Traditional authentication measures are failing: Five questions for safeguarding user identity
By Mario Dusaj, Senior Solutions Engineer at CallSign
Users are increasingly becoming frustrated with passwords, and when they have an issue with an identity verification process, 73 percent of consumers question why they are even continuing to interact with a business.
These frustrations are largely due to traditional methods of multi-factor authentication where users are sent a code via text message to complete the login process. Simply digitizing an analog authentication method, rather than redesigning for a digital world, creates an inherently flawed authenticator. This introduces unnecessary friction and vulnerabilities where users are impersonated or tricked into giving their credentials away. Cybercriminals are savvy, and without the proper controls in place, they may be just a click away.
However, companies can take measures to ensure they are positively identifying users and protecting their business from fraudsters. When reviewing the authentication process, they need to ask and answer five questions, and layer in behavioral biometrics wherever possible to identify users.
Is the session secure?
“Is the website or application session secure?” is the first question security leaders should ask themselves, even before looking into a user’s identity. There are instances where scammers use man-in-the-middle attacks to gather information from unsuspecting users through an unsecured website. For example, a legitimate website may have a compromised link embedded in its page that redirects the user to a page that looks and feels real but is instead siphoning off the user’s information.
By tracking unusual traffic, businesses can detect compromised sessions and secure a user’s digital identity before it’s too late.
Are you engaging with a real human?
Once a session is secure, companies must ask “am I engaging with a real human?” to ensure the user is not a bot.
When someone hears “bot,” it’s rarely associated with something good. In the past, bots have made headlines by altering consumers’ perception of the media and even competing with humans for Black Friday deals and one-of-a-kind inventory like the highly coveted PlayStation 5. These tactics are not new, and bots currently account for 64 percent of internet traffic, with 39 percent of that traffic consisting of bad bots that scrape information and perform malicious activity.
These bad bots may be engineered to conduct a reverse brute force attack that utilizes stolen information from a data breach, and forces millions of login and password combinations into the system until a match is found. Instead of relying on a CAPTCHA to confirm whether users are human, companies can use behavioral biometrics to passively determine if someone’s physical interactions with a device align with human characteristics.
Human behavior is very hard to replicate, unlike the repetitive input of a bot during a brute force attack.
Is the user genuine?
Apart from detecting bots, companies must also confirm whether the human user attempting to enter a website is genuine and not an imposter.
Similar to finding out whether a user is a bot, companies can use behavioral biometrics and location information to see if a user’s activity is legitimate by comparing it with past interactions on the company’s platform. For example, this method analyzes how a user swipes or holds a phone, compares that to their past habits, and detects whether the user’s location is a regularly visited area.
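As an added illustration of the bot check in the previous section and the baseline comparison described here (example code written for this article, not Callsign’s product), the snippet below scores one login attempt from keystroke cadence and location. The telemetry format, the baseline profile and all thresholds are assumptions; the sample data is constructed.

```python
"""Toy behavioral-biometrics triage: bot check, then comparison to the user's own baseline."""
from statistics import mean, pstdev

# Illustrative thresholds (assumptions, not published values).
MIN_HUMAN_MEAN_MS = 40    # a mean gap below this for every key is faster than human typing
MIN_HUMAN_STDEV_MS = 8    # humans jitter; scripted input is metronomic
MAX_BASELINE_Z = 3.0      # how far from the user's past cadence before we step up

# Constructed telemetry: milliseconds between successive keystrokes in one login form.
HUMAN_SESSION = [180, 95, 240, 130, 210, 160, 110, 190]
BOT_SESSION = [12, 12, 12, 12, 12, 12, 12, 12]
FAST_STRANGER = [60, 80, 50, 85, 65, 75, 55, 90]   # human-like jitter, but not Alice's rhythm
ALICE_BASELINE = {"mean_ms": 165, "stdev_ms": 25}  # constructed summary of Alice's past sessions
ALICE_COUNTRIES = {"US"}


def looks_human(intervals):
    """Return False for bot-like cadence (too fast or too regular), None if too little signal."""
    if len(intervals) < 5:
        return None  # not enough keystrokes to judge; let another control decide
    return mean(intervals) >= MIN_HUMAN_MEAN_MS and pstdev(intervals) >= MIN_HUMAN_STDEV_MS


def baseline_z(intervals, baseline):
    """Distance of this session's mean cadence from the user's past sessions, in std devs."""
    return abs(mean(intervals) - baseline["mean_ms"]) / baseline["stdev_ms"]


def assess_login(intervals, baseline, country, known_countries):
    """Combine the bot check, behavioral drift and location into one verdict.

    'block'   -> question 2 failed: this is not a real human
    'step_up' -> plausibly human, but not clearly the genuine user (question 3)
    'allow'   -> cadence and location match the account's history
    """
    human = looks_human(intervals)
    if human is False:
        return "block"
    drift = baseline_z(intervals, baseline)
    new_location = country not in known_countries
    if human is None or drift > MAX_BASELINE_Z or new_location:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    for name, session, country in [("human", HUMAN_SESSION, "US"), ("bot", BOT_SESSION, "US"),
                                   ("stranger", FAST_STRANGER, "US"), ("travel", HUMAN_SESSION, "FR")]:
        print(name, assess_login(session, ALICE_BASELINE, country, ALICE_COUNTRIES))
```

A production system would feed many more signals (touch pressure, device posture, navigation timing) into a trained model; the structure of the decision, a hard bot gate followed by a softer genuineness check, is what the example shows.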
Another tactic a company can use is hiring an identity verification provider that uses various forms of identification, such as a driver’s license and a selfie, to have absolute certainty that the user is who they claim to be.
These next two questions are where things get more difficult, yet essential to thwarting fraudsters using more advanced tactics.
Is the user a victim of a scam?
Once a user accessing an account is determined to be legitimate, their access should still be looked at with skepticism, as it’s possible they fell victim to a scam such as a social engineering or Remote Access Trojan (RAT) attack. For example, a fraudster may phone the user claiming to be a bank representative, warn them of a cyberattack, and press a sense of urgency to transfer money to a new account controlled by the scammer.
To detect these types of attacks, companies will need to use advanced intelligence and dynamic intervention. Applied together, these can help when a user is transferring a large amount of money to a suspicious account: the tools prompt a phone notification asking custom, dynamic questions, such as whether the user is currently on the phone with someone from the “bank.” If they respond in the positive, the prompts urge the user to cancel the transaction and immediately call the bank at its real phone number.
How can we manage risk and user experience?
Companies should reflect on the first four questions and ask how they can best strike the balance between exceptional customer experience and security, while considering the benefits that behavioral biometrics can provide in bridging this divide. Authentication platforms that combine these solutions in a single platform are one viable way to do both.
What we’ve learned from traditional fraud and authentication measures is that users won’t tolerate an interrupted user experience, yet companies need to have the most robust security measures in place. By working through these five questions, companies can assess their cybersecurity posture and determine how best to leverage biometrics to reduce fraud seamlessly.
About the author
Mario Dusaj is a Senior Solutions Engineer at Callsign, previously working as an IDM Engineer at Identropy Inc. and as a Security Analyst at Ally Financial. He graduated from the University of Michigan-Dearborn with a software engineering degree.
DISCLAIMER: This Biometric Update Industry Insights post is submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.