By Ben Goodman, VP of Global Strategy and Innovation, ForgeRock
Security of customer data isn’t just a legal imperative for banks, it’s a competitive differentiator. In the age of connected devices, Open Banking and GDPR, the role security plays in driving business objectives should not be underestimated. Ultimately, the banks and financial services organisations that strike the right balance between ironclad security processes and intuitive user experiences will attract and retain customers.
Striking this balance isn’t easy. Despite consumers taking a far greater interest in the safety of their personal data, many find the process of adopting more secure measures such as two-factor authentication tedious. Their reluctance to leverage relatively simple but admittedly clunky tools puts the onus back on to financial institutions to ensure that people’s information and assets are protected.
The route to protective-yet-intuitive security for banks is therefore through the adoption of multi-factor security processes that utilise the latest technology. In contrast with legacy security systems, the modalities available now can simultaneously improve the user experience for customers and strengthen the safety of their information – things that have been traditionally at odds with each other.
From the front door to the time of action
Online banking portals, apps and platforms currently ask customers to authenticate their identity exclusively at the ‘front door’: customers are presented with a login process when they open the app or webpage, but once they have completed this they are free to access all of the available features and services. On its own, this has the potential to be tremendously insecure and is also deeply opaque in terms of demonstrating to customers how their identity is being authenticated and protected, hence the drive to encourage customers to adopt continuous authorisation.
The power of scalable authorisation engines, when paired with the sheer variety of modalities of authentication available now, means that we have the scope to move beyond this simple ‘front door’ approach to access. Instead we can now adopt a smarter, more nuanced system that presents customers with the appropriate option at the right time. Whether this is an iris scan to deposit a cheque, a voice command to check a balance, or a selfie to request a statement, there will simply be no reason for banks to persist with outdated, unaccountable authentication methods. The technology exists to boost the security of customers’ accounts at every stage and in ways that require the appropriate amount of friction for what they are trying to do.
Enter behavioural biometrics.
What are behavioural biometrics?
Behavioural biometrics are a next-generation technology looking specifically at behavioural factors and using them as a form of authentication and assurance. The technology evaluates unconscious actions such as how people walk, hold a device or even how fast they type to create a user profile or ‘virtual fingerprint’ that is unique to that individual. This is combined with contextual clues such as the WiFi network, GPS location and the timing of the customer’s actions.
As a customer conducts tasks, for example on their banking app, behavioural biometrics creates a score showing the likelihood that they are the account owner. This can be as accurate as a fingerprint, making it an essential instrument in banks’ security toolkits. The process can be tailored so that more sensitive actions, such as transferring money, require a higher confidence score than less risky ones, such as checking a balance.
The result is a customer experience that is not only more secure; it’s far more convenient. In the age of IoT, the vast majority of us carry devices with us which we use for everyday personal finance tasks such as paying bills or splitting the cost of last night’s dinner. Equipped with touch-sensitive screens, accelerometers and gyroscopes, the sensor-filled devices in our pockets are poised to interact with and interpret outside stimuli like never before – a true sea change when it comes to the widespread adoption of behavioural biometrics.
That allows us to collect a lot more data. Using machine learning and artificial intelligence, technology providers are able to use that data to create more reliable user profiles, enabling higher levels of confidence in the technology and a groundswell of adoption in financial services.
For example, banks like Lloyds Banking Group and Deutsche Bank have employed measures to identify if a customer’s mobile phone is physically stolen or compromised by malware. From behaviour with the phone alone, the technology will generate a score that indicates a level of certainty that the person using the phone is who they say they are. This score, in tandem with other security context clues, gives customers the information they need to determine whether they trust the end-user they’re interacting with – helping to prevent unsafe transactions or account takeovers.
Why frictionless can be fraught
With behavioural biometrics, it’s tempting to imagine a consumer opening their banking app, checking their balance, paying their credit card bill and transferring some cash without any annoying passwords or thumbprints. Behavioural biometric security would work seamlessly in the background, protecting the customer at every stage without intruding on their experience.
While this is not necessarily an implausible vision, it may be misguided today. In taking the security burden away from customers, a totally seamless security user experience could actually erode customer confidence and satisfaction. For example, imagine you are transferring £10,000 to an account you have never interacted with before. If you are not explicitly asked to complete some form of additional security measure, say providing a thumbprint or taking a selfie, you are unlikely to feel confident that your identity (and money) is being handled securely.
As such, banks don’t need to stretch for a totally seamless user experience. In fact, re-injecting friction into the user experience – if done in the right way and at the right time – can provide greater visibility of security processes and a stronger sense of trust – with the added bonus of removing tedious login processes at the front door.
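The time-of-action model described above, as an added sketch that is not code from the article or from any vendor: each action needs its own confidence level, contextual clues lower the behavioural score, and a large transfer to a new payee always gets a visible check however high the score is. Every action name, threshold and penalty here is a constructed assumption; the article gives no figures beyond the £10,000 illustration.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions): minimum confidence per action,
# so that transferring money demands more than checking a balance.
REQUIRED_CONFIDENCE = {
    "check_balance": 0.50,
    "request_statement": 0.65,
    "deposit_cheque": 0.75,
    "transfer_money": 0.90,
}
# Constructed penalties for the contextual clues the article lists.
CONTEXT_PENALTY = {"unknown_wifi": 0.10, "unusual_location": 0.15, "unusual_time": 0.05}
VISIBLE_CHECK_AMOUNT = 1_000  # new-payee transfers at or above this always step up
DENY_BELOW = 0.20             # effective score this low is treated as likely takeover


@dataclass
class Request:
    action: str
    behaviour_score: float                  # 0.0-1.0 likelihood of being the owner
    context_flags: frozenset = frozenset()  # keys of CONTEXT_PENALTY that fired
    amount: float = 0.0
    new_payee: bool = False


def effective_score(req):
    """Behavioural score after subtracting penalties for risky context."""
    penalty = sum(CONTEXT_PENALTY.get(flag, 0.0) for flag in req.context_flags)
    return max(0.0, req.behaviour_score - penalty)


def decide(req):
    """Return 'allow', 'step_up' (explicit thumbprint/selfie style check) or 'deny'."""
    if req.action not in REQUIRED_CONFIDENCE:
        return "deny"  # fail closed on actions the policy does not know
    score = effective_score(req)
    if score < DENY_BELOW:
        return "deny"
    # Deliberate friction: a silent pass on a large first-time transfer would
    # erode trust, so the background score alone is never enough here.
    if (req.action == "transfer_money" and req.new_payee
            and req.amount >= VISIBLE_CHECK_AMOUNT):
        return "step_up"
    if score < REQUIRED_CONFIDENCE[req.action]:
        return "step_up"
    return "allow"
```

The same score of 0.6 lets a balance check through silently but forces an explicit check on a transfer, which is the tailoring the article describes.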
Towards a security toolkit
No single piece of authentication technology can be the solution to protective-yet-intuitive security. Behavioural biometrics is a gamechanger, but it must work alongside other tools to improve the customer experience and user security.
The right multi-factor toolkit will allow banks to orchestrate the different modalities, methodologies, and signals provided during a user authentication process to provide the most secure, most intuitive authentication possible. The reward, in an increasingly competitive market, is customer acquisition and retention that drives business objectives.