By Kyle Kilcoyne • April 19, 2017

Beyond Two Factor Authentication: Balancing Compliance and UX Demands

Identity verification tools are emerging to empower companies to keep up with shifting regulatory demands while also addressing consumer requirements for excellent app experiences.  The question is, what approach to user authentication can strike the right balance between UX and data security?


As consumers embrace digital lifestyles, they are becoming more dependent on online and mobile services for sensitive tasks. An Econsultancy report put this trend in clear terms by pointing out that, generally speaking, people remained anonymous online in the past. Recently, however, the growing social media movement has combined with online banking, e-commerce and similar services to remove anonymity. While this makes it easier for consumers to take advantage of online services, it also adds a layer of risk. Identity fraud online can leave attackers able to take over multiple accounts as people tie more parts of their personal lives to more services. Within this climate, fraud is on the rise. Javelin Research found identity fraud instances increased by approximately 16 percent year-over-year in the U.S. during 2016. Organizations working to serve digitally enabled consumers must develop strategies to provide service flexibility and responsiveness without sacrificing security.

2FA / KBA / biometrics


The explosion of SMS-based two-factor authentication (amid technological devaluations from NIST) highlights just how far businesses still have to go to find this balance. Passwords are almost universally hated. KBA is being hammered right now (as it should be). Biometrics are currently limited in their reach and consumer adoption. Organizations need better options to verify user identities, particularly as they work to launch online services for functions that have long remained in-person affairs - such as setting up bank accounts or interacting with the government. The question is, what approach to user authentication can strike the right balance between UX and data security?

 

Passwords are inherently problematic. As users need to protect sensitive data, they must have powerful, complex passwords. With more online services requiring those passwords, individuals must keep track of multiple complicated passwords, creating complexity and user experience challenges. According to a Gartner report, the average digital consumer has over 150 usernames and passwords.

 

Knowledge-based authentication (the last name of your 3rd grade teacher) has been all over the news lately as cyber criminals continue to target common security questions, such as a mother's maiden name or high school alma mater. What's more, when multiple organizations use the same questions, identity thieves can find one answer through a breach or on the black market, and subsequently gain access to many of a single user's accounts. Look at the recent Yahoo! breach. Over one billion identities were compromised, exposing answers to security questions and honey pots full of other personally identifiable information (PII) that can be used downstream to perpetrate fraud at scale.

 

Biometrics could be the answer as underlying technologies continue to advance with strong adoption among state and federal government agencies. However, consumer adoption has been slower than expected. In fact, the Department of Homeland Security's Office of Biometric Identity Management (OBIM) is currently engaging PR teams to help increase public awareness for biometrics. The other big challenge for any biometric product is enrollment. You need a credible, originating source to compare subsequent authentications against. That's where the biometric-bearing government-issued ID (and most popular global form of identity assurance) makes sense.

 

 

ID verification for user authentication
 

Digital ID verification services are proving essential as they can meet regulatory compliance demands without forcing organizations to sacrifice the user experience. Being able to process identifications digitally online enables organizations to make a simple check of a physical ID, just like they would in person, within their web or mobile apps.

 

For example, if an individual wants to open a checking account through a mobile banking app, Confirm would allow the phone's camera to scan the ID and our system would provide real-time review and rapid feedback on the authenticity of the document. Furthermore, we can extract data from the ID to autofill forms, which helps organizations decrease signup abandonment rates by 40%.

 

Our team views identity document authentication as the critical starting point of a user authentication strategy. What makes Confirm unique is that our technologies provide the sophistication that regulatory leaders need alongside the usability that developers and customers care so much about. Effective user authentication in our digital, mobile world depends on balancing convenience with security, and our advanced document capture and authentication technologies help make that possible.

 
 