Why are we still using analogue authentication in a digital world?

Friday 28 May 2021 08:53 CET | Editor: Mirela Ciobanu | Voice of the industry

We’re living in an inherently digital world. So why, asks Callsign’s Ryan Gosling, are we still relying on an analogue authentication technology?

Digital transformation is no longer a buzzword; it’s something that’s commonplace, and a reality for almost every aspect of every business. For issuers, one of those aspects is authentication, and as we get nearer to the implementation deadline for PSD2, there is immense pressure in the industry for businesses to get their digital houses in order.

As well as the technical side of the implementation, it also means that they need to address the ‘softer’ aspects – making the necessary changes to customer journeys and communicating those changes to minimise the impact on those customers.

And that’s something of a challenge when their existing authentication methods are anchored to a technology that is not only out of date, but severely unsuited to the task.

The elephant in the room

The over-reliance on out-of-band (OOB) mechanisms such as hardware tokens or SMS OTPs as the second, possession-based factor is a pain point not only for businesses, but also for their customers. It has long been a staple of 2FA in banking infrastructure, but it is also one that has become increasingly unsustainable.

Aside from the costs, which are considerable, OOB authentication represents a massive fraud risk. SMS OTPs in particular are susceptible to a wide range of attack vectors, ranging from malware and jailbroken phones to SIM swaps and more sophisticated SS7 attacks. The SMS channel is also a primary go-to for fraudsters, making it harder than ever to separate the factual requests from the fictional.

Also, any out-of-band authorisation has a detrimental effect on the customer journey, pretty much by definition. Forcing users to interact with a different platform or device in order to authenticate quickly becomes frustrating, assuming they are even able to.

Hardware tokens can easily be lost or mislaid, and SMS OTPs depend on the user having a signal and on the level of traffic on the cellular network. This means that they might arrive after a significant delay, or not at all.

And with the PSD2 window closing, every aspect of 2FA has been under severe scrutiny, and possession factors in particular have been found wanting. The EBA has even clarified that SMS OTPs alone do not represent an SCA-compliant solution, a stance that is clearly a source of concern for any business currently relying on it for SCA or indeed anything else.

The takeaway from this is crystal clear: issuers still need to up their game.

Human behaviour

It should come as a source of relief, then, that a solution exists – and one that businesses can swiftly and effectively implement in a manner that satisfies the demands of both their customers and the regulators.

The advantages of behavioural biometrics as the inherence factor have been well established. By passively analysing a user’s unique actions – how they swipe or type, the angle at which they hold their device – they allow a user to be recognised without adding friction to the user journey.

This is reflected by the strong preference across the industry for the robust authentication that results from layering behavioural biometrics with other circumstantial evidence as the second factor.

And customers of course have a preference for fluid authentication journeys. OOB authentication methods vastly increase the chances of customers abandoning transactions and can be a contributing factor to user churn.

With convenience taking precedence over loyalty, customers will look to the most simple and secure services to make payments, and will be quick to switch banks if authentication is too painful. The competitive advantages offered by behavioural biometrics are an important consideration.

The right solution at the right time

Support has come from the likes of the EBA and the UK’s FCA, amongst others. That alone is a strong argument for looking to behavioural biometrics as the key to ensuring PSD2 compliance. And with vendors such as Callsign providing an easy-to-implement solution that offers 3FA from a single interaction, issuers can make the deadline without compromising on security, customer impact, or compliance.

PSD2 represents a paradigm shift for payments in the EU. More than that, it’s also an opportunity for issuers to take a long hard look at their existing authentication technologies and to assess whether or not they’re fit for purpose.

And if they’re still reliant on costly and ineffective analogue mechanisms such as SMS OTPs, it’s a chance to make the move to a more robust and digitally effective solution. The industry guidance is clear, and the solution exists, taking care of the why and the how. All that issuers need to decide now is the when.

About Ryan Gosling

Ryan Gosling is the Commercial Director at Callsign, covering the UK market with a particular focus on providing SCA solutions, and helping customers prevent APP fraud.

Prior to Callsign, Ryan spent 10 years in Banking, including digital fraud & security at Lloyds Bank – delivering initiatives to improve the bank’s authentication strategy for 15 million customers, and reducing fraud losses.

He also spent a number of years in fraud operations, where direct involvement with customers reporting fraud gave him valuable insights into the techniques fraudsters were using; a very grounding experience that created the career motivation to protect customers from fraud.

About Callsign

Callsign has a simple vision: we want to make digital identification seamless and secure. Our unique positive identification approach balances high security and user experience, allowing customers to interact online safely, with minimal friction, while ensuring that bad actors are blocked to protect customers’ identities and business interests.
