The dictionary definition of trust, according to Merriam-Webster, is the “assured reliance on the … truth of someone or something.” In today’s digital world, trust can be a tricky concept. To do business online, whether you are a bank, retailer, insurer, airline or anything else, you must have some degree of trust in your user — trust that they are who they say they are and not a fraudster or malicious bot attempting to steal money or data. But building trust in an online or mobile user can be more difficult and nuanced than it appears. It requires both identification and authentication.

The Truth About Identity

We can think of the “truth of someone” as their identity. The first step toward understanding a digital user’s identity is known simply as identification. This is just the ability to uniquely identify a user. It is the process by which a user makes a claim about who they are. A user could identify themselves with their full name or an account number, or an identity claim could be as simple as a username. In many cases, such as when opening a new account, this identity must be provisioned or proved initially.

Identification Is Not Authentication

Identification alone, though, is not enough to establish trust in any given digital interaction. Just because you tell me your name is Sam doesn’t mean I should believe you. Certainly, I shouldn’t give you access to Sam’s life savings based solely on that interaction. Trust is an assured reliance on that claimed identity. Assured reliance comes in the form of authentication. Authentication is commonly defined as the ability to prove that a user is genuinely who they claim to be.

There are many ways to authenticate a user. The most commonly used form is likely the password. We often consider a password as “something you know.” That is, a piece of information that only the true owner of an identity would be aware of. Unfortunately, in today’s world, that’s rarely the case.

When a user opens a new online account, they are likely to reuse a password they already have. It makes sense why: At a moment’s notice, a user might need to recall the password for any of around 90 accounts. This can lead to password fatigue, and customers may devise workarounds and ad hoc solutions to help keep things simple. But this can also sacrifice security.

Authentication Strategies for Today

This is where other types of authentication come into play. Strategies such as multifactor authentication (MFA), passwordless authentication and adaptive authentication add layers of analysis to the authentication process, making it significantly more difficult to circumvent. Multifactor authentication requires additional factors that support the user’s identity claim. In addition to something they know, such as a password, the user also needs to prove something they have, such as a device, and something they are, such as a biometric.

Passwordless authentication, on the other hand, leaves out “something you know” entirely. Instead, it uses contextual data against a digital trust framework to help you make decisions about how much to trust the user. This contextual data can be information about the user, the device, the user’s activity, behavior and network environment. The more layers of information that can be added to this analysis, the digital trust can be established, without the frustration of password based authentication.

Fraud Detection: The Flip Side of Authentication

Passwordless authentication brings into play the flip side of authentication: fraud detection. In addition to assessing an identity to prove that a user is who they say they are, organizations should also consider the probability that a user is not who they say they are. Fraud detection, suchh as authentication, should be multilayered. Part of the contextual analysis of a user or device should include looking for negative identifiers — whether the user is a person or a bot, whether the device is rooted or jailbroken, whether the user has malicious malware installed, etc. Understanding the risk involved with a digital user or interaction influences the level of trust in that identity.

Identity, Authentication and Digital Trust

In the end, modern organizations require a strategy that encompasses identification and authentication to build a foundation for digital trust. In better knowing the user, including the full context behind their behavior and interactions, businesses can enable better customer experiences without sacrificing security.

More from Fraud Protection

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…

What Are the Biggest Phishing Trends Today?

According to the 2022 X-Force Threat Intelligence Index, phishing was the most common way that cyber criminals got inside an organization. Typically, they do so to launch a much larger attack such as ransomware. The Index also found that phishing was used in 41% of the attacks that X-Force remediated in 2021. That's a 33% increase from 2021. One of the biggest reasons threat actors are increasing phishing attacks is that all it takes is one employee to make a…

Top Security Concerns When Accepting Crypto Payment

From Microsoft to AT&T to Home Depot, more companies are accepting cryptocurrency as a way to pay for products and services. This makes perfect sense as crypto coins are a viable revenue source. Perhaps the time is ripe for businesses to learn how to receive, process and convert crypto payments into fiat currency. Still, many questions remain. How can you safely enable customers to pay with Bitcoin or other digital currency? What are the security risks that come with cryptocurrency? Let’s…

NFT Security Risks: Old Scams and New Tricks

The non-fungible token (NFT) boom has also led to some serious security incidents. For example, the number of suspicious-looking domain registrations with names of NFT stores increased nearly 300% in March 2021. To participate in an NFT marketplace, you must have an active cryptocurrency wallet. This exposes NFT holders to new risks as attackers can find ways into your crypto wallet through your marketplace account. As we’ll see, threat actors have even infiltrated NFT marketplace OpenSea’s Discord server posing as…