
Frictionless authentication for improving customer journey in digital commerce

Written by Satish Chavan | Oct 25, 2017 11:30:00 AM


ThreatMetrix® suggests that making an authentication method non-intrusive can boost online revenues by 2 to 5 percent. This is welcome news for businesses across the globe, as hyper-competition has eaten into profits in almost every industry. But the question is, will customers and merchants adopt such authentication for the sake of customer experience? Probably, yes. The world is preparing itself for frictionless authentication.

  • Attempts are being made
We have already seen a few real-world experiments, though none is fully functional at global scale yet. Remember Amazon Go, where users are not required to check out: just carry the Amazon Go app while entering the store and walk out without checking out. You are not authenticated at the payment level. The experience is amazing: it saves time for customers and relieves sales staff of manually swiping cards or punching in details.

  • How do you carry the same experience online?
Profiling the customer is not that easy in the online world. It’s no surprise that fraudulent transactions are more likely in the online world than in the physical world.

Money is a serious issue for regulators, and they are imposing strict rules for authentication. Before a transaction happens, governments and merchants want to be sure that you are who you claim to be. The proven method for strict customer authentication is making two of these three things mandatory before the transaction happens: (a) Knowledge: password or PIN; (b) Possession: card, token or authentication device; (c) Inherence: fingerprint, voice recognition or iris scan. But putting this in the way of checkout is going to make the process longer, slower and less enjoyable. In short, compliance is going to impact convenience.

  • Transaction risk level and profile trust value
However, this doesn’t mean that there can’t be such a thing as ‘frictionless authentication’. It would require a strong contextual risk assessment tool to function at high trust levels. For transactions of a low-risk nature, authentication can be minimal to non-existent. A system can take cues ranging from factors within the system (usage pattern, location etc.) to factors outside the system (device, wi-fi network etc.) to create a risk profile for the transaction in real time. For example, if a user is checking his bank account from a verified mobile number, on the home wi-fi network, in the early morning, then it can be treated as a low-risk transaction. The bank wouldn’t mind showing the user his or her account status because the transaction is low-risk and made by a high-trust profile.

Low-risk transactions from high-trust profiles can be authenticated without further action, while high-risk transactions from low-trust profiles would need a thorough evaluation of identity.

  • Risk rate parameters on merchant side
PISPs (Payment Initiation Service Providers), introduced by PSD2, have been given some relaxations for authenticating payments based on the above-mentioned logic. The European Banking Association (EBA) has permitted payment service providers to skip the strong customer authentication process for certain transactions. Such transactions include contactless payments at PoS, low-value transactions such as parking tickets, payments to a trusted beneficiary etc. However, if any of the risk rate parameter checks indicates fraud, then such transactions would also call for strong customer authentication or rejection of the transaction.
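The trust/risk decision from the previous section, the exemption override described here, and the two-of-three factor rule can be sketched as one small policy function. This is an added example, not code from the article or from any payment provider; the signal names, point weights, thresholds, transaction labels and the step-up/reject split are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed signal weights and threshold, for illustration only.
TRUST_POINTS = {"verified_mobile": 40, "home_wifi": 30,
                "known_device": 20, "usual_hours": 10}
HIGH_TRUST = 70
# Low-risk transaction kinds named in the article (labels are hypothetical).
LOW_RISK_KINDS = {"view_balance", "contactless_pos", "low_value",
                  "trusted_beneficiary"}
# Factor -> category, following the knowledge/possession/inherence model.
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "card": "possession", "token": "possession",
                   "fingerprint": "inherence", "voice": "inherence"}

@dataclass(frozen=True)
class Request:
    kind: str                        # transaction label, e.g. "transfer"
    signals: frozenset = frozenset() # contextual signals observed
    fraud_indicators: int = 0        # failed risk-rate parameter checks

def trust_score(req: Request) -> int:
    """Sum the points of every recognised contextual signal."""
    return sum(TRUST_POINTS.get(s, 0) for s in req.signals)

def decide(req: Request) -> str:
    """Return 'frictionless', 'step_up' (strong auth) or 'reject'."""
    trust = trust_score(req)
    if req.fraud_indicators:
        # A fraud indication cancels any exemption. Assumed split: one
        # indicator on a high-trust profile steps up, anything else rejects.
        if trust >= HIGH_TRUST and req.fraud_indicators == 1:
            return "step_up"
        return "reject"
    if req.kind in LOW_RISK_KINDS and trust >= HIGH_TRUST:
        return "frictionless"
    # Everything else goes through strong customer authentication.
    return "step_up"

def sca_satisfied(factors) -> bool:
    """Strong auth needs factors from two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2
```

Note that a password plus a PIN does not pass `sca_satisfied`, since both are knowledge factors.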

  • Behavioral biometric on user side
Behavioral biometric technology is going to help further in authenticating users in non-intrusive ways. It analyzes how customers use their devices, using more than 100 behavioral parameters such as angle, pressure, speed, size and patterns, to continuously authenticate customers. Such technology would immediately flag non-human behavior, highlighting and curbing suspicious activity before fraud occurs, because automated brute force attacks, account takeover, and targeted attacks bear very strong ‘digital’ behavioral characteristics. Such systems, when coupled with middleware solutions in mobile devices, can create another level of protection on the user side.

To summarize, frictionless authentication is no longer just a fancy term. Efforts are being made from all sides to make the customer journey more enjoyable and secure at the same time.