How many phone calls have you taken from businesses in the last month? Maybe you were contacted by your bank, your electricity supplier, even an online retailer. The chances are, every call began the same way – you were asked to confirm your identity.
But there are big problems with authentication today.
It’s one-way – often used only by businesses to validate an individual’s identity, and not the other way around. And it’s too simplistic – easy for fraudsters to exploit thanks to the rudimentary processes that many businesses have in place and the difficulties they face in reliably identifying customers.
As our ways of business continue to evolve and become less reliant on in-person interactions, authentication needs to evolve. And fast.
We’ve been looking at ways to make authentication more resilient and more appealing – both for businesses and consumers. Because, if we get this right, we can reduce opportunities for fraudsters and limit social engineering.
We’re currently exploring methods to foster mutual trust – so both corporations and consumers can be reassured by authentication processes that are secure but also quick and easy to use.
There are two approaches we’re investigating, and they can potentially be used in tandem for different scenarios. The first doesn’t require any specific actions by the customer, whereas the second involves a step to be performed by the customer to confirm an organisation’s identity. There are pros and cons for both, and likely there’s no ‘one size fits all’ answer to this problem.
The former model is easier for individual consumers who don’t have a simple way to validate an organisation’s identity or can’t be expected to perform complex authentication (for example, vulnerable customers). That could mean receiving a call and being able to trust that the declared phone number is accurate, or having a trusted directory for telephone or internet interactions. But it’ll require some form of independent monitoring to detect and respond if the model is compromised.
The latter approach obliges one party to confirm a static piece of information, such as a password or similar authentication credential. This method is already used in a crude form today, but it’s often flawed. Individuals forget passwords, and fraudsters can intercept static pieces of information. That’s why authentication needs to be contextual (shifting according to the situation) wherever possible.
Ultimately, what we’ve discovered so far is that different trust models need to be adopted according to specific interactions and scenarios. And the process must be seamless – conducted across the same channel that an individual uses to initiate the interaction.
As we make progress on this journey towards more intelligent and robust authentication, we’ll be delivering updates and news here on the blog.