The evolution of authentication
Whether you’re 25 or 55, you’ve seen a tremendous amount of change in the past few years in how people interact, communicate, pay for things and in what they do in their free time. Those changes are happening faster today due to shifts in technology, culture and globalization. In online commerce (e-commerce or m-commerce) change is moving faster still, as those transactions eclipse the ones at physical points-of-sale or in bank branches.
Whether a consumer is opening an online account or a credit card, or engaging with a teller at the bank, authentication is the cornerstone of trust in financial relationships – and it’s particularly important as new consumers are onboarded or information is changed on a profile. If the average loss incurred on a fraudulent “new” bank account in the U.S. is approaching a couple of thousand dollars, and the average loss for a merchant is several hundred dollars, it pays to ensure that users are properly authenticated as new accounts are opened.
This evolution has come about due to the changes in engagement. Banks had been able to eyeball a new consumer and verify that the person looks like the photo on their ID card, that their signature matches, etc. This is no longer possible in a digital-preferred world. For this reason, the traditional means for institutions to mitigate risk has generally been built around vendors that match “credit header” data of the individual attempting the transaction. If an individual has the correct name, address, ID and other credentials, is that enough? Unfortunately not. That kind of data has been repeatedly breached in recent years and exposed in far too many ways, and fraudsters have more of our information than we ourselves know or recall.
From the other end of the spectrum, social media accounts have been active for almost 10 years, e-mail has been the main form of written communication for over 15 years, and wireless phone number portability – resulting in people keeping one phone number seemingly for life – has been in place for almost 20 years. These have led to digital keys that are centered around e-mail addresses and phone numbers, creating easy-to-remember unique identifiers for individuals centered on both devices.
Authentication sits today at a crossroads; it needs to be more digital, more secure and, at the same time, unobtrusive to the individual. The evolution of authentication comes from both the legacy credit agency and physical end of the spectrum, for its veracity, and from the digital end, for its security and ease of use.
Bringing more of the world’s population into the banking system, able to transact digitally and in real-time, requires an adaptation of the legacy processes of authentication. To do this, we need to look at the identity verification (or consumer decisioning) process and the credit (or transaction decisioning) process separately. Viewed this way, consumer decisioning or identity verification has evolved quickly alongside major technology advances over a few definable eras:
Pre-internet: Transactions occurred in person, with name/address validation, or phone number at times, if the institution didn’t know you personally. Communication and verification generally occurred only in person, or via the mail.
Internet: Transactions started occurring virtually or “not-present,” with verification of data including email, phone or “device-fingerprinting.” Communication started shifting to emailed receipts or instructions, or to “out of band authentication,” such as a phone call, but generally occurred while the consumer was at a home or work location.
Mobile Web: Today, transactions occur “on-the-go” on a website or through an app, sometimes even via social media. Location is both more relevant (for convenience) and less relevant (for where a good or service is delivered), with geo-located smartphones providing precise location data. Communication has shifted to push notifications and SMS messages, so verification methods aren’t as consistent or common, and verification is more software-based than hardware-based.
With that framework in mind, we have shifted into a new age of verifying and authenticating consumers. No matter the level of risk, diligence is required on the customer and the transaction they are performing. For the most part, banking relationships are in the early “Internet Stage,” while younger consumers want “Mobile Web” (e.g., they rarely step into a branch).
Whether you’re a bank or an online retailer, intrusive processes that impede transactions are bad for business. Physical or virtual, perpetuating the momentum of a transaction improves conversion and shopping cart completion.
Taking the online, social and digital patterns of consumers as the core of a “digital persona,” and overlaying that with offline and known customer information, creates a much stronger authentication and fraud prediction system. Putting digital identity at the core of those processes enables better prediction of normal versus abnormal behavior and thus fraud risks.
This surfaces a passive, yet intelligent and data-driven approach.
As the world of authentication continues to evolve, how we identify and spend our time as individuals will be a critical core component of consumer decisioning. Trying to stay on top of the evolving use of data left as “digital exhaust” is a passive, yet intelligent way to perpetuate authentication. This means that institutions on all sides of an account and transaction should use as much data as possible, without requiring expensive manual processes or additional consumer friction. Building on this new type of data, while using means across the eras previously described, is an art and science designed to enable the ideal experience for your consumers.
I’ll not be the first nor last to talk about this change, but I can safely say from my experience that the requirement to advance along this framework is timely and getting more urgent by the day.