To give a little background, financial institutions and e-commerce platforms in Europe must change how they authenticate users by the 1st January 2021 under the revised Payments Services Directive (PSD2). This change has been driven by a sharp rise in fraud and identity theft.
So as Europe gets ready to adopt strong customer authentication (SCA) solutions that are compliant with PSD2, we thought we’d cut through the noise to give you a clear breakdown of what strong authentication actually is.
To put it simply, strong authentication is achieved when solutions combine at least two mutually-independent authentication factors (keep reading to learn more about the three factors) to confirm a user’s identity and grant access to private accounts, systems and data.
Passwords are still clinging onto their place as the number one means of verifying a user’s identity online, but are they still sufficient to protect users from threats? With the volume of digital accounts each user has (and, as a result, the number of passwords they have to keep safe), alongside a steady increase in hacking attacks and data breaches caused by compromised credentials — it’s safe to say passwords have lost their intuitiveness and effectiveness when it comes to mitigating unauthorized access.
Solutions providing multi-factor authentication (MFA) combine at least two independent authentication challenges in order to provide a solution that is more resilient to threats and account takeovers.
Multi-factor authentication solutions integrate at least two of the below challenge factors:
The 3 authentication challenge factors — knowledge (verifying something the user knows), possession (verifying something the user has), inherence (verifying something the user is).
1. Knowledge challenges
Knowledge challenges verify that a user knows something that no one else does. Common examples are passwords and PINs. In reality, passwords and PINs are readily shared and compromised — making knowledge-based challenges one of the least reliable methods for verifying a user’s identity online.
2. Possession challenges
Possession challenges verify that the user has something in their possession that no one else does. In the context of consumer authentication, proving a user has possession of something is usually done by delivering one-time passwords via push notifications or SMS to a user’s trusted device or phone number. In the workforce, employees could be given swipe cards or USB tokens.
3. Inherence challenges
Inherence challenges verify that a user is something. Essentially this is verifying the unique characteristics and traits of an individual by way of biometric sensors.
Having two mutually independent factors enhances security by enabling an additional security layer. This means that even if one factor is compromised, private accounts, systems and data are all theoretically still protected, so long as the second factor hasn’t also been compromised.
A real-world example of multi-factor authentication is the use of a credit card (something the user has) together with a PIN code (something the user knows).
The European Central Bank takes security one step further and says that to enable strong authentication, at least one of the authentication factors must be non-reusable.
A common example of a non-reusable authentication challenge is a one-time authentication code sent to a user’s device, for example as a push notification or an SMS token.
One-time codes are by nature less likely to be compromised, which makes the challenge response more resilient to threats. However, with four out of five SIM swapping attacks being successful, one-time codes are not without risk.
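The definition above (two mutually independent factor categories, plus the ECB requirement that at least one challenge be non-reusable) can be written down as a policy check. The following is an added illustration, not Keyless code; the Challenge structure, factor names and the one-time code store are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows (password, PIN)
    POSSESSION = "possession"  # something the user has (trusted device, token)
    INHERENCE = "inherence"    # something the user is (biometric)


@dataclass(frozen=True)
class Challenge:
    """One successfully completed challenge (hypothetical structure for this example)."""
    factor: Factor
    reusable: bool                  # False for one-time codes, True for passwords, PINs, biometrics
    code: Optional[str] = None      # the one-time value, when the challenge is non-reusable


class OneTimeCodeStore:
    """Tracks issued one-time codes so that each is accepted exactly once."""

    def __init__(self, issued: Set[str]) -> None:
        self._unused = set(issued)

    def consume(self, code: str) -> bool:
        """Return True the first time a valid code is presented, False on any replay."""
        if code in self._unused:
            self._unused.discard(code)   # burn the code; a second use is rejected
            return True
        return False


def is_strong_authentication(challenges: List[Challenge], store: OneTimeCodeStore) -> bool:
    """Two distinct factor categories AND at least one non-reusable, unused challenge."""
    categories = {c.factor for c in challenges}
    if len(categories) < 2:           # password + PIN is still a single category
        return False
    one_time = [c for c in challenges if not c.reusable]
    if not one_time:                  # two categories but nothing single-use
        return False
    # Every one-time value must be fresh; a replayed code fails the whole attempt.
    return all(c.code is not None and store.consume(c.code) for c in one_time)


if __name__ == "__main__":
    # Constructed sample: a password plus a one-time code delivered to a trusted device.
    store = OneTimeCodeStore({"482913"})
    attempt = [Challenge(Factor.KNOWLEDGE, True), Challenge(Factor.POSSESSION, False, "482913")]
    print(is_strong_authentication(attempt, store))   # True; a replay of 482913 would be False
```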
Rather than verifying a user’s identity based on something they know or possess, inherence challenges authenticate users by validating something the user is.
The benefit of authenticating users via their biometrics is that biometrics are much harder for an attacker to steal or fake.
Multimodal biometrics are when a user is authenticated via both physical and behavioral traits unique to them, essentially a form of biometric two-factor authentication.
An example would be if a solution verified a user’s unique facial measurements (using facial recognition technology), alongside their unique keystroke dynamics (the way they interact with their device).
Because of their layered approach, multi-modal biometrics can give companies extremely high assurance that a user is who they claim to be online, without disrupting the user-journey or adding undue complexity.
At Keyless we combine inherence and possession factors to provide fast, secure, user-friendly authentication that is resilient to common threats including phishing, credential stuffing and SIM-swapping attacks.
We leverage multi-modal biometrics, combined with advanced liveness detection and anti-spoofing technology, to verify that a user is who they say they are, both at the point of authentication and continuously as the user accesses private systems and accounts. The intuitiveness offered by multimodal biometrics allows our clients to strengthen access control security without compromising productivity or user experience.
We use device-identity verification to ensure that each authentication request is launched from a user’s trusted device without needing to send a push-notification to the user’s device. The combination of inherence and possession factors allows for seamless, strong authentication that is resilient to a wide range of threats facing enterprises, while also being intuitive to the user, and minimally disruptive to workflow.
The deadline for financial institutions and e-commerce platforms in Europe to implement SCA is fast approaching.
When executed properly, strong authentication should not disrupt the user-experience or make authentication more challenging for the user. Instead, strong authentication should enhance employee and customer experiences while protecting your company from privacy and security threats.
Keyless passwordless solutions are PSD2 compliant and designed to seamlessly integrate with existing security and identity management infrastructure, so that you can quickly deploy biometric-enabled passwordless solutions to your remote workforce and users.
Keyless™ authentication can help deliver secure, seamless digital experiences for your end-users and for your increasingly remote workforce.
Schedule a tailored demo with one of our specialists to learn more about our biometric authentication and identity management solutions.
Alternatively, you can email us directly at email@example.com