What is multi-factor and risk-based authentication?

November 9, 2020

As more and more organizations undergo digital transformation, employees and customers all need continued access to critical systems and online data. Remote employees, online users, and external partners are just some examples. While this increased connectivity makes things a lot more convenient for customers, and increases productivity in your organization, it also creates new avenues for cyberattacks and security breaches.  

Businesses have a responsibility to protect their customers’ data just as much as their own employees and operations. To safeguard this and comply with safety regulations, it’s important to leverage the right technologies for cybersecurity. One of the most important ways to do this is to enhance your authentication systems from simple password-based authentication to multi-factor or risk-based authentication. 

Read on as we take a look at both types of authentication solutions, relevant technologies, and analyze which might provide the best benefits for your organization. 

What is multi-factor authentication? 

Multi-factor authentication is a method that requires a customer to provide more than one verification factor to gain access to an account, VPN or application. It typically consists of additional login requirements after asking for a username and password. The additional steps could include numeric codes, biometrics, or security questions. By involving multiple authentication layers, the systems remain secure even if one of the authentication factors is compromised.  

There are various types of authentication factors used in multi-factor authentication, including: 

  • Knowledge factors. These factors, also called knowledge-based authentication, typically include a password or an answer to a secret question. 
  • Possession factors. The customer must have something specific with them to log in with, typically a hardware device such as a security token or a mobile phone. 
  • Inherence factors. These are the factors used in biometric authentication (i.e., biological traits of the user). They include retina and iris scans, fingerprints, hand geometry, facial recognition, voice recognition, and more. 
  • Location factors. The user’s current location is used as an authentication factor. The location is typically detected using GPS.  
  • Time factors. The current time is sometimes considered as a factor for authentication. It’s often used in conjunction with the location. For example, if an ATM card is used in America, and then in Russia a half hour later, it’s flagged as suspicious because it’s physically impossible. 
  • Behavioral factors. This includes behavioral tendencies unique to the user such as typing speed, finger pressure on the keypad, voice intonation, etc. It is usually considered less intrusive and more secure than physical biometrics. 

Multi-factor authentication makes a system much more secure than single-factor password authentication, thus helping protect a customer's data better. But if you always require your customers to go through several layers of authentication before they are able to log in (also known in the industry as friction), it can significantly hinder the customer experience and lead to frustration or loss of customers. Risk-based adaptive authentication can offer a less cumbersome experience but act as an equally secure alternative. 

What is risk-based authentication? 

RBA (risk-based authentication), also referred to as adaptive authentication, is a process in which varying levels of strictness are applied to the authentication process. This is based on the probability that a given system might be compromised. RBA involves the calculation of a risk score for any access attempt in real time. Users are given authentication options appropriate to the score. So, as the risk level increases, the authentication process becomes stricter and more restrictive. 

Traditional authentication systems are static and do not vary. On the other hand, risk-based authentication is dynamic. It can be categorized as user-dependent or transaction-dependent. In user-dependent RBA, the same authentication is used for every session initiated by the respective user. Transaction-dependent RBA depends on the situation, and the authentication level depends on the risk potential of the transaction. For example, if a user accesses their account from another country, they might be asked to complete additional steps to log in to their system. 

Common criteria for risk assessment include the location and IP address of the user, login device, number of login attempts, and behavioral factors, such as how fast they’re typing and whether they’re acting out of the ordinary. Risk-based authentication, which includes behavioral biometrics as criteria for risk assessment, is the best way for organizations to protect customer data. It allows for maximum security with minimal interruption to the user experience. 
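A minimal sketch of the risk-score-then-step-up flow described above, including the location-plus-time ("impossible travel") check from the factor list. This is an added example, not code from the article or any vendor product; the weights, thresholds, speed ceiling, field names and sample logins are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 100.0   # assumed floor: ignore GPS/IP geolocation jitter

@dataclass
class Login:
    ts: float            # epoch seconds
    lat: float
    lon: float
    device_id: str
    failed_attempts: int = 0  # failures since the last successful login

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(prev, cur):
    km = km_between(prev, cur)
    hours = max(abs(cur.ts - prev.ts) / 3600.0, 1e-6)  # guard against zero gap
    return km > MIN_KM and km / hours > MAX_KMH

def risk_score(prev, cur, known_devices):
    """Return (score 0-100, reasons). prev is None for a first login."""
    signals = {
        "impossible_travel": (60, prev is not None and impossible_travel(prev, cur)),
        "new_device": (25, cur.device_id not in known_devices),
        "repeated_failures": (20, cur.failed_attempts >= 3),
    }
    reasons = [name for name, (_, hit) in signals.items() if hit]
    return min(sum(signals[r][0] for r in reasons), 100), reasons

def decide(score):
    """Map the score to an authentication requirement (assumed thresholds)."""
    if score >= 70:
        return "deny"
    if score >= 25:
        return "step_up"   # ask for an additional factor
    return "allow"         # password alone is enough

# Constructed sample logins: New York, then Moscow half an hour later.
NY = Login(0, 40.71, -74.01, "laptop-1")
MOSCOW = Login(1800, 55.76, 37.62, "laptop-1")
```

Low-risk logins pass with the password alone, so the extra factor is only requested when a signal fires; the returned reasons list is what an analyst would want logged alongside the decision.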

Benefits of risk-based multi-factor authentication 

Risk-based authentication has several benefits. These include: 

  • Better user experience with heightened security
  • More robust defense against fraud
  • Regulatory compliance

Better user experience with heightened security. Fraud is increasing, so there is a growing need for stronger security and authentication systems. But customers expect a seamless experience and their patience for complicated security measures is low. If too many authentication layers are added, users will be deterred by the extra steps. 

Security systems have to be strong while still providing ease. Ultimately, a frictionless user experience will drive growth through improved customer loyalty and retention. Risk-based authentication is a great solution because it can provide additional security while also offering a seamless flow of interactions. Using machine learning and customized rules, only suspicious transactions would need to undergo additional layers of authentication, thereby providing the least intrusive experience for users.

More robust defense against fraud. Modern fraud methods are getting increasingly sophisticated. So much so that a password, however strong it might be, is not enough to prevent fraudsters. Static passwords are easily hacked and are a key cause of cybersecurity breaches. But multiple layers of authentication only cause frustration for users. 

Using risk-based authentication provides a flexible, layered approach. Good RBA systems examine inputs across channels and make real-time decisions about the level of authentication that’s the most appropriate for each transaction. These systems use machine learning to develop an overall contextual view that includes behavioral, transactional, and device-specific data to decide on the risk level.

Regulatory compliance. As fraud methods change and become more sophisticated, banking regulations are also in constant flux, becoming ever more complicated and extensive. They help organizations stay ahead of hackers, but at the same time they are often difficult to keep up with. To comply with all the regulations as they evolve and become more comprehensive, an organization needs to be flexible and adaptable, constantly implementing new security techniques. 

If you have a risk-based authentication system that uses machine learning to better detect and combat fraud, combined with customized rule sets designed to quickly address compliance requirements, it will save a significant amount of time in testing and deployment. 

So, while multi-factor authentication provides a great deal of security, it doesn’t offer such a great user interface and leads to frustrated customers as they attempt to get through all those layers. A great solution to this issue is risk-based authentication, which ensures greater security and a seamless experience for customers. 

Multi-factor authentication technology that's easy to use for companies and customers - Near-field communication

Near-field communication technology, otherwise known as NFC, is rapidly becoming an industry standard for its convenience with consumers and ability to bust fraud better. In more common examples, NFC powers consumers' interactions with point-of-sale systems that accept Apple Pay or Samsung Pay, making everyday transactions quick and secure. But in recent months, enterprising companies have begun to use NFC technology in linked and layered fraud solutions to find out someone "is who they say they are" within seconds. 

The benefits of NFC?

  • False positives and negatives don’t apply for NFC, as the technology depends on and works with a data certificate that's embedded in a device or document.  
  • NFC data extraction is 100% accurate, which adds to increases in conversions. Regardless of the support of certificates for a country, there is a clear authentication response as the logic is based on standards and data, meaning there's no gray area in a prospective user's authentication results.  
  • A contactless and quick UX means more happy customers. With a simple tap, NFC connects consumers and companies' information together for quick and contactless interactions. And with many consumers in a recent PYMNTS survey saying they want "contactless experiences with their banks," NFC is positioned to give customers what they want while being a secure, multi-factor authentication method for counter-parties.

In summary, a modern approach to creating a robust, risk-based multi-factor authentication workflow would be to include NFC technology. Overall, NFC is a unique solution as it's lower friction for customers, for people who want, think and act mobile first. By introducing NFC within an intelligently orchestrated workflow, there are more fraud prevention and multi-factor authentication steps that don't come as friction to a customer.
