Going passwordless: Stage 1 – let’s talk about your behaviour

tl;dr: going passwordless - stage 1 of 3 | authenticate a user on their behaviour across any channel and any device | use it to trigger additional user auth only when you need to | it's quite a lot nicer for your customers | next stop - how to step-up when you need to.
Going passwordless: Step 1 – let’s talk about your behaviour

Earlier, I set the stage for my series of Going Passwordless, as my continued engagement with digital and challenger banks showed indications of having a common goal. With just three steps standing between an organisation being basic and being a legend, I’m introducing Stage One, the first step to becoming a customer hero.

We’re in a vulnerable position.

Someone has picked up your unlocked phone and gone straight into the banking application.

Trouble is, we have no idea who this person is and the only defence we had in place has been removed, i.e. the password…although that password was pretty useless in the first place.

What measures are now in place to protect the rightful owner of the phone & banking account, saving them from being robbed and left with only a fiver in their pocket?

Step one: Behavioural Biometrics

As soon as the application is opened whether by the rightful owner or an opportunistic thief, the behavioural biometric module will begin to record how the end user is interacting with the application. The module will take data from every parameter the phone, tablet or PC has to offer: for mobile or tablet these parameters will be the accelerometer, the gyroscope, how you type and swipe and how much pressure you apply. And on the PC, data from keystroke and mouse dynamics.

Hello omnidevice, omnichannel user authentication

The behavioural module will build a template of how you interact with your application (banking or otherwise) over a short time period using these parameters. Once this template is complete, it will compare live sessions against this stored template to return to the client a risk-based score, an indication of how confident the module is that it is you using the application or not. Additionally, any sessions returning strong scores will be used to enhance the stored template, so it continues to store the most accurate template of your behaviour.

Goodbye costs, friction and unnecessary security hoops

If the module is confident it’s you, we can look to ‘step-down’ the approach to authentication. This means that unnecessary authentications steps will be removed, which in turn further streamlines the UX and will reduce costs to the organisation, for example by minimising the number of costly SMS OTPs. This applies especially when you want to complete low-sensitivity, daily banking transactions which should not require an excessive amount of jumping through authentication hoops – like transferring ten quid to my housemate, or paying the cleaner.

Be a bit more flexible

Security must step up when the sensitivity of the transaction increases – for example if I wanted to send a large amount of money somewhere or if I wanted to change sensitive information like an address. Furthermore, if the module at any point is not confident it’s you using the application, what happens next? How do we clarify who it is on the end of the handset?

Have I just beautifully segued into STAGE 2?

Yes, yes I have. Stay tuned to read the second simple step, or drop me a line to discuss the world of digital, challenger and neo banks.

AimBrain - Simply Smarter Authentication