Whats New in Authentication Technologies for Online Transactions?
Q: There has been a lot of activity in the area of consumer authentication lately. Oracle acquired fraud prevention vendor Bharosa in July, EMC acquired knowledge-based authentication vendor Verid in June. Last year RSA acquired device ID vendor PassMark and risk analytics vendor Cyota, before being acquired in its turn by EMC, while another risk analytics vendor, Business Signatures, was swallowed up by Entrust. What is driving the rush to online consumer authentication?
A: Financial institutions and online retailers are looking at two major areas of concern right now. One is identity theft, the other is fraud. In the financial services industry the catalyst for change comes from guidance issued by the FFIEC (Federal Financial Institutions Examination Council) mandating the implementation of consumer authentication. So today were seeing an explosion of deployment. Its not just in the banks covered by the FFIEC mandate, but also at online brokerages like Charles Schwab, and its beginning to spill over into the online retailing sector too. People really want to get a handle on these problems.
Q: Is there a difference between online consumer authentication and the methods companies traditionally use to authenticate their own employees on internal networks?
A: Yes. Companies can tell their employees what to do, and make sure that they do it. But they cant force consumers to behave in the same way. When a company hires you, they can hand you a hardware device like a smart card or a token that generates one-time-only passwords and insist that you use it. Or they can even require that you use some kind of biometric like fingerprints when you log on. But consumers cant be regimented like this, so you have to use technologies that are much more unobtrusive. This is a powerful constraint and it is driving a lot of vendors to develop new and creative solutions to the problem.
Q: What are some of the basic choices for consumer authentication technology?
A: Broadly speaking there are two kinds of solutions, which can be deployed together or separately. The most common kind is the risk analytic engine. In addition you are now starting to see a lot of deployment of advanced identity-proofing methods.
Q: What do risk analytic engines do?
A: They try to sniff out fraud based on the pattern of actions a consumer engages in online. This idea has been borrowed from the credit card industry, which has long used transaction analysis to detect fraud. For example, suppose I am an online banking customer of a big bank, and suppose I normally engage in simple activities like checking my account balance or setting up online bill payments for routine amounts. Then suddenly one day $3 million passes through my account on the way to North Korea. A risk analytic engine will flag this as abnormal.
Q: Do these risk analytic engines work in real time?
A: Originally you mostly had passive risk analysis that operated after the fact. You would have an engine sitting there combing automatically through a pile of transaction records, and when it flags something a live person in the fraud department will call you up and ask if you really meant to transfer $3 million to Kim Jong-ils cousin. This approach works for most transactions at financial institutions like bill payment or funds transfers, because these are not instantaneous actions. They take a little time to complete, so you still have time to detect fraud and stop it after the fact.
Q: Is there a trend toward making these risk analytic engines more pro-active in detecting fraud rather than working after the fact?
A: Yes. Now that deployment of these risk engines is becoming more widespread and beginning to move from just online banking to a broader range of online retailing, there is a desire to make them more active. One way to do this is for the system to issue a real-time challenge to the consumer for some additional online or offline authentication when an unusual transaction occurs, instead of bugging the consumer with a phone call two days later. This challenge will involve some form of identity proofing, which is the second major area companies are investing in after risk analytics.
Q: This technology sounds pretty complicated. Are there any standards for risk analytic engines?
A: No. This is pretty much a dark art right now. The solutions that the vendors are proposing are completely proprietary.