In my previous three postings, I’ve covered basic principles that can define a risk-based authentication process, associated value propositions, and some best-practices to consider.
Finally, I’d like to briefly discuss some emerging informational elements and processes that enhance (or have already enhanced) the notion of risk-based authentication in the coming year. For simplicity, I’m boiling these down to three categories:
1. Enterprise Risk Management – As you’d imagine, this concept involves the creation of a real-time, cross channel, enterprise-wide (cross business unit) view of a consumer and/or transaction. That sounds pretty good, right? Well, the challenge has been, and still remains, the cost of developing and implementing a data sharing and aggregation process that can accomplish this task. There is little doubt that operating in a more silo’d environment limits the amount of available high-risk and/or positive authentication data associated with a consumer…and therefore limits the predictive value of tools that utilize such data. It is only a matter of time before we see more widespread implementation of systems designed to look at a single transaction, an initial application profile, previous authentication results, or other relationships a consumer may have within the same organization — and across all of this information in tandem. It’s simply a matter of the business case to do so, and the resources to carry it out.
2. Additional Intelligence – Beyond some of the data mentioned above, some additional informational elements emerging as useful in isolation (or, even better, as a factor among others in a holistic assessment of a consumer’s identity and risk profile) include these areas: IP address vs. physical address comparisons; device ID or fingerprinting; and biometrics (such as voice verification). While these tools are being used and tested in many organizations and markets, there is still work to be done to strike the right balance as they are incorporated into an overall risk-based authentication process. False positives, cost and implementation challenges still hinder widespread use of these tools from being a reality. That should change over time, and quickly to help with the cost of credit risk.
3. Emerging Verification Techniques – Out-of-band authentication is defined as the use of two separate channels, used simultaneously, to authenticate a customer. For example: using a phone to verify the identity of that person while performing a Web transaction. Similarly, many institutions are finding success in initiating SMS texts as a means of customer notification and/or verification of monetary or non-monetary transactions. The ability to reach out to a consumer in a channel alternate to their transaction channel is a customer friendly and cost effective way to perform additional due diligence.