The Truth About Multifactor Authentication: More Is Not Necessarily Better

March 4, 2019

The European Union's Revised Payment Service Directive, better known as PSD2, raises the bar for "strong" security by mandating three-factor authentication, not just two. It's food for thought because it raises the question: why stop there? We know that one factor is not enough, but is the risk of fraud going to drive us down the path to four, five, n-factor authentication? Taken to its illogical conclusion, there is no end to the demand for additional factors.

Luckily, the need to provide fast response and a pleasant customer experience at an affordable cost already places constraints on the mad rush to add authentication factors.

A quick trip down memory lane (or is that security avenue?) reminded me that my first real experience with two-factor authentication ('2FA') was when I used my bank card at an ATM. At the time, it didn't occur to me that I was authenticating with something I had (first factor, the card) and something I knew (second factor, the PIN), but that's what it was. Yet today 2FA has proven powerless against the rising tide of fraud in the physical world (where cards have been spoofed and four-digit PINs have proven vulnerable), and even more so in the voice, digital and online worlds, where procedures to authenticate "card not present" transactions are either cumbersome or ineffective.

The response to the inadequacies of 2FA has been dramatic. Exponential innovation has been witnessed globally in the domain of 'Intelligent Authentication' (IAuth). Of necessity, it spans Identity, Verification and Fraud Prevention and encompasses an ever-increasing range of biometric modalities such as Voice, Face and Behavioural, and the list continues to grow to accommodate a variety of on-device or endpoint sensors (smartphones, intelligent appliances, connected cars, etc.).

Number of Factors Is Not the Most Important Metric, Fraud Loss Reduction Is

So back to 2FA and multi-factor authentication ('MFA'), where the core strength lies in the independence of the factors and methods being used. The total solution is only as good as the sum of its parts. Every effort must be made to ensure that these individual parts are best-in-class and continually compete against each other for improved performance, cost and UX. This is a strong argument for selecting solutions from vendors who have a proven track record of providing enterprise-grade solutions, with ongoing investment in continually innovating against supremely inventive fraudsters.

Embracing The Best, Not Just The Most

The contact centre is at the core of omni- and opti-channel Conversational Commerce and Intelligent Assistance. It is, very importantly, also the last resort for supporting digital and other channels. Consequently, the contact centre has become the most targeted area in the life-cycle of a fraud attack, either for a direct pay-out such as account takeover fraud, or in the build-up to an attack on another channel, such as a password reset for an online account. As fraudsters engineer their attacks across multiple channels, it is imperative that MFA solutions are also omnichannel and are able to integrate easily into the contact centre environment, without being limited to specific network, geographic and language constraints. Moreover, they should be totally passive, so the customer experience will be seamless. Voice biometrics is the best solution for this task.

Without the risk of fraud, there would be no need to authenticate users. Sadly, this is not the case, and fraud attacks can emanate from anywhere, on any device, through any network, at any time. The ultimate goal of all these technologies, multi-layered security architectures and MFA is to reduce fraud. Merely adding factors does not equate to reducing fraud loss.