The dictionary definition of trust, according to Merriam-Webster, is the “assured reliance on the … truth of someone or something.” In today’s digital world, trust can be a tricky concept. To do business online, whether you are a bank, retailer, insurer, airline or anything else, you must have some degree of trust in your user — trust that they are who they say they are and not a fraudster or malicious bot attempting to steal money or data. But building trust in an online or mobile user can be more difficult and nuanced than it appears. It requires both identification and authentication.

The Truth About Identity

We can think of the “truth of someone” as their identity. The first step toward understanding a digital user’s identity is known simply as identification. This is just the ability to uniquely identify a user. It is the process by which a user makes a claim about who they are. A user could identify themselves with their full name or an account number, or an identity claim could be as simple as a username. In many cases, such as when opening a new account, this identity must be provisioned or proved initially.

Identification Is Not Authentication

Identification alone, though, is not enough to establish trust in any given digital interaction. Just because you tell me your name is Sam doesn’t mean I should believe you. Certainly, I shouldn’t give you access to Sam’s life savings based solely on that interaction. Trust is an assured reliance on that claimed identity. Assured reliance comes in the form of authentication. Authentication is commonly defined as the ability to prove that a user is genuinely who they claim to be.

There are many ways to authenticate a user. The most commonly used form is likely the password. We often consider a password as “something you know.” That is, a piece of information that only the true owner of an identity would be aware of. Unfortunately, in today’s world, that’s rarely the case.

When a user opens a new online account, they are likely to reuse a password they already have. It makes sense why: At a moment’s notice, a user might need to recall the password for any of around 90 accounts. This can lead to password fatigue, and customers may devise workarounds and ad hoc solutions to help keep things simple. But this can also sacrifice security.

Authentication Strategies for Today

This is where other types of authentication come into play. Strategies such as multifactor authentication (MFA), passwordless authentication and adaptive authentication add layers of analysis to the authentication process, making it significantly more difficult to circumvent. Multifactor authentication requires additional factors that support the user’s identity claim. In addition to something they know, such as a password, the user also needs to prove something they have, such as a device, and something they are, such as a biometric.

Passwordless authentication, on the other hand, leaves out “something you know” entirely. Instead, it uses contextual data against a digital trust framework to help you make decisions about how much to trust the user. This contextual data can be information about the user, the device, the user’s activity, behavior and network environment. The more layers of information that can be added to this analysis, the digital trust can be established, without the frustration of password based authentication.

Fraud Detection: The Flip Side of Authentication

Passwordless authentication brings into play the flip side of authentication: fraud detection. In addition to assessing an identity to prove that a user is who they say they are, organizations should also consider the probability that a user is not who they say they are. Fraud detection, suchh as authentication, should be multilayered. Part of the contextual analysis of a user or device should include looking for negative identifiers — whether the user is a person or a bot, whether the device is rooted or jailbroken, whether the user has malicious malware installed, etc. Understanding the risk involved with a digital user or interaction influences the level of trust in that identity.

Identity, Authentication and Digital Trust

In the end, modern organizations require a strategy that encompasses identification and authentication to build a foundation for digital trust. In better knowing the user, including the full context behind their behavior and interactions, businesses can enable better customer experiences without sacrificing security.

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today