Frictionless Banking in the Modern World: Six Further Factors of Authentication
Author(s): Mike Wood, Posted on January 20th, 2015
Many of us are now fully accustomed to the contactless world and the joy of ‘tapping’ our bank cards on a reader to enable a simple, low value transaction. For example, Oyster Cards on London’s underground, touching a credit card to buy a coffee, tapping your mobile phone for payment using ‘mobile wallet’ services.
Despite these improvements to card and mobile transactions, mobile banking is not keeping up. In most cases, when trying to access your bank account from a mobile device, you still need a PIN number, a password or answers that you submitted to memorable questions, such as your favourite food or your first pet’s name. Moreover, for some providers you still need to carry around a card reader, a token or a key fob in order to perform a combination of PIN and passcode to get authenticated. These are the traditional two factors of ‘something you have’ and ‘something you know’ and from a customer experience perspective in an ever-connected world, it’s less than ideal.
How can we make this process easier, or ‘frictionless’? Gartner predicts that 30 percent of organisations will use biometric authentication for mobile devices by 2016, but this alone is not a silver-bullet. Beyond the traditional first and second factor techniques, there are a number of additional elements that can support reliable authentication. Aspects such as location, timing, behavioural & cognitive data and social networks can all be bought into play to support seamless authentication and ‘frictionless banking’, for an improved customer experience.
- Location, location, location
Your IP address, GPS location and mobile cell sighting are great examples of rich location data that can be captured and compared to create patterns of behaviour that can help validate transactions. For example, if you spend most of your time in two single locations such as home or work, and you decide to transact within this area, there’s a higher probability that it’s a genuine transaction than one made at a location you don’t normally visit. In addition, location information can be mapped against time of the day, or day of the week, to build a more detailed behavioural pattern of customers.
- Harness customers’ digital fingerprints
Regardless of the device customers use to access their account; it will have a unique MAC (Media Access Control) address that identifies it on a computer network. When combined with the hardware and software configuration of that device, as well as other information exposed through cookies, collection drivers or agents, we can create a ‘digital device personality’ that makes each customer uniquely identifiable.
- Look for the patterns
Consistencies in behaviour are identifiable by the times of day, week, or month that we tend to operate. Humans are generally creatures of habit, and so is not inconceivable that we could fall into a pattern for our banking or other transactional financial services. If you are operating within these ‘peak’ hours which are unique to you and your lifestyle, then it creates a lower risk score than if outside of your prime hours.
- Track the customer journey
We all take a unique journey when navigating a website (page sequence, click speed, dwell time), typing with key rhythms (e.g. speed between characters, pressure, linkage between keys) and interacting with touch screens (e.g. pressure, swipe speed, acceleration). Linking to biometrics, many of our behaviours are sub-conscious and cognitive, which includes habits of how we hold the device (e.g. portrait or landscape), at what angle and the degree of our natural hand quiver or how we operate a mouse. All of these factors can be measured to create a behavioural profile that is distinctive and unique to each user.
- Get down to the biometric basics
With the number of smartphone users worldwide expected to exceed 2 billion by 2016, this provides a rich potential source for biometric capture capabilities like fingerprint scanners, iris scanners, facial and voice recognition, which can significantly cut down the time required to authenticate access.
Let’s also not forget wearable technology, which is predicted to boom over the next few years. This further unlocks possibilities such as cardiac rhythm identification, using your heartbeats – which are as unique to you as your fingerprints – to verify your identity.
Whilst physical biometrics can offer a further step-up challenge to a customer (for example, achieving a risk threshold for a high value transaction or non-intrusive information already captured) it is a simpler journey and offers less friction than having to remembers PINs, passwords or carry around a token. These can be stolen, but many biometrics can’t easily be spoofed.
- Explore customer networks
Social media profiles provide a rich insight into the personal lives and preferences of customers. For example, if a customer is linked to a large number of people whom the bank recognise as having a high trust score, that individual’s score is also more likely to be trusted. Whilst it is relatively easy to create a new social media identity, there are an increasing number of tools designed to score the legitimacy of social media profiles, and this is an interesting and growing area to be investigated.
The secret to success when looking to implement these techniques is to use best of breed packaged applications (where the hard work has already been done), and integrate them together with enhancements to improve quality and user experience. For the financial sector, the winners will be those who can take a holistic approach, and build risk factors (rather than binaries) to balance risk with probability or confidence.
To be effective, this also needs to include a simple enrolment process, life-cycle management and automated workflow. Organisations should also build functionality to correctly calibrate risk engines, in order to create a weighted-risk score which is attributable to each of the authentication factors, and relative to the value of the transaction. For example, checking a balance is a low risk activity – so would therefore have a lower risk tolerance, but a higher step-up authentication would be required for transferring a large sum.
Multi-factor authentication offers a huge opportunity to reduce the friction of modern banking and thus provide the enriched experience that customers are increasingly expecting. This applies to a broad range of financial services providers; not just personal banking, but corporate banking, wealth, asset management, pensions and general insurance. If the customer experience is truly frictionless, then continuous authentication becomes the nirvana.
Unisys will be hosting “Frictionless intelligent banking for a seamless customer experience” with the Biometrics Institute on March 10th 2015. Speakers confirmed so far include Metro Bank, Royal Bank of Scotland, CitiGroup, Lloyds Banking Group, Santander, HM Passport Office, Payments Council and many more. To join us or to find out more information please email firstname.lastname@example.org.