Create a secure yet frictionless online banking experience


Checking that a user is who they claim to be while they are online is one of the foundations of cybersecurity. We are all used to being authenticated at some point in our online journeys, whether through a password login or a one-time passcode (OTP) sent to our phone when we attempt to make a transaction.

Why do we need continuous authentication?

The more authentication checks there are during an online session, the harder it is for a fraudster to get through it, which protects both the bank and its customer.

This is why Strong Customer Authentication (SCA) is required under the EU's second Payment Services Directive (PSD2): for most online payments and account access, users must present at least two independent factors of authentication.

These factors must come from at least two of the following categories: something the user is (inherence), something they have (possession), and something they know (knowledge).

However, it also follows that the more checks you require the user to go through, the more frustrated and dissatisfied they become with the process, and the more likely they are to give up altogether.


McKinsey reported that during the global pandemic, more than one in five banking customers in Spain and Britain tried online banking for the first time. It’s the same story for retail bank customers around the world.

So, with intense competition already existing between the many players in this market, and a post-pandemic landscape seeing a huge shift towards online banking and contactless payments, banks cannot afford to lose customers now because of a poor online experience.


Current ID checks not stringent enough

In addition to the poor user experience that multifactor authentication (MFA) can create, traditional authentication methods such as those discussed above may no longer be rigorous enough to protect users from fraud.

Methods of authenticating users, such as the traditional password login, are fast going out of date.


This is for two reasons:

  • Phishing, the most common form of social engineering fraud and the oldest trick in the book, consistently succeeds at tricking users into handing over their login details. On top of that, any corporate data breach can put the legitimate usernames and passwords of thousands of customers up for sale on the dark web. (Read more about this in our blog on passwordless authentication.)
  • Fraudsters keep devising more advanced ways around the authentication designed to stop them, such as remote access trojans (RATs), which let a criminal take control of a user's device after the user has logged in, or malware injected into the session (for example into the browser). If a user's identity is only verified at one-off moments during the session, at login or when a transaction is confirmed, the user is not protected against account takeover (ATO), where a fraudster hijacks the account mid-session using these techniques precisely because they sidestep the authentication moments.


What is continuous authentication?

By analyzing users’ behavioral biometrics – such as the way a user moves the mouse, the speed and rhythm with which they type and the angle at which they usually hold their phone – a unique profile can be created for every single user based on thousands of parameters surrounding their online interactions and behaviors.

This means that an anti-fraud solution founded on behavioral biometrics can compare a user's current behavior against their entire online history to check that they are who they claim to be.

This analysis can produce a risk score in real time relating to the level of threat to the user or their account’s security.

And by comparing the user's behavior against their own profile, rather than against clusters of 'good' or 'bad' users or behaviors, this sort of solution can become highly accurate for each individual user and reduce both false positives and false negatives.

Again, the important idea is that this occurs continuously, throughout a user's entire online banking session, from login to logout, so they are protected both from ATO and from fraudsters attempting to use legitimate, stolen credentials to gain access to their account.


A frictionless user experience

The biggest advantage of continuous authentication for banks is the frictionless user experience it facilitates. The technology delivers passive protection, working behind the scenes to analyze the user’s behavior throughout their entire online session.

There is no active requirement for users to input any information except their login details.

Plus, one of the two factors required under PSD2's SCA rules, in behavioral biometrics' case the inherence factor, is collected invisibly to the user, meaning the user experience is tangibly improved by the introduction of continuous authentication. The caveat is that the behavioral data must meet the regulator's bar for reliability: the European Banking Authority's 2019 opinion on the elements of SCA treats behavioral measures such as keystroke dynamics and the angle at which a device is held as inherence elements only where they are sufficiently reliable.

And because risk scores are generated in real time, the bank can assess the current level of threat and then adjust the level of security, and the number of authentication checks, to match it.

The security can then be stepped up to ensure the user is who they say they are or – importantly for promoting a frictionless user experience – de-escalated, to remove hurdles from the path of a legitimate user, or even to avoid blocking a legitimate user from their own account altogether. And this can all occur during the same online session.
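To make the mechanism concrete (the per-user profile and real-time risk score from the previous section, and the step-up and de-escalation described here), the following Python example was written for this page; it is not vendor code. It reduces behavior to a single feature, keystroke inter-key latency, and uses a z-score against the user's own baseline in place of the learned model a product would use. All class and function names, thresholds and sample timings are assumptions constructed for the example.

```python
"""Toy continuous-authentication scorer: added example, not vendor code.

Assumptions (hypothetical, not from the article): behaviour is reduced to one
feature, inter-key latency in ms; a user's profile is the mean and spread of
that latency from earlier sessions; recent keystrokes are scored in a sliding
window against that profile and mapped to allow / step_up / block.
"""
from collections import deque
from statistics import mean, stdev

WINDOW = 8          # recent keystrokes scored together
STEP_UP_AT = 0.5    # risk at or above this asks for an extra factor (e.g. an OTP)
BLOCK_AT = 0.85     # risk at or above this ends the session
ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"


class UserProfile:
    """Per-user baseline built from the user's own history, not a population."""

    def __init__(self, baseline_ms):
        if len(baseline_ms) < 2:
            raise ValueError("need at least two samples to build a profile")
        self.mu = mean(baseline_ms)
        self.sigma = max(stdev(baseline_ms), 1.0)  # floor avoids a zero divisor

    def z(self, latency_ms):
        """Distance of one keystroke from this user's usual rhythm, in std devs."""
        return abs(latency_ms - self.mu) / self.sigma


def risk_score(profile, window):
    """Mean |z| of the window mapped to 0..1; a mean |z| of 4 or more saturates."""
    if not window:
        return 0.0
    return min(1.0, mean(profile.z(x) for x in window) / 4.0)


def decide(risk):
    if risk >= BLOCK_AT:
        return BLOCK
    if risk >= STEP_UP_AT:
        return STEP_UP
    return ALLOW


class SessionMonitor:
    """Scores every keystroke from login to logout; the user is only asked for
    something when the risk crosses STEP_UP_AT."""

    def __init__(self, profile):
        self.profile = profile
        self.window = deque(maxlen=WINDOW)
        self.verified = False   # set once a stepped-up factor has succeeded

    def observe(self, latency_ms):
        self.window.append(latency_ms)
        risk = risk_score(self.profile, self.window)
        action = decide(risk)
        if action == STEP_UP and self.verified:
            action = ALLOW      # already re-verified this session; BLOCK still applies
        return risk, action

    def challenge_passed(self):
        """De-escalate: the extra factor succeeded, so drop the suspicious window."""
        self.verified = True
        self.window.clear()


def run_session(profile, latencies_ms, challenge_ok=True):
    """Replay a keystroke stream and return the action taken after each one.

    challenge_ok models the outcome of the stepped-up factor: a legitimate user
    passes it and is de-escalated, an attacker fails it and is blocked.
    """
    monitor = SessionMonitor(profile)
    actions = []
    for latency in latencies_ms:
        _risk, action = monitor.observe(latency)
        actions.append(action)
        if action == BLOCK:
            break
        if action == STEP_UP:
            if not challenge_ok:
                actions.append(BLOCK)
                break
            monitor.challenge_passed()
    return actions


# Constructed sample data (not real measurements): one user who types with a
# ~120 ms inter-key latency, then three sessions scored against that profile.
BASELINE_MS = [100, 110, 120, 130, 140, 115, 125, 120, 110, 130]
PROFILE = UserProfile(BASELINE_MS)
LEGIT_SESSION = [118, 125, 112, 130, 121, 109, 127, 119, 123, 116, 128, 114]
# Same user for six keystrokes, then a RAT operator takes over with a very
# different rhythm (the mid-session ATO case); the OTP challenge fails.
HIJACKED_SESSION = [118, 125, 112, 130, 121, 109, 310, 35, 290, 48, 305, 40]
# Legitimate user briefly distracted (two slow keystrokes), passes the OTP and
# is de-escalated instead of being locked out.
DISTRACTED_SESSION = [118, 125, 112, 130, 121, 109, 200, 210, 120, 118, 125, 122]

if __name__ == "__main__":
    print("legit     ", run_session(PROFILE, LEGIT_SESSION))
    print("hijacked  ", run_session(PROFILE, HIJACKED_SESSION, challenge_ok=False))
    print("distracted", run_session(PROFILE, DISTRACTED_SESSION))
```

Running the block prints the action taken after each keystroke for the three sessions: the legitimate session is never interrupted, the hijacked session is challenged as soon as the second operator's rhythm enters the window and blocked when the challenge fails, and the distracted session shows a legitimate user challenged once and then left alone. A real deployment would combine many more features (mouse movement, device orientation, navigation patterns) and tune the thresholds per risk appetite; the structure, a per-user baseline, a continuously updated score and a step-up/step-down policy, is the same.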


Continuous authentication: dynamic fraud prevention that leaves the user uninterrupted

Continuous authentication supports banks' compliance with financial regulation, gives stronger protection against fraudsters, and is highly accurate, since a behavioral biometrics solution built on deep learning can refine each user's profile with every session.

With passwords potentially on the way out, the quest for the most frictionless user experience continually underway, and the PSD2 deadline to implement SCA looming, it’s safe to say that the ability to verify users’ identity seamlessly in the background while they’re online is going to be of paramount importance in the not-too-distant future.
