Authentication, Privacy and our Digital Future


Authentication Is the Key to the Digital World – Making it Frictionless and Private will be the next Evolution Online

Everyone uses countless online services and digital products. For each of them the first step is to prove that you are who you say you are. Neither you nor the business serving you wants an interloper or fraudster using your identity, payment method or credit. Whether you are who you say you are is the question that sits at the heart of #authentication, and answering it properly underpins our online existence.

Authentication is the cornerstone of a system allowing billions of people to access products and services in the #digitalAge. Whether it’s logging onto Facebook, paying your taxes virtually, buying a phone on Amazon, or subscribing to Netflix – it requires a form of real-time authentication.

Many solutions have appeared in the past two decades, since online sales and payments were born, to secure and verify both the ability to make a #payment and the user’s #identity. This process reduces risk by proving that the transaction is legitimate and keeping your data secure. It’s a crucial safeguard against #fraud, defending against organised crime, money laundering and illegal practices.

Consider for a moment that in the USA up to $8 billion has been stolen from the National Covid Relief Fund. This was done by fraudsters claiming to be people they are not. Think of postal voting scandals and voter registration, and you begin to see just what authentication means for our future.

As the ongoing #Covid-19 pandemic has pushed our professional, leisure and retail activities further online, authentication has become an even more critical process in everyday life.

Growing need to authenticate online transactions

The recent explosion in online shopping, Buy Now Pay Later, #neobanking, and remittance payments increases the need to authenticate accurately, including for Card-Not-Present (CNP) and crypto transactions. Similarly, with large chunks of the working population moving to remote working, businesses are under pressure to verify the identities of employees accessing company networks.

In fact, 71% of UK business decision-makers believe that the shift to #WFH during the COVID-19 crisis has increased the likelihood of a cyber attack, with 46% noting an increase in phishing attacks since #lockdown (see Raconteur). Again, authentication and digital identity, along with #cybersecurity, are essential.

The online payments boom has led to new regulation to manage the massive fraud (more than £25 billion per year in direct losses). In addition, criminals successfully stole £1.8 billion in 2018 through phishing and scam attacks (see UK Finance).

In the EU and the UK, the 2021 deadline is approaching after which PSD2’s new Strong Customer Authentication (SCA) requirements will make two-factor authentication (2FA) necessary for all CNP purchases over €30 in Europe and £30 in the United Kingdom (unless exemptions are in place thanks to specific criteria and anti-fraud systems).

There are concerns that the friction in the customer experience created by this could cost merchants up to $100 billion in lost and abandoned sales (see Finextra). This creates an enormous need for streamlined authentication processes. Additionally, “exemptions” could allow businesses to take payments without 2FA depending on their rates of underlying fraud.

Authentication and user data are at the heart of many methods to ensure low fraud rates

Years ago, authentication was kind of like being a member of a club with special rights to resources and transactions. Even as the ability to transact globally became available to billions of people in the 1990s, massive databases of users were built up by major credit and banking interests. This essentially made them the arbiters of who had the right to transact and what rules were in place to manage the identities and entities that were (or were not) in the club.

Later, the chip-enhanced card allowed for knowledge of a four-digit code to democratise authentication within the “Europay, Mastercard, and Visa” (EMV) system. This system, however, is owned as an association of the top five global card issuers. Today, of 8.2 billion cards in circulation, 75% have a chip. But, as we know, PINs can be stolen, hijacked and hacked.

Now, the online age has brought a wave of user-focused businesses seeking to lay claim to authentication through user data. PayPal, Amazon, Apple, Google and Facebook, among others, offer Single Sign On (SSO) features or complete customer “walled gardens”. These features allow users to make payments or access multiple applications and services through a single set of credentials.

Think of it this way: if you had to give your entire credit history and identity as well as your recent travel and hotel data to an airline before you could fly, would you do that? And yet many companies online now “own” that data and use it to authenticate (and to market you as a product) within their network or partner companies.

Leveraging user data for authentication comes with a cost

As authentication becomes so fundamental to how we engage with the world, some companies are making a claim for it. In fact, it’s part of a long tradition of leveraging user data for authentication. And while the holistic, unified authentication environments these companies offer are convenient for consumers, they come at the cost of user privacy. In addition, user data can be exposed. Last year alone more than 400 million user identities were hacked.

Google sign-in is free of course. But it also tells them at every step what you’re looking at and where your interests lie. But it sure is convenient! Today a true land grab is taking place to be the gatekeepers of #DigitalIdentity, to keep users (and their reliably monetisable data) within proprietary environments. Authentication as such is a “ticket to play” and should be open, transparent and movable. You shouldn’t be forced into a single company’s ecosystem of products and services simply because they hold your data.

As a result, every non-customer is treated as a risk. If you fail to meet their authentication requirements or break a rule by mistake, you can have your card, account or funds blocked indefinitely while you try to prove who you are. This even affects some of the more modern neobanks and payment platforms. The business effectively owns authentication for its users, as well as the personally identifiable data that comes with it.

To put a number on the value of authentication, it is sufficient to look at Twilio, a key actor in the One Time Password (OTP) and 2FA space. Twilio, founded in 2010, convinced key payment players of the gap in the authentication market and thereby realised its potential. It was able to attract investment of $103 million and began buying data companies and companies specialised in authentication, such as Authy, becoming the global leader in a market worth over $45 billion – that’s more than 45 unicorns!

Behavioural Biometrics as an additional layer of defence

At Cybertonica, we’re building authentication based on the notion that the process should be risk-based and probabilistic as well as real-time and adaptive. We are using #BehaviouralBiometrics and transactional data, analysed in real-time, to preserve security without sacrificing privacy. This can lead to the establishment of an anonymised (or at least “semi-anonymised”) data profile without collecting any personally identifiable information.

For example, our Behaviour ID™ solution collects device-level behavioural data and automatically generates an encrypted token based on the values from your device together with distinct patterns from your actions (not your identity). This allows the authentication to become tokenised and therefore independent of your private data.

Behaviour ID powered by ScreenWiZe, Cybertonica

You don’t have to buy into Cybertonica’s ecosystem or services. In fact, most customers we interact with will never have to submit any form or send us any personally identifiable information (PII) data. Therefore, nothing of what we sample can be used for any other purpose.

Imagine a Snapchat for identity – once we have confirmed the real-time verification, it is used only to match your future behaviours and then its contents disappear. How can a fraudster then take over the identity of an encrypted real-time phantom of your data? Well, they cannot. That’s our whole point.

By knowing and showing less, your transactions are frictionless and your privacy is not compromised. The #merchant receives real-time (in less than a second!) and 99% risk-based authentication and has happier and safer customers.

What’s more, the user experience is enhanced. And with your permission you can automatically skip the queue and the hassle of #SCA. Overall, online transactions become more secure and stakeholders more confident about operating even across borders or in CNP transactions.

We are at a crucial point in the history of authentication. Changing regulatory requirements, the importance of access to health data, and the rapid increase in global online buying are setting the course for the future. That’s why we are working on new products, to make seamless services and low risk part of tomorrow’s digital interactions and transactions. We Trust in Transaction.

Get in touch with our expert fraud team now to find out how Cybertonica can help future-proof your business!

Have you read our blog about COVID-19 fraud, hacks and scams? Read here to find out how fraudsters are surfing the ‘fear-wave’ to attack online commerce and customers.
