Lisa McFarland, executive vice president and chief product officer at Ingo Payments, told PYMNTS that authentication across digital channels requires a multi-pronged approach.
At a high level in the digital age, as parties interact and transact online, “there’s the desire to know that you are, in fact, interacting legitimately,” she said. “… And it gets more complicated all the time.”
McFarland’s observations — as part of the “What’s Next in Payments: Authentication: What’s New and What’s Next?” series — took stock of the challenges firms face in striking the right balance between security and convenience online.
The fact remains that fraudsters have become adept at using the anonymity of the internet, and the proliferation of sensitive data on the dark web, to their own benefit. Social engineering and other scams cloak bad actors in the guise of legitimacy, and enterprises, merchants and financial institutions find it hard to ascertain that someone is who they say they are.
A decade ago, the password may have been a sufficient gateway to identification and security — a simple form of knowledge-based authentication that could be used across all manner of commerce, she said.
“We’ve all learned the hard way that the password is no longer sufficient,” McFarland said.
On the consumer side of the equation, passwords are a less-than-optimal means of authentication, as they are easily forgotten or often must be updated, which introduces friction into the experience.
What’s needed — and what’s been underway long term — is the addition of other sources of data to authenticate and identify people and entities. That multi-dimensional approach can take several avenues, such as adding devices, biometrics and other lines of identification.
McFarland stressed that no single one of those additions will be enough on its own. A biometric authenticator, for example, is accessible only after a password is entered; a fraudster with access to that password or device will be able to initiate fraudulent transactions or impersonate a legitimate user.
A multifactor approach, she said, “can offer sufficient credentials to get to a level of certainty for a given transaction.”
Higher-risk transactions — with higher dollar amounts, for example — may demand even higher levels of intervention or examination (such as geolocation of a device or IP address), with more friction injected into the mix.
Asked by PYMNTS whether there’s an optimal level of friction that can be introduced, McFarland said that all parties understand why, when and how stepped-up authentication might be introduced, which entails reaching out to consumers and level-setting their expectations.
Against that backdrop, McFarland said, the added friction “reflects positively on the business” that has been upfront about protecting consumers, their money and their credentials.
There’s a long road ahead toward triangulating various tech-driven data points such as biometrics and device-level analytics. McFarland noted that many firms are still reliant on passwords in part because they are still grappling with legacy tech stacks. Partnerships with firms including Ingo Payments can offload some of the technical heavy lifting and help firms embrace more robust authentication methods.
In the meantime, the password will prove to be a sticky presence in commerce, even if it won’t be — and indeed should not be — the sole source of authentication.
“I don’t think that knowledge-based information will be gone entirely,” McFarland told PYMNTS, adding that it has “its advantage, at least in terms of multifactor authentication.”