More than ever before, there may now be credence in the view that the majority of consumers’ personally identifiable information (PII), user names and passwords, and even some authentication tokens have been, or are, at risk of compromise. Between sophisticated hacking schemes and regularly reported and sometimes unreported data breaches, those charged with implementing and maintaining identity authentication and management systems must assume this to be true. In doing so, the need for layered authentication becomes readily apparent. Layered authentication can mean many things to many people, but I would offer it up as diversifying authentication and risk assessment techniques and processes across multiple elements and attributes throughout the customer lifecycle. These elements and attributes corresponding techniques can include:
- traditional PII validation and verification
- identity transaction link analysis and risk attribute derivation
- credit and non-credit data and risk attributes
- identity risk scores
- knowledge-based authentication question performance
- device intelligence and risk assessment
- credentials
- biometrics
and should be layered proportionally by inherent risk per application, addressable population, transaction history and types, current transaction, and access channel for example. Industry guidance such as the FFIEC Guidance of Authentication in an Internet Banking Environment is a solid foundational direction that calls out the need for institutions to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. I would suggest that while this is a great start, it is by no means comprehensive. Institutions across all markets, both private and public sectors, should be exploring all available services and technologies in an effort to reduce reliance on one or only a few methods of authentication and identity management. Particularly, again, assuming that the one method an institution may rely on could be greatly weakened or without value if subject to mass compromise.
Make sure to read our Comply whitepaper to gain more insight on regulations affecting financial institutions and how you can prepare your business.
Learn more about how your business can authenticate consumers confidently.