Humans aren’t great at trading off immediate convenience for protection against possible future threats. The Coronavirus crisis has made this all too evident. As the Wall Street Journal pointed out, at every level of U.S. government and healthcare, people made decisions that prioritized immediate objectives and operational efficiencies, leaving the country woefully unprepared when the pandemic hit.
We all do it. On a less epic level, for example, I feel the natural human skew toward what’s easier, more convenient or more urgent when I go to access shared folders on Box. I know why our Box administrator enabled this added security feature, and it’s the right thing to do. Still, when I have to delay access to input a one-time security code sent via SMS, I feel a slight rub of friction.
Many of us have mixed feelings about convenience and security. Ask yourself how you’d react if a digital service notified you that occasionally, at random intervals or in high-risk situations, you would be asked to re-verify you’re really you by submitting a quick selfie for biometric comparison against the digitized ID you submitted at onboarding?
Hmmm… “A bit over the top,” you may be thinking. Yet this is one of the approaches some companies are considering to counter the surge in account takeover fraud.
Consumers still prize convenience—but they care about security too
Our attitudes toward customer experience and security are complicated.
In the digital age, it often seems convenience trumps everything. In fact, according to a survey conducted by Mitek in 2019, consumers put the top three benefits of establishing a digital identity as: 1. convenience (66% of respondents); 2. speed (49%); and 3. access (31%).
But reliably verified digital identities are beneficial for security as well. Specifically, they’re becoming critical for defending online and mobile accounts against takeovers by fraudsters and the recent surge in identity fraud scams. Javelin Strategy and Research's 2021 Identity Fraud Study: Shifting Angles, shows that in 2020 identity fraud losses totaled $56 billion, with 49 million consumer victims.
Consumers are starting to become more concerned about security. If you compare the Experian’s annual Global Identity and Fraud Report, you’ll see that attitudes gradually shift from an almost complete focus on customer experience in 2017, to a desire for a more balanced approach by 2020.
Experian research also shows that businesses are becoming more aware of how intertwined identity verification and fraud defense have become. In the 2020 report, 84% of businesses said they believe that if they can better identify customers, they will more easily spot fraud. Interestingly, although 95% of businesses claimed they could accurate identify their customers, 55% of consumers disagreed. They didn’t feel confident their providers were accurately recognizing them, a concern that reduced trust.
Businesses are challenged to find the right balance
It’s not easy for businesses to get the convenience-security balance right given the changing attitudes of today’s consumers and changing fraud trends. Some of the difficulty may have to do with how they’ve viewed and handled identity and fraud in the past.
For instance, some traditional banks were accustomed to managing identity and fraud in completely separate ways. They verified identity at account origination, then ran analytic fraud detection on customer transactionals. Different groups within different line of business “silos” were in charge of these methods, with little information sharing across them. That’s a problem because siloed defenses are often blind to schemes that cross lines of business and come into play months after a false identity has been used to open a new account.
Some fintechs and online marketplaces have a different challenge. Intent on rapid customer onboarding to drive growth, they’ve minimized identity verification at account origination, perhaps accepting identities from other digital platforms and services, perhaps running some background authentication processes. Often it’s only later—if unusual transactional patterns indicate fraud or dormant accounts suddenly become active—that more explicit identity verification is invoked. As a result, some companies are letting too many fraudsters onto their platforms, where they pose a threat to other customers.
Other companies in these and other retail industries are taking a more comprehensive and unified approach. For them, identity verification is not just for onboarding. They’re looking at how to extend it throughout customer journeys. They see secure, reliable digital identities as key not only to fraud defenses, but to delivering the hyper-personalized experiences digital leaders are now innovating—and which consumers will someday expect from every company.
Multi-factor authentication for sure—but which factors?
We’re seeing increased adoption of two+ factor authentication for login. Unfortunately, traditional factors, such as passwords or knowledge-based Q&A are still in play, but there’s also an uptick in use of security tokens and SMS codes, physical biometrics, passive biometrics and behavioral biometrics. According to Javelin's 2021 study, consumers now trust fingerprints (66%), facial recognition (63%), and retinal scanning (62%), over traditional one-time passwords (52%) and knowledge-based authentication (43%). (to find out more about the advantages and disadvantages of biometrics, see the blog here).
While there’s growing consensus that a mix of methods, rather than a single “silver bullet” method, is the best way to go, many companies are unsure of which methods to choose.
My view is that choosing the right combination of methods is extremely important—but the right choice is not always going to be the same choice. Instead, I think we’re moving toward adaptive approaches which vary the mix to fit different use cases, risk levels, and customer expectations and preferences.
In many situations, passive methods will be preferable because they minimize friction. At the same time, I think we’ll see more use of active methods, and perhaps not just for high-risk and high-value transactions. Explicit identity verification—like a request for a current selfie—could be invoked if a customer’s online behavior becomes unusual or passive biometrics indicate elevated fraud risk.
The way I think of this new approach is that we’re threading identity awareness through the customer journey, and placing a verification “stitch” at certain points. These stitches could be triggered, as I suggested, in a variety of applications: when a consumers’ ID expires, new regulations requiring more oversight by companies, or even high-value transactions that don't match normal purchasing behavior. They could even be randomly invoked, making it difficult for fraudsters to anticipate and circumvent the added security measure.
For more information about Fraud trends, check out our series of articles.
Mitek Fraud series: Biometrics and Fraud in the COVID era. What's changing? | Identity Verification through the customer journey | The Pandemic blindsided us; will surging digital fraud do the same? | How to fight fraud with data | What is a Deepfake and how does it impact fraud? | Financial services and online marketplaces face shifting fraud landscapes | What is synthetic identity fraud? | What is Account Takeover Fraud
About Sanjay Gupta
Sanjay Gupta serves as Vice President, Global Head of Products and Corporate Development at Mitek. He is responsible for global product strategy across the organization, working closely with engineering, design, marketing, customer support and customer success teams to drive product innovations and ensure solutions meet customer needs. Prior to joining Mitek, Sanjay was most recently Vice President of Corporate Development at Accelrys (Dassault Systems), among other senior level corporate and engineering positions with Lockheed Martin and Corvis Corporation. He holds a Bachelor of Science degree in electrical engineering from the University of Arizona and received his MBA from the Kellogg School of Management at Northwestern University.