
How AI and Machine Learning are Changing MFA?

The multi-factor authentication market is experiencing new dynamics. For the last 15 years, strong authentication was not a top-of-mind concern for organizations and was mainly based on hardware tokens generating one-time passwords (OTPs), temporary 6- or 8-digit passwords. The user was required to first generate an OTP on his token and then copy/paste it into his online portal. This was essentially two-factor authentication: “something you know” and “something you have.” Later on, in 2013, Apple released its first integrated mobile biometry solution, TouchID, adding a new factor to the authentication process: “something you are.” As a result, the market started migrating toward multi-factor authentication (MFA) with an increased focus on user convenience by leveraging the mobile platform.

Today, we see a new market shift toward a new type of authentication driven by data intelligence. Multiple trends are pushing this forward:

Cyber-attacks are growing in number and in complexity

Moving to mobile has increased the attack surface. Mobile devices are less protected while being always connected. End-users are also changing their habits: they like to be mobile and make extensive use of Wi-Fi networks, which often prove to be insecure. Hackers are using advanced tools, such as artificial intelligence and machine learning, and are attacking at different levels to get around the protection deployed by organizations. Therefore, making sure the user is who he claims to be (authenticating the user) is critical, as is making sure the user’s environment is safe.

Multi-factor authentication on its own is not sufficient anymore

Strong authentication has no value on a device that is compromised, or when the communication channel between the authentication device and the server can be spied on because it is improperly protected. So, in order to ensure genuine multi-factor authentication, organizations are expected to protect the full environment.

Some of the recent regulations requiring multi-factor authentication are now adding new requirements for transaction monitoring mechanisms such as threat and fraud detection services. For example, the Payment Service Directive 2 (PSD2) in Europe asks for Strong Customer Authentication but also for transaction monitoring mechanisms. In a similar way, the 3D Secure 2 protocol and the New York state regulation for financial institutions (23 NYCRR 500) talk about Risk-Based Authentication.

Traditional multi-factor authentication market is under a lot of pressure

New, nimble companies are proposing authentication services that are easy to set up and easy to use for any organization willing to increase the security level of its end-users. The FIDO Alliance, which has historically been pushed by Google and PayPal, is defining a new, simple-to-use authentication protocol. Traditional IAM companies providing adjacent functionalities (SSO, Identity Management, …) are also now offering multi-factor authentication methods for almost no additional cost. Authentication in this context has become a commodity, in a market where providing benefit will require offering new premium services with enhanced security and an intuitive user experience based on data analytics, machine learning and AI.

Mobile biometry is rapidly adopted by the end-users

It creates a perception that passwords are no longer required and that it is safe. But very few know that mobile biometry is about convenience, not about security. Indeed, it’s easier to smile at a phone or to put a finger on the sensor than to type a password or even enter a PIN code. For user convenience, the threshold for validating the user on mobile fingerprint readers or mobile face recognition solutions is low, which has a negative impact on security. But the end-users love it. Consequently, it is increasingly adopted as a factor in the context of multi-factor authentication, which requires organizations to increase security in the background to make sure this does not affect the overall level of security of their authentication process.

Last, but not least, users are getting used to consumer-centric services that are easy to use and very intuitive. Therefore, they are less and less willing to accept a cumbersome user experience for the sake of security.

Data intelligence advanced authentication

It is not only the user that needs to be authenticated and protected; it is also the user’s browser and device, the application he is using and the transaction he is doing (transferring money, adding a beneficiary, asking for a new loan, etc.). This is shaping the new paradigm of the authentication solution market. It is building a new data-intelligence-driven authentication market where multi-factor authentication is based on machine learning and artificial intelligence. The analysis of the user’s environment via the monitoring of hundreds of parameters allows organizations to score the transaction risk level and choose the appropriate level of authentication. It offers superior security with an elevated user experience but also has a positive impact on reducing operational costs and potential fraud. More importantly, it is future-proofed thanks to its dynamic system which leverages machine learning and can adapt to the continuously evolving fraud
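The risk-scoring step described above, as an added example (not code from the article or from any product): a few constructed signals stand in for the monitored parameters, and fixed weights stand in for a learned model. All field names, weights and thresholds are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    SILENT = 0              # no extra prompt
    BIOMETRIC = 1           # convenience factor (fingerprint / face)
    BIOMETRIC_PLUS_PIN = 2  # step-up: add a knowledge factor
    DENY = 3                # refuse on this device


@dataclass
class Context:
    device_integrity_ok: bool   # False if the device looks compromised
    known_device: bool          # device previously enrolled by this user
    trusted_network: bool       # False for e.g. open public Wi-Fi
    transaction: str            # operation being authorised
    amount: float = 0.0
    usual_max_amount: float = 0.0


# Assumed base risk per operation (the article names transfers,
# new beneficiaries and loans; "view_balance" is a constructed low-risk case).
BASE_RISK = {"view_balance": 0, "transfer": 20, "add_beneficiary": 35, "new_loan": 40}


def risk_score(ctx: Context) -> int:
    score = BASE_RISK.get(ctx.transaction, 40)  # unknown operation: treat as high risk
    if not ctx.known_device:
        score += 25
    if not ctx.trusted_network:
        score += 15
    if ctx.transaction == "transfer" and ctx.amount > ctx.usual_max_amount:
        score += 20  # amount outside the user's usual range
    return min(score, 100)


def required_auth(ctx: Context) -> AuthLevel:
    # A compromised device voids any factor entered on it, so fail closed
    # before scoring rather than asking for "more" authentication.
    if not ctx.device_integrity_ok:
        return AuthLevel.DENY
    score = risk_score(ctx)
    if score < 20:
        return AuthLevel.SILENT
    if score < 50:
        return AuthLevel.BIOMETRIC
    return AuthLevel.BIOMETRIC_PLUS_PIN
```

The low-threshold biometric alone is only accepted in the middle band; anything scored 50 or above adds a second factor, which is the background compensation the biometry section calls for.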




Olivier Thirion De Briel
