The MFA and Threat and Fraud Detection Markets are Merging

The multi-factor authentication market is experiencing new dynamics. For the last 15 years, strong authentication was not a top of mind concern for organizations and was mainly based on hardware tokens generating one-time passwords (OTPs), a temporary 6 or 8 digit password. The user was required to first generate an OTP on his token and then copy/paste it into his online portal. It has been pretty much about 2-factor authentication- “something you know” and “something you have.” Later on, in 2013, Apple released its first integrated mobile biometry solution: TouchID, adding a new factor to the authentication process related to the “something you are.” As a result, the market started migrating to multi-factor authentication (MFA) with an increased focus on user convenience by leveraging the mobile platform.

Today, we see a new market shift toward a new type of authentication driven by data intelligence. Multiple trends are pushing this forward:

Cyber-attacks are growing in number and in complexity. Moving to mobile has increased the attack surface. Mobile devices are less protected while being always connected. Also, the end-users are changing their habits and like to be mobile, extensively using Wifi networks that we regularly discover as unsecure (here or there). Hackers are using advanced tools, such as artificial intelligence and machine learning, and are also attacking at different levels to get around the protection deployed by organizations. Therefore, making sure the user is the one he pretends to be (authenticating the user) is critical while making sure the user’s environment is safe.

This means that multi-factor authentication on its own is not sufficient anymore, as there is no value of strong authentication on a device that is hacked or a communication channel used between the authentication device and the server, which is spied due to improper protection. So, in order to ensure genuine multi-factor authentication, organizations have to protect the full environment.

Some of the recent regulations asking for multi-factor authentication are now also asking for transaction monitoring mechanisms -- also called threat and fraud detection services. For example, the Payment Service Directive 2 (PSD2) in Europe is asking for Strong Customer Authentication but also for transaction monitoring mechanism. In a similar way, the 3D Secure 2 protocol and the New-York state regulation for financial institutions (23 NYCRR 500) are talking about Risk-Based Authentication.

Moreover, the traditional multi-factor authentication market is under a lot of pressure. New nimble companies are proposing authentication services easy to setup and easy to use for any organization willing to increase the security level of their end-users. The FIDO Alliance, which is pushed historically by Google and Paypal, is defining a new, simple-to-use authentication protocol. But also traditional IAM companies, providing adjacent functionalities (SSO, Identity Management, …), are now proposing multi-factor authentication options for almost no additional cost. Authentication in this context has become a commodity on a market where providing benefit will require offering new premium services with enhanced security and intuitive user experience based on data analytics, machine learning and AI.

As mentioned earlier, mobile biometry has been very rapidly adopted by the end-users, as it creates a perception that no more password is required and it is safe. But very few know that mobile biometry is about convenience, not about security. Indeed, it’s easier to smile at a phone or to put a finger on the sensor than typing a password or even entering a PIN code. For user convenience, the threshold for validating the user on fingerprint mobile readers or face recognition mobile solutions is low, and it results in a negative impact on security. But the end-users love it. Consequently, it is increasingly adopted as a factor in the context of multi-factor authentication, which requires organizations to increase the security in the background making sure this will not affect the overall level of security of their authentication process.

Last, but not least, users are getting used to consumer centric services that are easy to use and very intuitive. Therefore, they are less and less accepting to have cumbersome user experience for security. The traditional use of the OTP with copy/paste manipulation, even though it has proven its efficiency in term of security, is seen as difficult to use. End users are expecting better solutions with better user experience and no downsize on security.

All those reasons are making the multi-factor authentication solutions in need of additional layers of security. It is not only the user that needs to be authenticated and therefore protected; it is also the browser and the device of the user, the application he is using and also the transaction he is doing (transferring money, adding a beneficiary, asking for a new loan, etc.). This is shaping the new paradigm of the authentication solution market. It results in the merging of the multi-factor authentication market with the machine learning and artificial intelligence one, building the new data intelligence authentication market. The analysis of the user’s environment via the monitoring of hundreds of parameters allows scoring the risk of the transaction and then choosing the right level of authentication. It offers better security with an optimized user experience but also has a positive impact on reducing operational costs and potential fraud. Moreover, perhaps most importantly, it is future-proofed, as it’s a dynamic system that adapts to the evolving frauds; it is learning.

That is why HID Global’s IAM Solutions business always proposes the best security while always thinking about the user first, is embracing this machine learning and AI trend by launching the HID Risk Management Solution. HID Risk Management Solution Integrated with HID multi-factor authentication solution, allows customer to deploy risk-based advanced authentication for their end-users.