowledge will give you the keys to succeed in all aspects of your business.