Risk-Based Authentication Can Improve Customer Experience, Cement Loyalty

Fraud is always evolving, and financial institutions girding themselves against attacks often find themselves in the unenviable position of being, at most, one or two steps ahead of the bad actors trying to perpetrate it.

Increasingly, authentication is a critical weapon in the fight, but finding the right balance between security and convenience has kept many a seasoned cybersecurity or IT leader up at night. There is an ever-present, ever-evolving question: How can we ensure every transaction is legitimate, without frustrating customers who just want a quick, convenient shopping or banking experience?


Andries Maritz, product manager at Entersekt, told PYMNTS in a recent podcast that the sticking point is usually that all the usual authentication methods require the user’s involvement.

“You would need to provide a thumbprint, or type in a PIN or engage in some way with a device,” Maritz said.

It is much better, he said, to deploy risk-based authentication that works in the background. While users are engaging with their devices, the authentication system works to detect a user’s “behavioral signals” — the angle at which the phone might be held, how hard a consumer is pressing the screen and the speed at which they are typing.

Hundreds of billions of these attributes have been collected and are analyzed annually, Maritz continued, creating an abstract model of how a person behaves and forming an idea of what a “typical” transaction looks like.

In a bid to establish a “normal profile” of the user, that data is put in context and monitored to see if any behaviors are raising red flags and deviating from the norm, Maritz added.

“While you can provide your username and password with traditional online banking platforms, now you can see with what confidence the username and password is ‘consistent’ with the user’s normal behavior,” he said.

Such insight helps authentication platforms, such as Entersekt, guard against bot and other automated attacks, giving each customer an immediately identifiable behavioral signature without relying on sensitive, personal data.

“Risk-based authentication helps us to address fraud attacks at a scale in real time, which is very difficult to do without this kind of profiling,” he said.

Keeping the Journey Intact

Importantly, he added, risk-based authentication doesn’t interrupt the customer journey. With the establishment of consumers’ typical behavior, commerce becomes more streamlined.

For example, with an eCommerce transaction, banks can choose to just allow the payment to be approved without the user having to do anything at all, given that there is high confidence that the transaction is legitimate.

“At the transactional level, the institution has a bit more flexibility with respect to how much they want to influence the user journey with active interventions,” Maritz said.
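The background check described above, sketched as an added example (not Entersekt's implementation and not code from the article): a per-user baseline of the three behavioral signals named earlier, scored by the largest z-score and mapped to an action. The signal names, thresholds, decision labels and sample sessions are constructed assumptions.

```python
from statistics import mean, stdev

SIGNALS = ("tilt_deg", "touch_pressure", "keys_per_sec")  # assumed feature names
MIN_SESSIONS = 5  # assumed: below this there is no usable baseline

# Constructed sample history for one user (not real data).
HISTORY = [
    {"tilt_deg": 32, "touch_pressure": 0.42, "keys_per_sec": 4.1},
    {"tilt_deg": 35, "touch_pressure": 0.45, "keys_per_sec": 4.4},
    {"tilt_deg": 30, "touch_pressure": 0.40, "keys_per_sec": 3.9},
    {"tilt_deg": 33, "touch_pressure": 0.44, "keys_per_sec": 4.2},
    {"tilt_deg": 34, "touch_pressure": 0.43, "keys_per_sec": 4.3},
    {"tilt_deg": 31, "touch_pressure": 0.41, "keys_per_sec": 4.0},
]

def build_profile(sessions):
    """Return {signal: (mean, spread)} or None when history is too thin."""
    if len(sessions) < MIN_SESSIONS:
        return None
    profile = {}
    for name in SIGNALS:
        values = [s[name] for s in sessions]
        mu = mean(values)
        # Floor the spread so a very consistent user is not flagged for noise.
        profile[name] = (mu, max(stdev(values), 0.05 * abs(mu), 1e-6))
    return profile

def deviation(profile, session):
    """Largest absolute z-score across signals, or None if one is missing."""
    worst = 0.0
    for name, (mu, sigma) in profile.items():
        if name not in session:
            return None
        worst = max(worst, abs(session[name] - mu) / sigma)
    return worst

def decide(profile, session, allow_below=2.0, deny_above=6.0):
    """Map deviation to an action; thresholds are illustrative assumptions."""
    if profile is None:
        return "step_up"  # no baseline yet: ask for active authentication
    score = deviation(profile, session)
    if score is None:
        return "step_up"  # missing signal: fail closed, do not silently allow
    if score < allow_below:
        return "allow"    # consistent with the profile: no user interaction
    return "step_up" if score < deny_above else "deny"
```

A session with no baseline or with a missing signal is sent to active authentication rather than approved silently, so the frictionless path is only taken when the profile actually supports it.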

Along the way, he said, institutions can build a “trust relationship” with their users, which in turn cements customer loyalty. Doing this enough times with enough banks sharing data over the same platform can create even more safeguards against attack.

“It’s like being immunized by proxy,” he said.

Toward a Friction-Free Future

Granted, financial institutions looking to deploy risk-based authentication still have to clear regulatory hurdles. For example, Maritz said that in Europe, if firms conform to certain minimum criteria for risk profiling, they are allowed to exempt a transaction from further authentication.

Maritz added that the continued emergence and popularity of eCommerce transactions will also improve risk-based authentication.

As Maritz told PYMNTS, “The additional scale of transactions that’s coming through will create a richer landscape of data for these types of training models to respond to fraud vectors.”