Risk Based Authentication (RBA) in eCommerce

Risk based authentication (RBA) in eCommerce payment processes aims to prevent checkout friction and combat fraud.

Patrick Drexler

VP of DACH and Friendly Fraud

22 December 2021


4 min read

When eCommerce customers commit to a checkout payment process, both they and merchants wish to have peace of mind that everything can and will run as smoothly as possible. Prevent fraud. Ensure a smooth customer UX. These are a simple set of steps for a merchant to ensure all goes well - but what mechanisms work in the background to ensure a safe and frictionless transaction? A lot goes on, including the triggering of risk based authentication (RBA) principles, but undoubtedly this is where behavioral biometrics and machine learning (ML) models prove their weight in gold.

Risk based authentication - what is it and when is it triggered?

RBA can be interpreted as an extra set of prompts that work in the background of 3DS2 (3D Secure 2.0 for authenticating credit card payments). It acts like an exemption to prevent repetitive authentication measures per transaction, with such measures only triggered if RBA determines that a transaction poses a medium to high risk of fraud. In other words, if the current transaction shows irregular or suspicious activities and behaviours different to those in a user’s account payment history, additional verification will be necessary. For the transaction to proceed, multi-factor authentication is required. But this is where advanced fraud solutions can aid a smooth process, negating the need for invasive authentication as ML-backed fraud solutions incorporate digital fingerprinting and behavioral biometrics that can effectively perform 3-factor authentication in a non-invasive manner.

With so many rules and regulations in place (the EU’s PSD2, payment services directive 2.0) and payment security protocols being updated in 3DS2 to limit global fraud cases and protect customer details, it can be difficult for merchants to find the perfect solution to ensure their fraud management systems adhere to all requirements and live up to customer expectations for a quick and easy payment process. But we are at least heading in the right direction with a number of key initiatives.

The EU’s PSD2 TRA and 3DS2 RBA go hand-in-hand

Both 3DS2’s RBA and PSD2’s TRA (transaction risk analysis) offer very similar exemptions for transactions that are deemed low-risk. The aim is to prevent frequent customers from having to repeatedly go through invasive 2FA (two-factor authentication) procedures for low-value goods. To manually verify payments each time would cause unnecessary friction and potential loss of custom through checkout abandonment.

The principle of multi-factor authentication (or SCA, strong customer authentication) exemptions are offered only when the following criteria are met:

  • The value of the item being purchased is low (usually below $30).
  • A merchant has been flagged as a trusted beneficiary by the cardholder.
  • Shopping behaviors and spending amounts remain similar to previous transactions.
  • Has the payer’s hardware/software changed since the last transaction?
  • Is the user’s location high risk?

Biometric analysis is effective for multi-factor authentication

What happens then in the case of RBA (and the TRA) if irregular behaviors are detected? This is where multi-factor authentication will be required. But doesn’t this go against the principles of mitigating friction and the desire to deliver a frictionless experience? It is at this point that the power of advanced fraud solutions that deploy digital fingerprinting and behavioral biometrics all backed up by ML models help to ensure a frictionless payment process without cutting back on any security measures. Such solutions meet all the requirements to identify potential fraud risks and can act as a non-invasive form of adaptive authentication, unseen by the customer. All this without the need to answer time-consuming security questions and complete invasive authentication processes.

Specifically, multi-factor authentication is performed by such solutions automatically, verifying a user as a person, their device and behavior, all using digital fingerprinting and behavioral biometrics (meeting the requirements for verifying something the user knows, has and is). Verifying thousands of pieces of data in real time is far more effective than relying on rules-based fraud prevention that can be overcome by determined cybercriminals. The additional benefit to customers is that they will not have to complete 2FA (including any annoying CAPTCHAs).

We have written extensively about how to best ensure frictionless checkout experiences using the latest Fintech, all of which you can learn more about from our How to reduce SCA checkout friction in eCommerce White Paper and blog post.

If you are interested in how risk based authentication can improve your payment and transactions process, then implementing an advanced fraud solution with frictionless customer UX is the perfect answer. Let us show you how over a call.

Ready to detect fraud just like Azul?

Ready to detect fraud just like Azul?

Start measuring fraud attacks today and find out if there are bots attacking your site. Arrange a call to discuss a tailored solution or explore our platform for free.

Book a call