Authentication can sometimes feel like a balancing act. On one hand, securing your digital experience is a top priority. Preserving your customers’ trust in your services is often key to maintaining a long-term relationship with your brand. On the other hand, in the age of digital transformation, customers also want a simple, easy-to-navigate digital experience.

Too often, security and user experience are at odds with one another. Extra security can mean extra roadblocks on the customer’s digital journey. It’s hard enough to remember all your usernames and passwords. Factor in two-factor authentication (2FA), SMS text messages and more, and you’re very likely to have frustrated users.

Risk-Based Authentication Today

One strategy that can help address these problems is risk-based authentication (RBA). This method involves creating various levels of authentication based on a risk score and built from the risk factors found for each user or activity. In these scenarios, organizations look for users that show anomalous behavior. Perhaps they are using a different device than normal, or accessing their accounts from a different location. In these cases, they will “step up” authentication requirements, only forcing their most risky users to go through the additional step of multifactor authentication (MFA). Then, the remaining low-risk users only need to complete basic authentication steps.

Risk-based authentication is considered an improvement over the alternatives, forcing all users to complete multifactor authentication or having no users complete it. For many organizations, high-risk users make up less than 1 percent of their user population, so there can potentially be considerable savings on operational costs around MFA.

However, RBA strategies still present challenges. Sophisticated attackers may be able to appear as lower-risk users, perhaps using an emulator to mimic a true device. In addition, the vast majority of your low-risk users are still being asked to deal with usernames and passwords — which, at best, can be frustrating to the user experience.

From Measuring Risk to Measuring Trust

What, then, is the alternative? Business leaders must expand their view beyond just fraud and risk detection. A more robust and modern way to address the challenges of security and user experience could be to bring identity to the table, moving from risk scoring to trust scoring. By analyzing both risk indicators and positive identity indicators (behavioral biometrics, user routines, etc.), organizations can understand the context of a user, their behavior, and where they sit on a spectrum of digital identity trust and risk.

The Future of Authentication Can Be Seamless and Adaptive

Trust scoring can allow organizations to build customized, granular options for the full spectrum of user behaviors. The highest-risk users could still be blocked, but those who are only medium-risk could be allowed in with restrictions on what information they are able to access or what size transactions they are able to complete. Low-risk users — those with a minor anomaly, such as a new device — might be asked to authenticate. Highly trusted users — those who are using a known device with behavioral biometric matches — could even be served a frictionless, passwordless authentication experience.

Security, Meet User Experience

So, can authentication hurt the user experience? In many cases, it can — but it doesn’t have to. When done well, with a strategy based on trust that combines fraud and identity indicators, authentication can be a seamless and adaptive experience.

More from Fraud Protection

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

What to do about the rise of financial fraud

6 min read - As our lives become increasingly digital, threat actors gain even more avenues of attack. With the average person spending about 400 minutes online, many scammers enjoy a heyday. Old impersonation scams continue to deceive people every day, as con artists and hackers are armed with advanced technologies and sophisticated social engineering tactics. According to the Federal Trade Commission, financial fraud increased by over 30% from 2021 to 2022, with total losses surpassing $8.8 billion. This ever-evolving threat will continue to…