Alternatives to OTP Security and the Rise of Customer Experience

May 30, 2019 | by BioCatch

Despite their known vulnerabilities, one-time passwords remain one of the most widely used forms of two-factor authentication. From SIM swaps to phishing, malware, and a whole host of man-in-the-middle attacks, weaknesses in OTP security are putting customers, and businesses, at great risk.

Earlier this year, a major UK bank was hit by an attack that exploited the weaknesses of OTPs. Fraudsters worked through a hole in telco network protocols to divert text messages from legitimate customers’ phones, bypass two-factor authentication, and access user accounts.

Beyond the fraud risk, users find one-time passwords extremely cumbersome, which hinders banks’ efforts to craft exceptional user experiences on mobile and online channels. Yet customer experience is the most important differentiator for attracting new users and improving customer loyalty.

So why do companies continue to authenticate users through OTPs? Part of the reason is a lack of understanding of viable alternatives. However, new solutions create a trusted transactional framework that balances security requirements with the need for a completely passive and frictionless user experience.

The New World of Customer Experience in Banking and Payments

Early this year, Entersekt commissioned a study to find out exactly what their end-consumers wanted from their banking and payments experiences. The results, featured in the graphic below, were quite stark.

[Graphic: results of the Entersekt study]

Seventy-one percent of regular banking app users would use their bank app more if it were more innovative, and 59% would use a banking app more if it were easier to use. With stats like these in mind, banks are now in a race to figure out how to innovate the banking experience and launch new functionality in order to create the ideal customer experience.

Figuring out how to do this without creating additional risk is one of the hardest elements of banking transformation. Innovation in security must grow alongside innovation in customer experience. Behavioral biometrics are opening that door.

Replacing OTP Security with a Frictionless Alternative

Building a trusted transactional framework involves three elements or pillars:

  • Identity – Knowing exactly who is behind a session
  • Integrity – Ensuring the session and the device have not been compromised
  • Communication – Protected 2-way messaging

For example, if the identity of a consumer is confirmed with confidence, but the transmission is compromised, the session itself cannot be trusted. Behavioral biometrics enable companies to achieve all three pillars with minimal friction. Here’s how.

Starting with the identity pillar, behavioral biometrics enable companies to accurately authenticate the user behind a session by focusing on how people interact online. The technology uses artificial intelligence to measure and analyze physical and cognitive patterns in human interactions between a device and an application, such as hand-eye coordination, pressure, hand tremors, navigation, scrolling and other finger movements. Behavioral biometrics are also considered an inherence factor under PSD2 requirements. Because human behavior is invisible and passive, it cannot be copied or stolen, and can be used across the digital identity lifecycle to ensure that someone is who they claim to be.

Behavioral biometrics enable the integrity pillar by continuously authenticating users from login to logout. Because 100% of fraud occurs in authenticated sessions, a solution that ensures there is no account takeover after a user logs in is the only way to ensure that a transaction is conducted by an authorized user. In addition to matching user profiles, behavioral biometrics recognize the presence of human fraudsters, bots, malware, and other sophisticated social engineering attacks in mobile and web applications.

Finally, behavioral biometrics enable the communication pillar by working directly with a company’s existing tech stack. At any point in a transaction, the system can produce a risk score to determine whether a session has been intercepted by a takeover or a remote access Trojan (RAT).

Unlike one-time passwords, behavioral biometrics introduce exciting opportunities for banks and financial institutions to meet their customers’ needs, providing smooth in-app experiences that also keep them secure from the latest hacks.

To learn more about alternatives to one-time passwords and the next generation of authentication, watch our webinar “One-Time Passwords: What are the Alternatives?”
