The dictionary definition of trust, according to Merriam-Webster, is the “assured reliance on the … truth of someone or something.” In today’s digital world, trust can be a tricky concept. To do business online, whether you are a bank, retailer, insurer, airline or anything else, you must have some degree of trust in your user — trust that they are who they say they are and not a fraudster or malicious bot attempting to steal money or data. But building trust in an online or mobile user can be more difficult and nuanced than it appears. It requires both identification and authentication.

The Truth About Identity

We can think of the “truth of someone” as their identity. The first step toward understanding a digital user’s identity is known simply as identification. This is just the ability to uniquely identify a user. It is the process by which a user makes a claim about who they are. A user could identify themselves with their full name or an account number, or an identity claim could be as simple as a username. In many cases, such as when opening a new account, this identity must be provisioned or proved initially.

Identification Is Not Authentication

Identification alone, though, is not enough to establish trust in any given digital interaction. Just because you tell me your name is Sam doesn’t mean I should believe you. Certainly, I shouldn’t give you access to Sam’s life savings based solely on that interaction. Trust is an assured reliance on that claimed identity. Assured reliance comes in the form of authentication. Authentication is commonly defined as the ability to prove that a user is genuinely who they claim to be.

There are many ways to authenticate a user. The most commonly used form is likely the password. We often consider a password as “something you know.” That is, a piece of information that only the true owner of an identity would be aware of. Unfortunately, in today’s world, that’s rarely the case.

When a user opens a new online account, they are likely to reuse a password they already have. It makes sense why: At a moment’s notice, a user might need to recall the password for any of around 90 accounts. This can lead to password fatigue, and customers may devise workarounds and ad hoc solutions to help keep things simple. But this can also sacrifice security.

Authentication Strategies for Today

This is where other types of authentication come into play. Strategies such as multifactor authentication (MFA), passwordless authentication and adaptive authentication add layers of analysis to the authentication process, making it significantly more difficult to circumvent. Multifactor authentication requires additional factors that support the user’s identity claim. In addition to something they know, such as a password, the user also needs to prove something they have, such as a device, and something they are, such as a biometric.

Passwordless authentication, on the other hand, leaves out “something you know” entirely. Instead, it uses contextual data against a digital trust framework to help you make decisions about how much to trust the user. This contextual data can be information about the user, the device, the user’s activity, behavior and network environment. The more layers of information that can be added to this analysis, the digital trust can be established, without the frustration of password based authentication.

Fraud Detection: The Flip Side of Authentication

Passwordless authentication brings into play the flip side of authentication: fraud detection. In addition to assessing an identity to prove that a user is who they say they are, organizations should also consider the probability that a user is not who they say they are. Fraud detection, suchh as authentication, should be multilayered. Part of the contextual analysis of a user or device should include looking for negative identifiers — whether the user is a person or a bot, whether the device is rooted or jailbroken, whether the user has malicious malware installed, etc. Understanding the risk involved with a digital user or interaction influences the level of trust in that identity.

Identity, Authentication and Digital Trust

In the end, modern organizations require a strategy that encompasses identification and authentication to build a foundation for digital trust. In better knowing the user, including the full context behind their behavior and interactions, businesses can enable better customer experiences without sacrificing security.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read

How Security Teams Combat Disinformation and Misinformation

4 min read - “A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

4 min read

A View Into Web(View) Attacks in Android

9 min read - James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

9 min read

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

4 min read - While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

4 min read