As more businesses in Europe move to adopt multi-factor solutions that comply with Strong Customer Authentication (SCA), we thought we’d explain what strong authentication actually is.
To give a little background, financial institutions and e-commerce platforms in Europe must change how they authenticate users by the 1st January 2021 under the revised Payments Services Directive (PSD2). This change has been driven by a sharp rise in fraud and identity theft.
Simply put, strong authentication is achieved when a solution combines at least two mutually independent authentication factors to confirm a user’s identity before granting access to private accounts, systems, and data.
Passwords are still clinging onto their place as the number one means of verifying a user’s identity online, but are they still sufficient in protecting users from threats?
With the volume of digital accounts each user has, the number of passwords they have to keep safe, and the steady increase in hacking attacks and data breaches, it’s safe to say passwords have lost their intuitiveness and effectiveness.
Solutions providing multi-factor authentication (MFA) combine at least two independent authentication challenges in order to provide a solution that is more resilient to threats and account takeovers.
Multi-factor authentication solutions integrate at least two of the below challenge factors:
The 3 authentication challenge factors — knowledge (verifying something the user knows), possession (verifying something the user has), and inherence (verifying something the user is).
Knowledge challenges verify that a user knows something that no one else does. Common examples are passwords and PINs. In reality, passwords and PINs are readily shared and compromised — making knowledge-based challenges one of the least reliable methods for verifying a user’s identity online.
Possession challenges verify that the user has something in their possession that no one else does. In the context of consumer authentication, proving a user has possession of something is usually done by delivering one-time passwords via push notifications or SMS to a user’s trusted device or phone number. In the workforce, employees could be given swipe cards or USB tokens.
Inherence challenges verify something the user is. Essentially this means verifying the unique physical or behavioural characteristics and traits of an individual by way of biometric sensors.
Having two mutually independent factors enhances security by enabling an additional security layer. This means that even if one factor is compromised, private accounts, systems and data are all theoretically still protected, so long as the second factor hasn’t also been compromised.
A real-world example of multi-factor authentication is the usage of a credit card (something the user has) with a PIN code (something the user knows).
The European Central Bank takes security one step further and says that to enable strong customer authentication, at least one of the authentication factors must be non-reusable.
A common example of a non-reusable authentication challenge is a one-time authentication code sent to a user’s device, for example, a push notification or SMS token.
One-time codes are by nature less likely to be compromised, making the challenge response more resilient to threats. However, with four out of five SIM-swapping attacks being successful, one-time codes are not without risk.
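The two rules described above, that the factors must come from different categories and that at least one must be non-reusable, are easy to state but are enforced server-side, which the text does not show. The following is an added example written for this page, not Keyless product code or any PSD2 reference implementation. It assumes a hypothetical login flow in which a salted password hash is the knowledge factor and a six-digit code bound to a (user, device) pair is the possession factor; the code is consumed on first successful use, expires after a configurable time, and is discarded after a small number of wrong guesses. The clock is injectable so the expiry path can be exercised without waiting.

```python
"""Added example: enforcing SCA's 'two independent factors, one non-reusable'
rule. Hypothetical code, not a product implementation."""
import hashlib
import hmac
import secrets
import time
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows
    POSSESSION = "possession"  # something the user has
    INHERENCE = "inherence"    # something the user is


def is_strong_combination(factors):
    """Factors are mutually independent only when they come from different
    categories: password + PIN is two challenges but a single factor."""
    return len(set(factors)) >= 2


class OneTimeCodeStore:
    """Issues single-use codes bound to (user, device) with an expiry and a
    small attempt budget, so a captured or replayed code is rejected."""

    def __init__(self, ttl_seconds=300, max_attempts=3, now=time.time):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._now = now  # injectable clock, used by the tests
        # (user, device) -> [code, expires_at, attempts_left]
        self._pending = {}

    def issue(self, user, device):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user, device)] = [
            code, self._now() + self._ttl, self._max_attempts]
        return code  # a real system delivers this via push or SMS

    def verify(self, user, device, submitted):
        key = (user, device)
        entry = self._pending.get(key)
        if entry is None:
            return False  # never issued, or already used / expired
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[key]
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[key]  # guess budget exhausted
            return False
        del self._pending[key]  # success consumes the code: non-reusable
        return True


class PasswordStore:
    """Knowledge factor: salted PBKDF2 hashes, constant-time comparison."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._records[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        record = self._records.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(expected, self._derive(password, salt))


def sca_login(passwords, codes, user, device, password, code):
    """Grant access only when a knowledge and a possession challenge both
    pass; the one-time code supplies the non-reusable element."""
    passed = []
    if passwords.verify(user, password):
        passed.append(Factor.KNOWLEDGE)
    if codes.verify(user, device, code):
        passed.append(Factor.POSSESSION)
    return is_strong_combination(passed)
```

Note that `sca_login` always evaluates both challenges rather than short-circuiting on a bad password, so a failed login does not reveal which factor was wrong; the cost is that a wrong password still spends one of the code's guess attempts, which is the intended trade-off here.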
Rather than verifying a user’s identity based on something they know or possess, inherence challenges authenticate users by validating something the user is.
The use of biometrics for Strong Customer Authentication can offer several benefits to the user. Some of these benefits include:
Using biometrics for strong customer authentication offers a higher level of security compared to traditional authentication methods like passwords or PINs.
Biometric data is unique to each individual, making it more difficult for fraudsters to impersonate a legitimate user.
Biometric authentication is faster and more convenient than other authentication methods, such as entering a password.
Users can simply use their fingerprint, face or voice to log in, making the process quick and easy.
When biometrics are used for strong customer authentication, it provides a better user experience as it eliminates the need to remember and enter a password. This makes the login process smoother and more efficient.
This is especially true when solutions take a multi-modal approach to biometrics.
Multimodal biometrics are when a user is authenticated via both physical and behavioural traits unique to them, essentially a form of biometric two-factor authentication.
For example, at Keyless, we leverage multi-modal biometrics, combined with advanced liveness detection and anti-spoofing technology, to verify that a user is who they say they are. This occurs both at the point of authentication and continuously as the user accesses private systems and accounts.
The intuitiveness offered by multimodal biometrics allows our clients to strengthen access control security without compromising productivity or user experience.
We also utilise device-identity verification to ensure that each authentication request is launched from a user’s trusted device, without needing to send a push notification to that device.
Because of this layered approach, multi-modal biometrics can give companies extremely high assurance that a user is who they claim to be online, without disrupting the user-journey or adding undue complexity.
The deadline for financial institutions and e-commerce platforms in Europe to implement strong customer authentication is fast approaching.
When executed properly, strong customer authentication should not disrupt the user experience or make authentication more challenging for the user. Instead, strong authentication should enhance employee and customer experiences while protecting your company from privacy and security threats.
Keyless passwordless solutions are PSD2 compliant and designed to seamlessly integrate with existing security and identity management infrastructure so that you can quickly deploy biometric-enabled passwordless solutions to your remote workforce and users.
Keyless™ authentication can help deliver secure, seamless digital experiences for your end-users and for your increasingly remote workforce.
Schedule a tailored demo with one of our specialists to learn more about our biometric authentication and identity management solutions.