The Future of Authentication

By Jonathan Vaux, Executive Director of Innovation Partnerships • Visa

December 13, 2017

We live in an age where biometric authentication capabilities have become integrated into the very basic functionality of the products and services that we use every day. Everyday use cases range from airport security using iris scanning to cars using voice recognition and, of course, two of the most popular new phones on the market use facial recognition to unlock the device.

At a time when technology is advancing at such a rapid rate, online and digital merchants are also focused on removing transactional friction to improve the customer experience. As consumers increasingly engage in digital commerce, it is important that regulation facilitates enhanced payment security and a more streamlined retail experience.

Digital checkout has become an increasingly invisible feature for many consumers with merchants investing time and resources in creating a rich customer experience that reduces cart abandonment. This is why SCA (Strong Customer Authentication) has been one of the key areas of concern for Visa in developing responses to PSD2.

It will be a great shame if many of the fantastic innovations that merchants have embraced to optimise the customer experience are abandoned because they are forced to revert to less customer-centric methods.

One of the key drivers of this threat appears to be a lack of common industry understanding of the underlying principles that have driven the advances in authentication. Traditional authentication has been binary – does your card number match your PIN, or your email match your password, for example. This has been commonly referred to as the 2-factor match of something you have to something you know. The stumbling block arose when someone added biometrics as “something you are” – this fundamentally misrepresents how biometrics work. Biometrics are not binary – they are a scoring system that helps provide a determination and links to other data points (most probably your mobile device). Biometrics are undoubtedly part of an optimal approach to authentication but need to be part of a rounded approach that uses multiple technologies throughout the customer journey.

The key advances have been driven by innovators using data about the customer to build a historic profile and a set of digital “breadcrumbs” that together form patterns from which a likelihood that you are who you purport to be can be derived. The data will preferably come from a wide and historic set of points. By matching the features of a transaction to those data sets at the time of the purchase, it is straightforward to assess the likelihood that the person is who they say they are. These algorithms will become increasingly sophisticated and accurate as smart data scientists continually develop and incorporate new data sets, so that the analysis becomes not only reactive but predictive. It is also important to better understand the role of registration – certain “anchor” data attributes such as my name, date of birth or passport number will require much more stringent set-up procedures than the registration of my biometric on my phone.

This also demonstrates how authentication has moved from being a static, single transaction (with each transaction treated as if it were your first) to a system which is constantly evolving and able to be contextual in its response depending on the nature of the transaction. If I’m buying coffee at the same coffee shop every morning, surely the authentication process can be less invasive than for my first high-value purchase at an unknown merchant? As we see increasing usage of services such as Amazon Dash, more transaction types will become commoditised and will probably require such contextualisation in approach.
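To make the contrast between a binary match and the risk-based, contextual scoring described above concrete, here is an added Python example (it is not Visa's code and is not from the original post). The Transaction and CustomerProfile structures, the signal weights, the decision thresholds and the sample purchase history are all constructed assumptions chosen for illustration; a production engine would learn its weights from data and draw on far more signals.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional, Set

# Illustrative risk-based authentication decision. Every signal contributes a
# graded amount to a risk score instead of returning a pass/fail verdict, and
# the final decision depends on the context of the transaction.
# All weights and thresholds below are constructed assumptions.


@dataclass
class Transaction:
    merchant: str
    amount: float
    device_id: str
    # Biometric match confidence in [0.0, 1.0]; None if no biometric was presented.
    biometric_score: Optional[float] = None


@dataclass
class CustomerProfile:
    """Historic 'breadcrumbs' for one cardholder: enrolled devices and past transactions."""
    enrolled_devices: Set[str]
    history: List[Transaction] = field(default_factory=list)

    def merchant_count(self, merchant: str) -> int:
        return sum(1 for t in self.history if t.merchant == merchant)

    def typical_amount(self) -> float:
        return mean(t.amount for t in self.history) if self.history else 0.0


def risk_score(txn: Transaction, profile: CustomerProfile) -> float:
    """Return a risk score in [0, 1]; lower means more confidence that the
    cardholder is who they purport to be."""
    score = 0.0
    # 'Something you have': an enrolled device is a strong positive signal.
    if txn.device_id not in profile.enrolled_devices:
        score += 0.35
    # Merchant familiarity: repeat merchants lower risk, unknown ones raise it.
    seen = profile.merchant_count(txn.merchant)
    if seen == 0:
        score += 0.25
    elif seen < 3:
        score += 0.10
    # Amount relative to this customer's typical spend.
    typical = profile.typical_amount()
    if typical and txn.amount > 5 * typical:
        score += 0.25
    elif typical and txn.amount > 2 * typical:
        score += 0.10
    # 'Something you are': a graded confidence, not a yes/no match.
    if txn.biometric_score is None:
        score += 0.15
    else:
        score += 0.15 * (1.0 - txn.biometric_score)
    return min(score, 1.0)


def decide(txn: Transaction, profile: CustomerProfile,
           frictionless_below: float = 0.20, decline_above: float = 0.70) -> str:
    """Map the score to a contextual outcome: frictionless, step_up or decline."""
    s = risk_score(txn, profile)
    if s < frictionless_below:
        return "frictionless"
    if s > decline_above:
        return "decline"
    return "step_up"


def sample_profile() -> CustomerProfile:
    """Constructed history: ten morning coffees at the same cafe from one enrolled phone."""
    coffees = [Transaction("Corner Cafe", 3.0, "phone-A", 0.9) for _ in range(10)]
    return CustomerProfile(enrolled_devices={"phone-A"}, history=coffees)


if __name__ == "__main__":
    profile = sample_profile()
    daily_coffee = Transaction("Corner Cafe", 3.0, "phone-A", biometric_score=0.95)
    first_big_buy = Transaction("Unknown Electronics", 600.0, "phone-A", biometric_score=0.95)
    big_buy_new_device = Transaction("Unknown Electronics", 600.0, "tablet-Z")
    for t in (daily_coffee, first_big_buy, big_buy_new_device):
        print(f"{t.merchant:20s} {t.amount:7.2f} {t.device_id:9s} -> {decide(t, profile)}")
```

The same biometric confidence (0.95) leads to a frictionless coffee purchase but a step-up challenge for the first high-value purchase at an unknown merchant, and the unfamiliar device without a biometric is declined outright; the decision comes from the whole context, not from any one factor matching or failing.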

One of the key technologies many commentators are proposing to solve these challenges is Digital ID. While I understand this approach, I worry that, like wallets or tokens, players will treat Digital ID as though it is a physical “thing” and will attempt to win a battle for supremacy in being the primary provider of the service. Digital ID also risks reinforcing binary procedures that drive incremental steps in search of a yes/no decision. People today have multiple Digital IDs – their various apps, their Amazon, PayPal or OS account, etc. The answer is unlikely to be a single primary Digital ID, but instead the ability to leverage the data and attributes of those digital personas to allow the consumer to passport the necessary data where needed – for example, provisioning payment credentials into the multiple apps that may sit on my phone or OS.

As the Internet of Things evolves into more widespread usage and more and more everyday items become connected, the challenges of traditional 2- or 3-factor binary authentication approaches (and the completion of that process on a transactional basis) will become increasingly limiting. Using customers’ data attributes to enhance the provisioning of payment credentials and then linking them to the customer’s personal commerce ecosystem (their devices, their financial and commerce relationships) will be the most logical method of authentication. This is the natural extension of the great strides many of the key players in the digital commerce space have made in using data learning to constantly improve their understanding of their customers’ spending behaviours and using that data to balance security and a strong customer experience.

The key determinant of success for this approach will be the ability to enable wider access to the data, which currently sits in diverse and separate “silos” within each customer’s various commerce relationships. Regulation that promotes the move to Open Banking will drive this change but also needs to be considered in the context of other relevant regulation such as the General Data Protection Regulation. The success of many fintech players who use data aggregator services as the base for their offerings provides ample evidence that many customers will willingly give that permission when they deem the service sufficiently valuable.

It’s therefore critical that our industry quickly takes a holistic view of the underlying principles of a successful approach to authentication – data and intelligence-driven, risk-based not binary, contextual and constantly connected to the multiple digital personas we all possess.
