Demystifying risk-based authentication

Security Technology Banking
Risk-based authentication
In the physical world, people can be identified in many ways. A particularly tall individual might – quite literally – stand out because they are noticeably different from everyone else. When attending a conference, a name tag could identify someone as a keynote speaker. Nothing here necessarily requires the person to actively do anything to make themselves known. The person’s behaviors or attributes, passively observed while they go about their daily lives, makes them known to others.

In much the same way, risk-based authentication (or RBA) passively authenticates an entity by determining behavioral patterns. The difference, of course, is the method: it’s all done digitally, helping organizations to seamlessly authenticate a user’s journey by collecting various mechanisms and signals.

Entersekt partnered with one of the world’s leading digital banks to offer their customers frictionless #ecommerce checkouts with real-time RBA. Read more about how our integration with NuData Security has made this possible.

Below, Andries Maritz, product manager and owner at Entersekt, identifies and decodes various aspects of RBA that make it a success.

Analyzing consortium data

Consortium data is defined as the set of normal behaviors that make up the “culture” for a particular type of transaction.

When enough people behave in a certain way, those behaviors become part of the identity of that group. Individuals who are consistent in displaying certain behaviors are seen as “normal”. In contrast, someone who behaves differently can stand out.

In business, “consortium” can also be characterized as a group of businesses that share a similar profile and can pool resources so that they can collectively benefit from better insights. For online fraud detection, this means the sharing of data. In the realm of financial transactions, consortium data could refer to specific activities such as 3-D Secure transactions or online logins.

Entersekt leverages NuData Security’s NuData Trust Consortium, which collects more than 650 billion annual events.

If the volume of input data is sufficiently large, then statistical outliers can raise flags to indicate that something is different about a transaction. This type of statistical modeling is one method that can be used to see whether a transaction is typical to how a human would normally behave within that environment. Outliers would signal behavior that is unlikely coming from a human being performing this type of transaction.

“The richness of data provides capabilities that can help with detecting human-driven account takeover, mass-scale attacks, evolving attacks, and even attacks orchestrated by sophisticated syndicates.”

The richness of the data opens many other avenues of fraud detection. Is a credit card being used too often? Is the user traveling vast distances in a short amount of time between transactions? Have the merchants previously been associated with suspicious behavior? The answers to such questions could raise risk signals that could influence a risk profile in both negative and positive ways.

Keeping track of behavioral analytics

When people repeatedly perform the same routine, they develop habits. Habits are behaviors that are learned or developed and can vary based on context. This means that they aren’t an inherent part of who we are. Instead, they indicate what we normally do.

One roommate might have a habit of putting the milk in the door of the refrigerator. Another roommate might be more prone to put the milk back on the bottom shelf after using it. Yet another roommate might not be in the habit of putting the milk back at all. By looking at where the milk is, you can get a fair idea of who the last person was to use the milk.

This requires observing a specific behavior for a specific individual over time. Simply noting the location of the milk, without looking at who placed it there, won’t help in building a behavioral profile for any specific roommate.

“In the digital world, contextual information can be used to build up similar
profiles for an individual.”

An online shopper might have habits too. They could shop from the same three e-commerce sites. One could be frequented on a weekly basis while the others less regularly. The transaction amount could always be below a certain amount and initiated directly from the mobile app.

If, however, a high-value transaction is suddenly performed from a different site and from a browser instead of the app, this deviation could indicate a higher risk and warrant further confirmation.  

Putting behavioral biometrics into practice

Before instant messaging, email or telephones, people communicated via morse code. This technology was used for long-distance communication from as early as 1844, when a message was sent from Washington, D.C. to Baltimore. As operators became familiar with the use of the telegraph, they started to develop their own style.

It wasn’t long before experienced operators could recognize one another simply by listening to the unique quirks, pauses, errors and pace of other operators. The skill of recognizing operators through their style – or the “Fist of the Sender” – was used during World War II to identify operators on the other end of the line.

Operators would analyze other operators’ keystroke dynamics, which can even be used today to identify an individual based on the timing of how they enter data through a keyboard. This is one example of behavioral biometrics.

“Behavioral biometrics in digital channels refers to the ability to identify a user through the unique way in which a user interacts with a human-machine interface.”

Behavioral biometrics are a documented set of behaviors that indicate how we normally do something. How a user moves their mouse cursor, how hard they press on a touch screen, the angle with which they hold their mobile device, or any number of other data points that can be collected during user friction are all examples.

Much like the old telegraph operators, a machine learning algorithm can build up a profile of the user that is as identifiable and inherent to that user as the Fist of the Sender was during WWII. With every transaction, RBA leverages behavioral biometrics to compare friction to a known profile of that user.

Establishing device identity

Your driver’s license or passport can generally be trusted as fair proof of identity, mainly because it gets issued to you by your government. This is a specific and uniquely issued identifier that only one person should be able to use.

When speaking about a device, a trusted authority could issue the device with a unique identifier. Only this device would be able to present this identifier, which, in turn, increases the probability that the transaction is being performed by the expected user.

Another type of identity is a combination of common characteristics that, together, can be used to accurately describe you. Your hair color, eye color, height, weight, nose shape and residential address can be combined to create an identity profile for you. That’s not to say others don’t have the same hair color or live in the same house, but the specific cocktail of attributes makes you “you”.

Where behavioral analytics refer to what people normally do, this type of device identity refers to attributes that are normally associated with this person. Contextual information like their general location, browser type, IP address, and other available information can be used too and, in combination, provide a good idea of which device is being used.

The gist of RBA

The success of RBA is the collection and categorization of user data that is determined "normal" user behavior. The authentication process is then made more user-friendly by tying it to behavioral biometrics. The deviation from what is not "normal" user behavior will set off a flag for further investigation in this regard. These metrics work in conjunction with device identification to establish the identity of the user.

In essence, a transaction performed by someone who behaves in a way that is consistent with their usual actions will appear as “normal”. In these instances, passive authentication methods such as RBA can turn transactions seamless with a little help from smart risk-scoring technology and the collection of positive and negative behavioral signals from the user’s past engagements.

Implemented correctly, both institution and user can benefit enormously from RBA as it delivers the necessary protection against fraud while creating a desirable, uninterrupted user experience.

Read more: Orchestrate superior authentication journeys for enhanced customer experiences.