Account takeovers can cost both businesses and customers money. How can companies verify user identities without causing CX pain points?
According to Javelin Research’s annual report “Identity Fraud Study: The Virtual Battleground,” account takeovers grew 90% from 2020 to 2021, growing to an estimated $11.4 billion in losses (roughly a quarter of all identity fraud losses that year).
An account takeover occurs when a hacker gains unauthorized access to a compromised account. The purpose is to gain access to the data associated with that account such as names, addresses, emails and even banking information.
From a business perspective, account takeovers are making authentication a bigger problem than ever. Authenticating or verifying the identity of users ensures products and refunds go to the right people. But creating too many verification hoops for customers to jump through could mean losing them to the competition.
For example, customers do not want to re-authenticate their identities during interactions that are transferring from a bot to a human or from a bot to another bot. They want a simple, no-fuss experience.
Consider the four ideas below if you want to authenticate customers with relatively little friction.
1. In-Journey Authentication
Organizations looking to strategically balance security and customer experience should look at authentication, said Christopher Schnieper, senior director of fraud and identity at LexisNexis.
They should also understand the risks of the customer journey, he added, “which can range from checking account balances to making infrequent high-value purchases.”
Schnieper added that companies should put the authentication function where the consumer is on the journey.
“An example of this would be app-based authentication when the consumer is in the company’s app. Alternatively, the organization could use text-based authentication when the consumer is using a mobile web browser. This allows a business to tailor the interaction with the right level of friction for each consumer and risk of each transaction.”
According to Schnieper, businesses can use a returning customer’s digital footprint to determine the device used — mobile, laptop, desktop. You can also use details like IP address, device usage time, or email address associated with identity to reduce authentication issues when someone logs in.
2. Call Risk Assessment
Phone companies collect large amounts of metadata from phone calls, including:
- Type of phone (smartphone, VOIP, landline)
- The phone numbers you call
- The duration of the calls
- Your location
That information, when combined with AI, can provide basic authentication, said Dan Raup, Verint senior director, strategic business development. Under this system, each interaction is flagged green, yellow, or red, with a green flag only requiring an additional authentication factor, such as the last four digits of an account. Yellow requires two additional factors, and red requires several more or is rejected.
Call Risk Assessment also uses STIR/SHAKEN authentication standards to provide a secure way of verifying caller ID. The Federal Communications Commission requires most phone providers to adhere to these standards to quell the onslaught of spam robocalls, particularly from overseas locations.
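The green/yellow/red flagging described above can be sketched as a small scoring policy. This is an added example, not Verint's system or code from the article: the weights, thresholds, the red-tier factor count and the reject cutoff are all assumptions, and the sample calls are constructed. The STIR/SHAKEN attestation levels (A = full, B = partial, C = gateway) come from the standard itself.

```python
from dataclasses import dataclass
from typing import Optional

# All weights and thresholds below are assumptions for illustration.
PHONE_TYPE_RISK = {"landline": 0, "smartphone": 1, "voip": 3}
# STIR/SHAKEN attestation: A = full, B = partial, C = gateway, None = unsigned.
ATTESTATION_RISK = {"A": 0, "B": 2, "C": 4, None: 5}
# Green = one extra factor, yellow = two (per the article); red count is assumed.
EXTRA_FACTORS = {"green": 1, "yellow": 2, "red": 4}
REJECT_AT = 10  # assumed score at which a red call is rejected outright

@dataclass(frozen=True)
class Call:
    phone_type: str
    attestation: Optional[str]
    number_on_file: bool   # caller ID matches a number on the account
    usual_location: bool   # location matches the customer's history

@dataclass(frozen=True)
class Decision:
    tier: str
    extra_factors: int
    reject: bool

def risk_score(call: Call) -> int:
    # Unknown phone types and attestation values get the worst-case weight.
    score = PHONE_TYPE_RISK.get(call.phone_type, 3)
    score += ATTESTATION_RISK.get(call.attestation, 5)
    score += 0 if call.number_on_file else 3
    score += 0 if call.usual_location else 2
    return score

def decide(call: Call) -> Decision:
    score = risk_score(call)
    if score >= REJECT_AT:
        return Decision("red", 0, True)
    tier = "green" if score <= 2 else "yellow" if score <= 6 else "red"
    return Decision(tier, EXTRA_FACTORS[tier], False)

# Constructed sample calls, not real data.
SAMPLE_CALLS = {
    "known_mobile": Call("smartphone", "A", True, True),
    "travelling": Call("smartphone", "B", True, False),
    "new_voip": Call("voip", "B", False, True),
    "unsigned_voip": Call("voip", None, False, False),
}

if __name__ == "__main__":
    for name, call in SAMPLE_CALLS.items():
        print(name, risk_score(call), decide(call))
```
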
3. Voice Biometrics
Companies haven’t done well with authentication expectations, according to Dan Spohrer, vice president of product strategy at Verint.
According to Spohrer, companies should adapt the authentication levels to the value of the transaction. For example, a $10 transaction might only require a simple verification, while a larger transaction would require multiple factors.
However, there are ways that organizations can obtain multiple forms of authentication with relatively little effort, such as voice verification. “There are two basic types of voice verification,” Spohrer said. “Active voice verification requires you to say a specific phrase like ‘My voice is my password.’ With passive verification, you can just start speaking and then it authenticates [or doesn’t authenticate] you in a few seconds.”
Active voice biometrics is a slightly more intrusive customer experience, Spohrer said, because it prompts the caller to repeat a specific phrase.
Both types of voice biometrics require the customer to enroll in the company’s voice authentication program. When they say their password into the phone for the first time or speak randomly, a voiceprint is created for future verification purposes.
4. Behavioral Biometrics
“The balance between risk management and optimal customer experience is difficult to strike, and the risks are great,” said Raj Dasgupta, director of fraud strategy at BioCatch.
“Everyone has experienced declined transactions, strengthened authentication like SMS verification codes, phone notifications, and being put on hold to speak to an agent. While customers generally understand the purpose of this inconvenience, they can often be frustrated by individual circumstances.”
Behavioral biometrics uses machine learning algorithms to analyze users’ physical and cognitive behaviors across digital channels, Dasgupta said. The model examines real-time physical interactions such as keystrokes, mouse movements, swipes and taps, looking for behavioral anomalies and patterns associated with genuine and fraudulent activities.
“Continuous authentication using behavioral biometrics is like a superhighway to authentication,” added Dasgupta. “Enterprises can make smarter decisions about when to adopt step-up authentication, resulting in seamless customer experiences. Continuous behavior-based authentication means fewer false fraud alerts and the ability to reserve additional authentication only for really high-risk situations.”
Final Thoughts
While companies use various methods to uniquely authenticate users, everyone agrees: simple PINs or passwords no longer offer sufficient protection. And while most account holders don’t mind additional authentication, methods that seriously delay interactions can push them to competitors with simpler — yet secure — options.