The user experience should be frictionless – modern technology gives us tools for that, and users' growing expectations also demand it (together with safety as the priority factor), especially when it comes to online transactions. But some players decided to comply with PSD2 by introducing more friction. Fortunately, the PSD2 directive can be implemented in a more effective way, thanks to behavioural biometry.
Reducing friction to zero is one of the most important goals of all the players in the online payments world – next to ensuring the highest possible safety standards. At the very start of each cooperation with a new company, the very first question I get is “do the profiling tools impact the UX?”. It has huge importance for the business, as less friction translates directly into better conversion rates.
PSD2 introduced SCA (Strong Consumer Authentication) to all EU countries. As one of its goals is to minimize online payment fraud, it requires two-stage transaction authorizations. As usual when securing any authorization, it relates to 3 factors – knowing, having and being. The first of them is Knowledge – something the user knows, like a password or PIN. The second one is Possession – something the user owns, for example a security chip embedded into a device, a hardware or software token, etc. The third element is Inherence – something the user is. It includes such items as fingerprint scanning, voice recognition, hand and face geometry, retina and iris scanning, keystroke dynamics, mouse or touchpad movements and many more.
While SCA raises online security to a new level, some players implement it in a way that fills the whole transaction process with friction. Two-factor authentication means that one more element was added to the standard transaction process, which made it longer and more problematic for customers. More friction affects the user experience badly. Meeting obstacles while paying can make many customers abandon the transaction. As a result, merchants may see lower conversion rates, and dissatisfied customers will start looking for competitors who won’t cause any problems with payments and will simultaneously offer the same security levels or even better. Those will be the companies that choose partners who take care of the user identity authentication process by leveraging elements of passive behavioural biometrics.
Can SCA be frictionless and secure at the same time?
SCA can be implemented more effectively, thanks to passive behavioural biometry. It will make the transaction safer and frictionless at the same time.
Passive behavioural biometrics helps to analyse the massive set of individual, physical interactions between the user and his/her device. That includes, among others, keystroke dynamics – detailed timing information describing when each particular key was pressed and released as a user was typing, including such data as flight time (the period between releasing a key and pressing the next one) or dwell time (the duration of a key being pressed). Each one of us behaves differently – we all have our own paths that we follow. As a result, passive behavioural biometrics enables user authentication. This means that you are able to compare the history of how the user was behaving and assign a probability that this instance of behaviour pertains to the same person.
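The dwell-time and flight-time comparison described above can be sketched in a few lines. This is an added example, not code from the original article or from any vendor: it uses a simple scaled Manhattan distance as a stand-in for the trained model, and all function names, the four-key sample text and the timing values are constructed for illustration.

```python
from statistics import mean

def timing_features(events):
    """events: (key, press_ms, release_ms) tuples in typing order."""
    dwell = [release - press for _, press, release in events]
    # Flight can be negative when the next key goes down before the last is released.
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def build_profile(sessions):
    """Per-feature mean and mean absolute deviation over enrolment sessions."""
    columns = list(zip(*(timing_features(s) for s in sessions)))
    means = [mean(col) for col in columns]
    # Floor the spread at 1 ms so a perfectly steady feature cannot divide by zero.
    spreads = [max(mean([abs(v - m) for v in col]), 1.0)
               for col, m in zip(columns, means)]
    return means, spreads

def distance(profile, events):
    """Scaled Manhattan distance: average deviation in units of the user's own spread."""
    means, spreads = profile
    sample = timing_features(events)
    if len(sample) != len(means):
        raise ValueError("sample length differs from the enrolled text")
    return sum(abs(v - m) / s for v, m, s in zip(sample, means, spreads)) / len(sample)

def similarity(profile, events):
    """Map distance to (0, 1]; an uncalibrated score, not a probability."""
    return 1.0 / (1.0 + distance(profile, events))

def session(dwells, flights, keys="pay1"):
    """Build constructed key events from dwell and flight times (ms)."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

# Constructed sample data: three enrolment sessions and two login attempts.
ENROLLED = [session([90, 100, 95, 110], [120, 130, 125]),
            session([94, 104, 91, 106], [124, 126, 129]),
            session([86, 96, 99, 114], [116, 134, 121])]
GENUINE = session([92, 98, 96, 108], [122, 128, 127])
IMPOSTOR = session([60, 70, 65, 75], [200, 220, 210])

if __name__ == "__main__":
    profile = build_profile(ENROLLED)
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(distance(profile, attempt), 2), round(similarity(profile, attempt), 3))
```

In a layered deployment the score would feed a risk decision (for example, step up to an explicit second factor below a threshold) rather than approve or reject a payment on its own.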
Moreover, these data are safe because they are context-specific – they are useless in any other interaction. The whole identification process is the result of a highly trained AI model that is specific to the environment the user interacted with. So, the data itself does not point to a user, and authentication is done through the pairing of data with the model. Fraudsters can't do anything with it without advanced tools. This is quite different from solutions based on the Knowledge and Possession elements of SCA, and even from some solutions from the Inherence element, such as standard behavioural biometrics like fingerprint and iris scan or face recognition (which all allow for user identification).
Soon we should see a much stronger development of this technology, simply because it is becoming more advanced, safer and easier to implement. This is the new quality of fraud prevention. Moreover, it does not cause friction in the transaction process when implemented in the right way. Again, this is unlike the two other elements. It works in real time in the background of the transaction, so it does not affect the authentication process, making it totally user-friendly. For example, there is no need to send an SMS (which also has a positive effect, i.e. for companies in the form of cost reduction connected to sending those messages and analysing in detail the legality of each transaction).
But remember – it’s all about layers
Passive behavioural biometry proves to be a safe and frictionless way of implementing SCA into your business. But it is worth remembering that fighting fraud is an arms race. Fraudsters are continuously developing innovative tools for stealing at a big scale, and their attacks are becoming more sophisticated and harder to track (also due to the changing regulations that by definition raise the bar for them – pushing them into further professionalization). Today, passive behavioural biometry is the newest obstacle for them – a new, game-changing weapon on this battlefield. But it is another layer of support. Passwords, PINs, CVVs, device fingerprints and even standard biometry are nothing new today and are at times compromised by fraudsters, but this does not mean they are useless. Quite the opposite! There are no silver bullets in fraud fighting – it is all about layers and stacking them up in ways that make it too hard for the fraudsters to get in. Passive behavioural biometry is a new layer, added to the previous ones. Therefore, combining these layers into one secure shield is the best path to success in light of SCA regulations – both in security and in the UX area.
This article was published originally on Payments Journal