The express lane on a highway
PHOTO: Adobe Stock

According to Javelin Research’s annual report, "Identity Fraud Study: The Virtual Battleground,” account takeovers increased by 90% from 2020 to 2021, growing to an estimated $11.4 billion in losses (roughly one-quarter of all identity fraud losses that year).

An account takeover occurs when a hacker gains unauthorized access to a compromised account.  The purpose is to gain access to the data associated with that account, such as names, addresses, emails, even banking information.

From a business perspective, account takeovers make authentication a larger issue than ever before. Authenticating or verifying the identity of users is what ensures products and refunds go to the correct people. But if you create too many verification hoops for customers to jump through, it could mean losing them to competitors.

For instance, customers don’t want to re-authenticate their identities during interactions when transferring from a bot to a human or a bot to another bot. They want a simple, straightforward experience.

Consider the four ideas below if you want to authenticate customers with relatively little friction.

1. In-Journey Authentication

Organizations that want to strategically balance safety and customer experience should look to authentication, said Christopher Schnieper, LexisNexis Risk Solutions senior director of fraud and identity.

They should also understand the risks present in the customer journey, he added, “which can range from checking the balance of an account to making an infrequent high-value purchase.”

Schnieper added that companies should bring the authentication capability to where the consumer is in the journey.

“An example of this would be to deliver app-based authentication when the consumer is in the organization’s app. Alternatively, the organization could utilize a text-based authentication if the consumer is on a mobile web browser. This way, an organization can match the interaction with the right amount of friction for each consumer and commensurate with the risk of each transaction.”

According to Schnieper, organizations can use the digital footprint of a returning customer to determine the device being used — mobile device, laptop, desktop. They can also use details like IP address, tenure of the device or email associated with the identity to reduce authentication issues when someone logs in.

Related Article: Evolving CX Demands a Connected Customer Journey

2. Call Risk Scoring

Telephone companies collect large amounts of metadata from phone calls, including:

  • The type of phone (smartphone, VOIP, landline)
  • The phone numbers you call
  • The phone numbers that call you
  • The duration of calls
  • Your location

This information, when combined with AI, can provide some basic authentication, said Dan Raup, Verint senior director, strategic business development. With this system, each interaction is labeled as green, yellow or red, with a green designation requiring only one additional authentication factor, such as the last four digits of an account. Yellow requires two additional factors, and red requires several more or faces rejection.

Call risk scoring also uses STIR/SHAKEN authentication standards to provide a secure way to validate caller ID. The Federal Communications Commission requires most telephone carriers to comply with these standards to suppress the onslaught of spam robocalls, particularly those from foreign locations.

3. Voice Biometrics

What companies have not done well, according to Dan Spohrer, Verint vice president of product strategy, is set expectations about authentication.

According to Spohrer, companies should match levels of authentication commensurate with the value of the transaction. For example, a $10 transaction might only require simple verification, while a larger transaction would require multiple factors.

But there are ways companies can obtain multiple forms of authentication with relatively little friction, such as voice verification. “There are two basic types of voice verification,” Spohrer said. “Active voice verification requires you to say a specific phrase like ‘my voice is my password.’ Passive verification lets you just start talking, then authenticates [or doesn’t] you in a couple of seconds.”

Active voice biometrics is a slightly more intrusive customer experience, said Spohrer, because it asks the caller to repeat a specific phrase. 

Both types of voice biometrics require the customer to enroll in the company’s voice authentication program. When they say their password into the phone for the first time or talk randomly, it creates a voice print for future verification purposes.

Related Article: How Will Conversational AI Transform Customer Experience?

4. Behavioral Biometrics

“The balance between risk management and optimal customer experience is difficult to strike, and the risks are great,” said Raj Dasgupta, BioCatch director of fraud strategy.

“Everyone has experienced declined transactions, stepped-up authentication such as SMS verification codes, phone alerts and waiting on hold to speak with a customer representative. While customers generally understand the purpose of these inconveniences, often individual circumstances can cause them to grow frustrated.”

Behavioral biometrics leverages machine learning algorithms to analyze the physical and cognitive behavior of users across digital channels, Dasgupta said. The model looks at real-time physical interactions such as keystrokes, mouse movements, swipes and taps, looking for behavioral anomalies and patterns associated with genuine and fraudulent activity.

“Continuous authentication using behavioral biometrics is like an authentication express lane,” Dasgupta added. “Companies can make smarter decisions about when to introduce step-up authentication, leading to seamless customer experiences. Continuous behavioral authentication means fewer false fraud alarms and the ability to reserve additional authentication only for truly high-risk situations.”

Final Thoughts

While companies are using various methods for positively authenticating users, there’s one thing they all agree on: simple PINs or passwords no longer provide enough protection. And while most account holders don’t mind some extra authentication, methods that seriously delay interactions can drive them to competitors with easier — and still secure — options.