What is Cryptographic Authentication and Why Are Leading Companies Moving Away from Risk-Based Authentication?
As fraud continues to rise and customer expectations for frictionless experiences continue to increase, more and more companies are upgrading outdated risk-based identity authentication technology to more advanced methods such as cryptographic authentication. In this blog post, we’ll explain what cryptographic authentication is and how it is making customer experiences faster and easier while also mitigating more fraud. If you are already familiar with the basics of cryptographic authentication, feel free to skip ahead to the “What is Risk-Based Authentication and Why is Cryptographic Authentication Better?” section or the proof points section at the end of this post.
What is Cryptographic Authentication?
Cryptographic authentication (AKA key-based authentication) allows relying parties (financial institutions, companies, and governments) to trust that the data asserted by users during authentication and verification events is actually true by leveraging cryptography as the source of truth.
Cryptography refers to the science of writing or solving codes. Encryption, “the application of cryptography,” is “the process of converting plain text into a cipher, which can’t be figured out without a key.” Think of the phone number (more specifically, the unique serial number found on every SIM card) as the key used to unlock the encrypted data contained in Prove’s tokens.
What is Risk-Based Authentication and Why is Cryptographic Authentication Better?
Risk-based authentication (RBA) utilizes machine learning techniques and data to assess the level of risk behind a particular transaction. In short, it uses data from past behavior to predict future behavior. Today, risk-based authentication is the predominant way companies determine whether or not an authentication event or transaction is legitimate or should be flagged.
While RBA has grown more sophisticated by incorporating more advanced machine learning techniques to analyze new types of data (IP addresses, historical transaction velocities, and consumer spend profile), it suffers from a fatal flaw: regardless of how sophisticated the machine learning tools are, they are susceptible to inaccurate data sources which can lead to inaccurate predictions.
If Risk-Based Authentication (RBA) has grown more sophisticated, why is fraud increasing?
First, some context. As more transactions become digital, there will be both a greater volume of transactions and a larger pool of money in aggregate that is at risk of fraud. The shift toward digital transactions as the primary way of conducting business gives bad actors both more opportunities and greater incentives. After congress raced to make hundreds of billions of dollars’ worth of Pandemic Unemployment Assistance payments available, for example, fraudsters quickly followed suit and siphoned off an estimated $87 billion.
That being said, the limitations of risk-based authentication are also contributing significantly to the rising rates of fraud. The Achilles heel of RBA can best be summarized by an old computer science adage: garbage in, garbage out.
Imagine you are pulling your credit score. In order to pull a credit score, you need to present personally identifiable information (PII) that, in theory, only you should know (your SSN, for example). Unfortunately, we live in a digital environment where PII is easy to access as a result of large and frequent data breaches. Once a fraudster has your data, they can pull your credit report and even add fake data to your various online credit profiles, creating a synthetic identity without your knowledge. RBAs will then analyze these synthetic identities (garbage in) and make inaccurate risk-based assessments (garbage out).
Why is Cryptographic Authentication Better?
Cryptographic authentication is needed to ensure that the data fed into machine-learning systems is tied to the consumer and not a bad actor.
Prove accomplishes this by ensuring that the identity of the consumer is cryptographically authenticated prior to trusting the information that is submitted. We do this using a variety of methods – for example, by requiring the consumer to prove possession of a known phone number. By running a possession check, Prove implicitly links the consumer’s SIM card’s authentication to the cellular network to ensure the company is talking to the right person.
To use the credit score example again, Prove can easily stop the bad actor from pulling a victim's credit score even if the bad actor knows all the relevant information about the victim. This is achieved by forcing an authentication to a known cryptographic key (such as a phone number) into the transaction flow. This is the reason Prove has focused significantly on phones and phone numbers as a means of authentication. However, this overall approach is not limited to phones or phone numbers but rather the usage of a cryptographic key tied to a person.
What are the benefits of leveraging the mobile phone to conduct cryptographic authentication?
Phone-Centric Identity™, also known as Mobile Identity, Device Intelligence, or Phone Intelligence, refers to technology that leverages and analyzes mobile, telecom, and other signals for the purposes of identity verification, identity authentication, and fraud prevention. It’s key to conducting cryptographic authentication.
Phone-Centric Identity™ relies on billions of signals from authoritative sources pulled in real-time, making it a powerful proxy for digital identity and trust. If you think about how many people have mobile phones, how long they have had them, and how often they use them, it’s clear why Phone-Centric Identity signals are highly correlated with identity and trustworthiness.
The above chart from a McKinsey report entitled “Fighting Back Against Synthetic Identity Fraud” shows that profiles with higher depth (how far back the data goes) and consistency (how often the same data is seen) had a lower risk of being fraudulent. Phone-Centric Identity™ signals—which include phone line tenure; phone behavior such as calls, texts, logins, and ad views; phone line change events as ports, snap-backs, true disconnects, and phone number changes; phone number account takeovers such as SIM swaps; and velocity and behavior of change events—are both high-depth and high-consistency.
For example, Phone-Centric Identity™ signals for a given consumer typically go back many years (high-depth), given that most consumers now open phone accounts at a relatively young age. In fact, 50% of 11-year-olds now have a phone number (Source: The Common Sense Census: Media Use by Tweens and Teens). In terms of consistency, Phone-Centric Identity™ signals provide one of the best views into whether a consumer’s activity is inconsistent with their regular activity, signaling potentially suspicious behavior.
This stands in stark contrast to social security numbers or passwords, which can be easily purchased on the dark web by hackers and used to break into a consumer’s account. In order to break Phone-Centric Identity™-based verification and authentication, a fraudster would need to buy a phone in the victim’s name, pay for it for years, and use it to make calls and log into apps every day to mimic the victim’s behavior. While this is possible, it certainly isn’t scalable or worth most criminals’ time.
The Unique “Possession” Factor
Phone-Centric Identity™ also uniquely utilizes the mobile device as a “what you have” factor that companies can use to deterministically say whether they are interacting with their customer or not. This check, often referred to as a “possession” check, returns a binary result as opposed to a probabilistic score. By understanding whether a consumer is in physical possession of their mobile device or not, Phone-Centric Identity™ technology can return a yes or no answer about whether a company is interacting with their customer or someone else.
Enhanced Customer Experience and Privacy
Phones also have built-in, passive authentication, encryption, and privacy. By applying Phone-Centric Identity™ technology to web, app, mobile, chat, call center, and even in-person interactions, companies can give their customers a safer, easier, and faster experience. The consumer does not need to download a separate app or purchase a physical hardware token to authenticate themselves, and the process can often take place invisibly and seamlessly through their existing mobile device.
Opening new accounts, logging in, resetting passwords, moving money, or calling a contact center for support can all feel as effortless as sending a text or making a phone call. Contrast that feeling to the one your customers experience when they need to answer security questions or fumble with easy-to-forget passwords, and it’s easy to see why Phone-Centric Identity™/Mobile Identity is becoming the modern and preferred way to prove identity.
Growth and Influence of Phone-Centric Identity™
Phone-Centric Identity™ and Mobile Identity/Device Intelligence are rapidly becoming the technology of choice for companies looking to verify and authenticate their customers in a secure fashion that does not hinder the customer experience. One World Identity (OWI) highlighted this space as highly influential in its January webinar on the 2021 Digital Identity Landscape:
“We’re seeing that become more and more relevant,” said Cameron D’Ambrosi, Managing Director of OWI. “Being able to rely on that device as a proxy for a human—especially a mobile device—because how many of us are attached at the hip to our smartphones all day every day? Both in terms of the velocity of those data attributes that we’re feeding into the digital identity ecosystem—making those extremely valuable—and the fact that when you lose your device or it’s stolen or taken over maliciously, you are probably going to recognize that very, very quickly as a consumer. And that makes this tremendously useful especially for these fraud and risk use cases.”
Later in the webinar, OWI specifically highlights Prove as a leader in the Mobile Identity and Device Intelligence space. Watch the whole webinar here.
How Phone-Centric Identity™ Works: 3 Checks Companies Should Be Using to Fortify Their Identity Verification & Authentication
While the signals that Phone-Centric Identity™ analyzes are complex, the concept is quite simple and boils down to three factors: Possession, Reputation, and Ownership:
- Possession answers the question: Is this customer in possession of the phone? Knowing that someone is in possession of a phone at the precise moment of a potential transaction helps identify someone regardless of the transaction channel and helps ensure the customer is indeed on the other end of an interaction.
- Reputation answers the question: Are there risky changes or suspicious behaviors associated with the phone number? Typically, people have had the same phone number for a long time and upgrade phones only every few years. Compare that to a burner phone, or a phone that underwent a SIM swap, or a phone number that was just registered. These activities lower the reputation of the phone itself, which allows companies to flag the phone regardless of the customer activity.
Ownership answers the question: Is the customer associated with the phone number? It is crucial to associate a phone number with a person when confirming that the customer is in possession of the phone. Otherwise, the wrong person may be verified. This means knowing when a customer truly gets a new phone number or knowing that phone number is still associated with a person even if they switch carriers.
Proof Points: How Prove’s cryptographic authentication model enabled a leading card issuer to significant uplift in revenue, reduced fraud, and a streamlined experience.
When companies adopt Prove’s cryptographic authentication, pass rates for legitimate customers increase while fraud decreases significantly.
The graphs that follow are based on the analysis of nearly 200,000 customer transactions from January to April 2021 and 1,000+ fraudulent transactions from June 2019 to June 2021.
When holding the acceptable fraud rate at 3.3 basis points (bps) or 3.3 fraud occurrences out of 10,000 transactions, Prove’s combination of cryptography and Machine Learning is expected to provide an 92% pass rate versus the 77% achieved by RBA alone. One financial services company that implemented Prove’s cryptographic authentication model commented:
"With the help of Prove's cryptographic authentication model, Synchrony has achieved a substantial increase in approved accounts, through higher completion and approval rates, with only a fraction of the fraud, when compared to our legacy approach. Importantly, Prove has contributed to a more streamlined customer experience, reduced fraud and provided a significant uplift in revenue."
- Mylene Pedone, SVP of Digital Credit & Authentication at Synchrony
The next graph shows the fraud capture rate versus the review rate as an alternative way of illustrating the power of adding machine learning to cryptography. It shows that within the 10% riskiest portion of the population, Prove’s model can capture 57% of the fraud versus the RBA’s 45%.
As illustrated by the graphs, cryptographic authentication provides companies with a smarter way to calculate risk and prevent fraud.
Interested in learning more about how cryptographic authentication can help you reduce your company’s fraud rates while boosting pass rates? Contact us to speak with an expert.
Keep reading
Developers know identity verification is an essential element of effective digital onboarding and the customer lifecycle. Choosing the right one can feel like navigating a maze of features and complexity.
In an age where our smartphones have become almost like extensions of ourselves, the identity assurance achieved through smartphone possession and data is a natural evolution.
Rodger Desai, CEO of Prove, a leading identity verification solution provider, offers a unique perspective on the rising fraud in the gig economy, advocating for robust digital identity verification as a key defense mechanism.