It’s hard to imagine life without the smartphone. Mobile devices are now being used to complete the shopping process online and in stores – and 94 percent of us actually sleep next to them. For merchants, it’s that personal connection to the consumer that provides a critical sales channel, and an entirely new way to look at how we authenticate consumers as part of the commerce experience. In a recent webinar, Doc Vaidhyanathan, VP Product Management, Digital Payments at CA Technologies caught up with MPD CEO Karen Webster to get into the specifics on this authentication revolution in an expanding world of mobile commerce.
MOBILE: THE NEW WAY TO AUTHENTICATE THE CONSUMER
The mobile revolution at first began without making a serious splash – gently, with the introduction of the Blackberry and later the iPhone, and consumers began to see the benefits of these technologies. This revolution has since prompted CA Technologies to completely rethink the payments authentication process.
So how does mobility build into authentication? Right now, we think of authentication traditionally as a way of identifying who you are, and its companion is something called “authorization” – figuring out, after your identity is determined, what you’re allowed to do.
According to CA Technologies, there are three main parts to traditional authentication – 1) something that you know, like a password; 2) something that you have in your hand, like a token of some sort that generates a code; and 3) something that you are, like a fingerprint or eye scan.
“The mobile device brings together something that you have, the device, and something that you are, like a fingerprint, and even in some cases something you know, a password,” said Vaidhyanathan. “At one level, the mobile device is beginning to blur the difference between all three.”
So is our mobile device really separate from us, given our close relationship with (and in some cases, reliance on) it?
But what other attributes of the mobile device make it attractive, asked Webster, besides the fact that we’re addicted to them?
What’s so unique about the mobile device, said Vaidhyanathan, is something everyone has. It’s caught the world’s attention in terms of the speed of its global adoption. This device is also their own – it’s not something that’s shared. All of a sudden, their phones can identify them. And most people have just one.
The fact that these mobile devices are not shared creates a huge opportunity in the world of authentication.
“Now there’s one-to-one correspondence between every person and a phone. That’s an amazing thing,” said Vaidhyanathan.
The three ways we can use mobile devices to authenticate include:
1) Authenticating oneself with something else using a mobile device.
2) Authenticating to the device – getting access to the device using a fingerprint or something else.
3) Authenticating through the device – if the person’s bank or enterprise wants to do a voice or facial recognition, for example, the mobile device can be an instrument.
“The fact that there are these three varieties of authentication allows you to mix and match, and create the right level of authentication that you want,” said Vaidhyanathan. The other dimension that you have, he added, surround the types of authentication schemes.
Consumers use several devices during the course of their life, each of which is in some sense giving them access to something. For example, a boarding pass is a method of authentication getting a traveler access to the gates at an airport. Things like boarding passes and hotel room keys are meant to grant people access for one or a few days. Work badges or debit/credit cards, however, are valid for years, and driver’s license numbers are valid for a lifetime, as well as thumbprints.
“The beauty of the mobile device is that one device is able to support all of these things, whether it’s something that will change frequently or last a long time,” said Vaidhyanathan.
THE BUILDING BLOCKS
There are three building blocks to create a credential for mobile authentication:
1) Provisioning and lifecycle management
2) Usage on demand
3) Validation, reconciliation and fallback
“What is interesting about the mobile device is that all of these components can sit in the device itself. It’s not only a credential, but it also includes all three components – that’s a phenomenal situation to be in,” said Vaidhyanathan.
WHY USE MOBILE DEVICES FOR AUTHENTICATION?
The advantages of using mobile devices for authentication include being able to manage the entire provisioning process using the device. The second benefit is something called “multi-mode usability.” A typical credential has only one mode in which it’s used – it’s something that’s scanned, swiped or visual. With a phone, the same thing can be rendered in multiple ways – whether it’s visual, interactive or automatic. Lastly, with a mobile device, there is the ability to retain usage history, which makes a user audit possible.
- Provisioning integration through apps. The same device used through entire lifecycle.
- Multi-mode usability: visual, interactive and automatic.
- Retention of usage history: user audit is possible.
“Traditionally, authentication has been thought of as a way to grant the legitimate users access and keeping away the fraudsters. What mobile and increased mobile usage does is change the paradigm,” explained Vaidhyanathan. "Users ask, if they are prepared to share more information about themselves, can they get access to more things? Can they get faster access?”
By 2018, there will be over 1.7 billion consumers with smartphones, according to a Statista report. User location will become available for authentication. That will make it such that using a fingerprint or biometric technology via mobile device is the standard for security and authentication – it will become “human-factor friendly.”
“What the mobile device will let people do is to continue using their devices when they go to work, to the bank, to the airport, and other places, and the phone will figure out how to authenticate everything it needs to,” said Vaidhyanathan. “It will become easier from a perspective of authenticating.”
Webster then asked, would consumers see having a phone be that tied to authentication and security as risky?
There will be a certain set of people who want to be off the grid, untied from their devices. Mobile authentication and security isn’t for everything – enterprises will accept that some people won’t want it, said Vaidhyanathan. But newer generations – millennials and those coming after them – are born with mobile devices integrated into their lives. They will get more comfortable with this idea of mobile authentication, especially in return for getting certain access and privileges and ease of operation.
According to Vaidhyanathan, new enterprise applications for mobile include:
- Replacing “plastic” badges to open doors, i.e. at hotels
- Proximity authentication via mobile – access to laptops
- Providing “tap and pay” to customers – NFC payments
- Biometrics – facial recognition or wearables to allow access
MOBILE WALLET: THE PROMISED WORLD?
The evolution of the mobile wallet has gone from the process of swiping a “mag-stripe” card through a reader, to inserting a chip card and entering a PIN, to tapping a mobile device like an iPhone 6 at an NFC reader. Largely due to Apple Pay, NFC is becoming the standard for mobile payments.
But in order to use mobile as a payment card, said Vaidhyanathan, the following sub-systems must be in place:
- Provisioning: Personalizing and setting individual card details, verifying user and device
- Making payments: Rapid and easy “tap to pay” experience
- Back-end infrastructure: Authorizing new payment method/messages
To effectively carry out these processes, enterprises can deploy strong authentication solutions like the CA Mobile OTP for Payments.
CA Mobile OTP for Payments
1) Reduce fraud losses
2) Simplify authentication
3) Dynamic OTP technology
4) Utilize across multiple channels
5) SaaS capability
To find out more on how mobile devices are transforming the paradigm of authentication, and to better understand CA Technologies’ alternate choices for strong authentication, view the full-recorded webinar below.