The journey towards zero factor authentication

From digital banking to online commerce, the consumption of online business services has changed consumer behaviour and expectations. Gone are the days when people were willing to stand in line to open a bank account or checkout at a retail store. Nowadays, they expect millisecond response at online marketplaces. They want to use emerging payment types like digital wallets. Peer-to-peer payments are on the rise. As a result, in today’s digital economy, a well-orchestrated customer experience in digital channels is a competitive necessity, not a luxury.

The reality of creating an optimal customer experience, however, can be challenging. The cost of fraud for the financial services market has never been higher, owing largely to the proliferation of fraudulent online accounts. Competing objectives of revenue growth and risk mitigation mean that while businesses in this market are working to ensure that they can detect fraudulent accounts before they can wreak havoc, the added layers of authentication add friction to the customer user experience.

The Q2 2018 Fraud Index Report from my own company, DataVisor, showed a startling trend: as many as one in five cloud user accounts may be fake. In fact, for some cloud services, more than 75% of accounts may be used by hackers. More than 40% of application fraud comes from coordinated attacks, with single fraudsters operating multiple fraudulent accounts.

To combat this ever-growing rise in fraud, organisations are using multiple layers of authentication factors to verify the validity of a user’s identity.

The emergence of n-factor authentication

Several types of authentication factors can typically come into play in preventing fraud, which are often combined for comprehensive protection. They include password factors (from ATM PINs to computer passwords), SMS factors (two-factor authentication codes), knowledge factors (username and passwords), possession factors (smart cards), and biometric factors (fingerprints or voice prints – or even optical scanning).

Proving online identity used to mean combining two or more of these factors, commonly referred to as “multi-factor authentication.” This approach has been proven effective in enterprises of all sizes. In July 2018, Google reported that phishing attacks of its employees almost stopped after the company began requiring the use of two-factor authentication security keys across its business.

While multi-factor authentication increases the chances of detecting a fraudulent account or even possible identity theft, it is extremely cumbersome for users. In some cases, authentication happens to be based on data purchased from third parties, which consumers consider to be private information – like mortgage payments. Users typically balk at sharing so much personal information, and see it as an invasion of their privacy.

Moreover, multi-factor authentication does not even provide as much robust security as one might assume. Take, for example, the recent Facebook attack, where more than 30 million user accounts were hacked.

Attackers manipulated access tokens to compromise normal user credentials. This is not surprising, especially when tokens are used to represent authenticated users and there is no re-authentication for subsequent interactions. The systems assume that these tokens are from real users.

The identity of the future

While technologists are busy inventing new methods to add another layer of authentication to identify users, at DataVisor, we are exploring the utopian vision of “zero factor authentication”. This vision uses advanced technologies to build a digital DNA that integrates online behaviours (across device, activities, and biometrics) to uniquely identify each customer. With artificial intelligence, the reality of “zero factor authentication” is closer than we think.

There are three critical elements to realising the vision of zero factor authentication:

(1) Robust data collection: a more fine-grained data collection that forms the basis for deriving the digital DNA is imperative. Today, organisations suffer from data loss as it trickles into downstream systems. They lose their integrity and in that process lose valuable signals that could be used to build the digital identity. To be effective, organisations have to look into building and maintaining identities in real-time, using data streams at their source versus in batch.

(2) Constant analysis of data: this is an analysis in which users are continuously “re-authenticated,” in passive mode, instead of using authentication at a given point in time.

(3) Transparency: when augmented with transparency and control, users become part of the customer journey, have better control and influence over how their identity is being built and used, and choose if they want to opt-in or opt out of zero factor authentication. Many companies like Google are allowing users to control the data they want to share and how that information gets used, thus users can choose their “own journey.” The goals are to gradually establish confidence and trust in this new authentication paradigm, and to demonstrate that it is equally secure, or can, in fact, be more secure.

The next generation platform needs to rethink digital identity and authentication in a transformative way. Advances in technology must be able to combine machine and human intelligence to deliver zero factor authentication and not n-factor authentication. Current authentication methods expose too many loopholes – third-party apps, tokens, and APIs that can be leveraged by attackers.

Adding more layers of authentication simply means that as an industry we have failed to build a path to building a better digital identity. As AI becomes the driver for intellectual horsepower within the organisation, authentication means better security, greater trust, and personalised user journeys – all enabled by Zero-Authentication.

This editorial was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce and banking, and financial services ecosystems. Moreover, it provides payment and fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

About Yinglian Xie

Yinglian is the CEO and Co-founder of DataVisor, a successful AI-based fraud detection technology company. Before founding DataVisor, Yinglian worked at Microsoft Research for more than seven years on numerous projects focused on advancing the security of online services with big data analytics and machine learning. Yinglian completed both her PhD and post-doctoral work in Computer Science at Carnegie Mellon University and holds over 20 patents.

About DataVisor

DataVisor is the next-gen fraud detection platform based on cutting-edge AI technology. Using proprietary unsupervised machine learning algorithms, DataVisor helps restore trust in digital commerce by protecting businesses against financial and reputational damage caused by fake user accounts, account takeovers, and fraudulent transactions.