Karen Webster and Socure’s Ken Allen hosted a digital discussion recently about how the payments and financial service providers should manage the digital identity crisis facing them and reliably authenticate consumers. One framework and 4 pillars later, they offered an approach that might help the ecosystem reconnect with its authentication ego-id-superego.
And as merchants and financial service providers weigh whether traditional methods of consumer authentication have the same power they once did now that commerce has moved online, Allen would give them one piece of advice: They do not.
What Allen means is that the age-old standards of matching a name, address and ID against credit data simply isn’t enough to provide merchants and FIs with sufficient protection against potential fraud. Instead, businesses need to take a layered approach to consumer authentication in a way that accounts for the new data sets made possible in the digital identity era, including factors like social media accounts, emails and even biometrics.
Allen and Webster spent the better part of an hour discussing the best practices for banks and merchants facing the challenges of authentication in a digital age, which Allen says is increasingly determined by behavior.
“Digital identity is one component of the ‘real you’ that’s biometric in essence. Digitally, it’s how we interact, even in person. Behaviors define us; they come together at certain points, and that defines us,” Allen said.
Social interactions and behaviors are becoming the consumer’s identity, their fingerprints, their biometrics, Allen said. But Allen also said that the big problem is determining how to connect all those dots in a space that’s evolving so quickly. Customer interaction habits change fast, and the speed of digital today is nearly immediate. That leaves FIs and merchants with the challenge of having to make accurate decisions fast.
Webster asked Allen: How can FIs or merchants distinguish the data that’s out there, and what actually represents a digital identity that a relying party can have confidence in? Allen says that the answer to that question is about having a model that has adapted to the devices, technology and data that consumers use that are inputs to the immediate verification that’s expected today. Consumers expect their experience to be personalized and secure, but they expect approval to happen fast and without friction.
“The more [that an FI or a merchant] can do behind the scenes passively with a customer using data vendors and then amend that to their decision, the better off they’ll be along the way,” Allen said.
Of course, Webster points out, the notion of authentication of digital identity and verification becomes even more important in today’s ecosystem where real time is becoming a real and expected norm. That means that there isn’t a lot of time to make a good decision, which complicates the equation even more.
“It’s evolving from the merchant space to the banking space much more quickly,” Allen notes in their conversation.
When it comes to breaking down the evolution of authentication, what Socure’s research shows is that, for consumer decisioning, linear simply doesn’t make the cut anymore. Instead, decision-makers must think across multiple pillars: consumer data, behavior, device and payment. And within each of those pillars, there’s multiple aspects to consider, which include:
- Consumer data: Biometrics, phone/email, name/address/SSN
- Behavior: Digital, credit/click-based, in-person
- Device: Tokenized (IoT, cloud), web/mobile, POS
- Payment: Digital wallets, card/bank, cash
“The pillars are what I define as four strategic pillars to build strategy around,” Allen said. “These all define us as individuals. And now, we are moving closer to biometrics.”
Which begs the question from Webster: Are they all weighted equally?
Not necessarily, says Allen.
“Most decisions that have been made across institutions, especially as the card-not-present era came into play, was the making a decision using the data a consumer has keyed in and decided what they are going to buy. You made one decision: How does all this piece together? Then, it’s about collecting and matching data,” he said.
While the payment mechanism used to be the strongest authentication method, that’s since changed in the world of hackers and data breaches, which showed why the payment mechanism alone couldn’t be relied on as the strongest form of authentication.
“Behavior is now coming in as one of the strongest mechanisms to predict the real identity,” Allen said. “If you do enough verification with a person and their data and their associated device and as many pieces you can connect the dots on, you then can start to see abnormal behavior.”
Which is why merchants and FIs can’t just focus on one pillar.
“There is no silver bullet in this framework. At the end of the day, this is a layered approach. How thick or deep that layer is, and which ones you lean on, is different business by business. What this allows you to do is bucket them together to determine if they interact well, and then, they have the stop button if needing to stop it,” Allen said.
In the end, what the real focus is all about is getting as many good and legitimate transactions through the flow and trying to minimize how many people are sent through a more friction-filled process.
Allen contends that the best way to do that it is so take the multiple pieces that support the risks and tolerances that FIs and merchants want to manage that, when pieced together, give them a good indication of how they want to interact with a customer and what then they must do to authenticate them.
“There are a lot of players in the [digital identity] space, and if pieced together, you can have a really good solution,” he said.