Jason Paguandas, vice president and general manager, merchant security and fraud at Carat from Fiserv, told Karen Webster that while the technologies may be changing, the password is still stubbornly in place, and for a reason. Paguandas also outlined some key principles guiding the authentication of payments and commerce.
“Authentication is the moment of truth for a customer,” he said, determining whether a merchant or financial institution (FI) can or will proceed with a transaction — or require more verification from the individual.
The problem is that a single bad interaction online can send a consumer to a competitor, after bristling at being prompted to prove themselves again and again, or after a transaction is flat-out denied.
“In most cases,” said Paguandas, “anomalous behavior is what causes that step up,” which should occur infrequently (a 1% challenge ratio would be ideal, he said).
“Because of the vast amount of processing ability available today,” he said, “financial service providers can ingest huge quantities of data to make risk-based determinations of whether we believe a customer” needs further authentication.
In the digital age — where so much is done anonymously — online interactions can be grouped much in the way we think of traffic patterns: green, yellow and red. Populations that fall into the green category are the ones with which merchants and banks feel most comfortable and don’t need stepped-up authentication.
The yellow category might be well-served by leveraging a protocol like 3D-Secure, which provides additional authentication for online debit or credit transactions, or asking customers to supply SMS codes in order to proceed.
Move toward the red zone, and it makes sense to introduce more factors into the mix, with, say, a face ID or even hard copies of documents (as would be seen with an online gaming site, for example).
At a high level, he said, certain principles govern authentication regardless of the technologies being used.
According to Paguandas, “If we are using an authentication mechanism, we should stage that mechanism in a way that is risk based — and it translates to either the value that’s being accessed or the information that’s being accessed by that credential.” The higher the risk, the higher the level of friction introduced in the process.
A multi-layered approach, said Paguandas, is optimal for authentication, and has given rise to biometrics and behavioral profiling.
With those different data points, used in combination, he said, financial institutions and acquirers can get a good understanding of whether a legitimate customer is transacting or interacting based on their behaviors within a digital property.
And, as Paguandas stressed, it is behavioral analysis that often helps identify where and when multi-factor authentication may be warranted. The vast stores of data and analytics noted above, he said, can pinpoint whether an online interaction is “out of pattern.” A customer who typically transacts via mobile phone but now opts to use a browser on a laptop may see some additional verification prompts. So might a change in location, such as when a consumer usually based in the United States is suddenly trying to purchase something in Mexico.
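The traffic-light tiering and the out-of-pattern signals described above (a new device type, a new country, an unusual amount) can be sketched as a small rule-based risk engine that also reports the challenge ratio Paguandas mentions. The Python below is an added illustration, not code from Fiserv, Carat or the article; the signal weights, tier thresholds, step-up action names and the sample customer and events are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    """Traffic-light risk tiers from the article: green needs no step-up."""
    GREEN = "green"
    YELLOW = "yellow"
    RED = "red"


# Step-up action per tier, following the article's examples. Names are illustrative.
STEP_UP = {
    Tier.GREEN: "none",
    Tier.YELLOW: "3ds_or_sms_otp",   # 3-D Secure challenge or one-time SMS code
    Tier.RED: "strong_factor",       # e.g. face biometric or document check
}


@dataclass(frozen=True)
class Profile:
    """Customer's established pattern (constructed example fields)."""
    usual_device: str
    usual_country: str
    typical_amount: float


@dataclass(frozen=True)
class Event:
    """One login or payment attempt (constructed example fields)."""
    device: str
    country: str
    amount: float
    failed_logins_last_hour: int = 0


# Hypothetical weights: how far each signal pushes the attempt "out of pattern".
WEIGHT_DEVICE_CHANGE = 30
WEIGHT_COUNTRY_CHANGE = 40
WEIGHT_LARGE_AMOUNT = 20
WEIGHT_PER_FAILED_LOGIN = 10
YELLOW_AT = 30   # score >= 30 -> yellow
RED_AT = 70      # score >= 70 -> red


def risk_score(profile: Profile, event: Event) -> int:
    """Additive score over anomaly signals; 0 means fully in pattern."""
    score = 0
    if event.device != profile.usual_device:
        score += WEIGHT_DEVICE_CHANGE
    if event.country != profile.usual_country:
        score += WEIGHT_COUNTRY_CHANGE
    if event.amount > 3 * profile.typical_amount:
        score += WEIGHT_LARGE_AMOUNT
    # Cap failed-login contribution so one signal cannot dominate without bound.
    score += min(event.failed_logins_last_hour, 5) * WEIGHT_PER_FAILED_LOGIN
    return score


def tier_for(score: int) -> Tier:
    """Map a score onto the green/yellow/red tiers."""
    if score >= RED_AT:
        return Tier.RED
    if score >= YELLOW_AT:
        return Tier.YELLOW
    return Tier.GREEN


def decide(profile: Profile, event: Event) -> tuple[Tier, str]:
    """Return the tier and the step-up action the flow should take."""
    tier = tier_for(risk_score(profile, event))
    return tier, STEP_UP[tier]


def challenge_ratio(profile: Profile, events: list[Event]) -> float:
    """Share of attempts that were stepped up; the article's target is about 1%."""
    if not events:
        return 0.0
    challenged = sum(1 for e in events if decide(profile, e)[0] is not Tier.GREEN)
    return challenged / len(events)


# Constructed sample: a US mobile shopper, 198 in-pattern attempts plus two anomalies.
BASELINE = Profile(usual_device="mobile", usual_country="US", typical_amount=45.0)
SAMPLE_EVENTS = (
    [Event("mobile", "US", 45.0)] * 198
    + [Event("laptop", "US", 45.0),   # new device type -> yellow
       Event("mobile", "MX", 45.0)]   # new country -> yellow
)

if __name__ == "__main__":
    for e in (Event("mobile", "US", 45.0),
              Event("laptop", "US", 45.0),
              Event("laptop", "MX", 45.0)):
        print(e, "->", decide(BASELINE, e))
    print(f"challenge ratio: {challenge_ratio(BASELINE, SAMPLE_EVENTS):.2%}")
```

A single anomaly (new device or new country) lands in yellow and draws a 3DS or SMS challenge; both together reach red and call for a stronger factor. Tracking `challenge_ratio` over real traffic is how a team would notice that thresholds have drifted far from the 1% target and are adding friction for legitimate customers.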
The United States, of course, is a different market than has been seen elsewhere. Security measures such as PSD2 and 3DS are not mandatory there as they are in Europe.
In the U.S., Paguandas said, “we’re adopting these authentication methods because they reduce friction and lead to an easier customer experience.”
We’re headed toward federated digital identities, he said, linked to the principles of something that’s owned, something that’s known to the customer — and something that they are.
“I think we’ll get to this, hopefully within our generation,” he said. We’re likely to see some government-driven directives surrounding what constitutes a digital ID in the first place, he said, and then, for different types of payment transactions, the levels at which there should be at least some type of authentication.
There still is room for the password, he said, and passwords will prove to be sticky for quite some time. Even as device manufacturers and other entities embrace fingerprint-focused and Face ID technology, passwords are still being populated onto sites — and passwords still have value should other methods of authentication fail.
“You still have to fall back to some credential that a customer can reset or access remotely,” he said, adding that “in the future, where you can access all of your value and your services through one digital ID, you have to take extra care that you are providing that to the right person.”