Combining high security and ease of use: a challenge for authentication in the digital world


Today, with the upsurge in cyber attacks, securing and protecting access to data and applications has become a central concern in the digital world.

For e-commerce, as for all services and applications aimed at consumers, the main attack vector used by cyber criminals is identity theft, through the recovery or theft of credentials, compounded by authentication procedures that are too weak.

To remedy this, multi-factor authentication (MFA) has gradually established itself, supplementing the sacrosanct password with one or even two additional authentication factors. Alas, cyber criminals keep adapting to this strategy, making their impersonation tactics ever more sophisticated.

As a result, companies offering digital services face a dilemma more than ever: how to offer their customers an ever higher level of security, protecting them against increasingly sophisticated fraud mechanisms, while avoiding an authentication process so restrictive that it drives consumers to change provider.

Three main advantages

To respond to this dilemma, several technological innovations have emerged that combine security and fluidity for the consumer. These innovations provide authentication solutions with three main advantages.

They adapt to and optimize all use cases, new and old, while respecting the principle of multi-factor authentication adopted by the most recent regulations: require at least two of the following three categories of authentication factor: a knowledge factor, for example a password; a possession factor, for example a mobile device; and a factor inherent to the individual, for example a fingerprint.

In the most common and practical case for the customer, given that the vast majority of consumers have a smartphone, they integrate natively via an API into an existing mobile application, sparing the user from downloading an additional app.

Having previously registered their smartphone as a trusted device, the consumer receives, following an access request, a push notification in the mobile application, which can ask them to authenticate via a fingerprint reading, for example.

This process can be used not only to authenticate on the web but also to approve a transaction or confirm one's identity when contacting customer service.

However, for consumers who have not downloaded the provider’s mobile app or do not have a smartphone, other authentication factors may be used, such as replying to an email message or receiving a code by SMS.

They adapt automatically to the level of risk. To optimize the user experience and reduce friction to the strict minimum during authentication, they make a high level of security visible only when necessary, for example when customers access certain applications or perform high-risk or high-value transactions. Thanks to permanent analysis of the context of the access request and of the level of risk, based on various signals (IP address used, access history, etc.), they determine the necessary level of authentication case by case. By requiring MFA only selectively, the service provider can eliminate the highest risks with minimal impact on the customer experience.
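As an added illustration of the risk-based step-up logic described above (example code written for this page, not any vendor's implementation), the following policy scores an access request from the signals the article names, namely the device, the network the request comes from and the value of the action, and decides whether to stay silent, send a push to the enrolled app, or fall back to SMS and e-mail when no app is enrolled. The thresholds, signal weights and factor names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class AccessContext:
    """One access request as seen by the authentication service."""
    user: str
    device_id: str   # identifier of the device making the request
    ip: str          # source IP address of the request
    action: str      # "login", "view" or "payment"
    amount: float = 0.0  # transaction value for "payment", else 0

@dataclass
class UserProfile:
    """What the service already knows about the customer (constructed sample)."""
    trusted_devices: set      # devices registered as trusted terminals
    known_networks: list      # CIDR blocks seen in the recent access history
    has_push_app: bool        # mobile app with push enrolment installed?

HIGH_VALUE = 500.0   # assumed policy threshold for a "high-value" payment
STEP_UP = 30         # assumed score at which a second factor becomes visible
STRONG = 70          # assumed score at which a biometric confirmation is asked

def risk_score(ctx: AccessContext, profile: UserProfile):
    """Sum assumed weights for each risk signal; return score and reasons."""
    score, reasons = 0, []
    if ctx.device_id not in profile.trusted_devices:
        score += 40
        reasons.append("unknown device")
    if not any(ip_address(ctx.ip) in ip_network(n) for n in profile.known_networks):
        score += 30
        reasons.append("new network")
    if ctx.action == "payment" and ctx.amount >= HIGH_VALUE:
        score += 50
        reasons.append("high-value transaction")
    return score, reasons

def required_factor(ctx: AccessContext, profile: UserProfile) -> str:
    """Map the risk score to the authentication the customer will see."""
    score, _ = risk_score(ctx, profile)
    if score < STEP_UP:
        return "none"            # password session alone, no visible friction
    if score < STRONG:
        # possession factor: push to the enrolled app, SMS code otherwise
        return "push" if profile.has_push_app else "sms_otp"
    # highest risk: possession plus inherence (fingerprint in the app);
    # without the app, combine the two out-of-band channels the text names
    return "push_biometric" if profile.has_push_app else "sms_otp_and_email"
```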

They simplify administration. Administrators can more easily set up and manage authentication flows. They can choose between either setting up policies on an admin console or using APIs for developers.

In both cases, they are able to create separate authentication rules per application and use risk management features.