Financial institutions are under pressure to implement strong customer authentication solutions. This is part of the process of complying with Payment Services Directives (PSD2). It is a big challenge because there are different considerations to make and the institutions may need to adopt new tools.
Strong customer authentication solutions need to be adaptive. This involves constant workflow processes as opposed to a one-off procedure intended to offer a quick fix that will do little to solve the problem of criminals stealing user information.
Let us first briefly consider the authentication options that are provided for financial institutions under the Regulatory Technical Standards (RTS).
Two Factor Authentication
Financial institutions can choose 2 of 3 authentication options. These authentication options need to be independent of each other to be effective. The three options are based on the following.
- Something that only the user possesses
- Knowledge unique to the user alone
- Something inherent to the user alone
This is intended to deal with online fraud involving a man in the middle who captures user transaction details while the user performs an online transaction and then uses that data. It is a 3-part authentication process which begins with authentication of the transaction by calculating an authentication code which identifies the user. Next is the encryption of the entire transaction to protect any personal data shared in the process. The last step is acknowledging the transaction as authentic and authorized by the user.
App Assisted Authentication
Financial institutions need to adopt the use of mobile apps as a way for users to authenticate transactions. At the same time the institutions need to ensure that in the process of using apps, the user is not exposed to more security threats.
Every transaction needs to be analyzed to seek out possible red alerts that the transaction is fraudulent. This can include taking note of irregular purchase amounts as well as the possible use of malware to intercept transactions. This method however exempts small transactions.
Now that we have established the guidelines that the institutions need to follow, let us introduce adaptive authentication as a solution to complying with RTS.
Adaptive authentication is a continuous analysis of user transaction activity so that it can provide real-time authentication options based on the results of the analysis conducted at that very time and the possible threats that have been determined.
This means authentication is not just repeatedly required in the same way whenever a user tries to perform a task. For example, the level of authentication required to check your balance does not have to be the same as when you need to make a payment.
The level of risk will determine the kind of authentication needed. The larger the amount of money involved, the greater the need for strict multiple authentications. In the end, there will be stronger security but with limited inconvenience on the side of the user.
Even though PSD2 is intended to make the cyber world safer for users to carry out transactions, it can become a bother having to go through numerous authentication procedures all the time. With the involvement of machine learning, the process can be intuitive and adaptive while complying with the guidelines. Here is how this can be achieved.
Independent Authentication Environments
We know that mobile apps cannot guarantee safe environments for transaction authentication. This problem can however be solved by running an independent environment linked to the app so that even if the user is on an unsecured app, the authentication will take place away from that app in a safe environment that has been encrypted and then the transaction can proceed.
Categorized Authentication Based on Risk
Every time a transaction is initiated, an analysis should be carried out automatically to establish the level of risk. Before that, there should be categories of authentication processes that match the risk. For example, checking a balance may require just a password while a transaction over $1000 would need biometric authentication along with a PIN.
Comprehensive Transaction Analysis
Intuitive adaptive authentication cannot run effectively unless there is comprehensive information about a transaction. This means the tools used need to collect as much data about a transaction as possible, starting with the location of the transaction, the device being used, the pattern of the transaction, and so forth. The analysis compares live information with the already collected information about the user's transactional habits so that it can be determined if something is out of the ordinary. This analysis will then be used for authentication.
When the PSD2 guidelines were announced, it seemed like a huge task that financial institutions had been handed. Today however it is evident that the technology is there and with careful utilization of the technology, it is possible to comply with the guidelines as well as ensure that users are safe without being unnecessarily inconvenienced every time they make a transaction.