Last updated: 14 May 2018
2018 appears to be the year the public has woken up to the importance of keeping their digital data secure. Scandals involving the sharing of personal information for targeted advertising and continued breaches have led consumers to question how they share their data. They still want to access digital services, but increasingly they want to do so in a trusted, fluid and personal way. And they want it to be seamless, or silent perhaps.
If you’re interested, the topic of consumer expectation is something we’ve explored before in the context of the Internet of Things. In this post, I’m joined by Elise Vernet, IoT Consumer Electronics Marketing Manager, and Gerald Maunier, Principal Security Solution Architect, as we discuss how the concept of silent authentication can be brought to life.
Why is there so much investment into new ways to authenticate users?
Elise: All consumers who interact with devices and services need to have their identity authenticated before they are given access or control. It is this fundamental requirement that ultimately drives us to improve the authentication experience. This is why we’ve seen a burst of new technologies built on passive behavioral authentication. Now is the time to ensure that they are trusted by users, easy to use and catered to the individual.
Silent authentication is based on those concepts and was originally designed to deliver convenient and robust risk-based security for online transactions in the banking sector. The puzzle we were trying to solve was reducing fraud whilst still being able to deliver a great customer experience.
What is silent authentication?
Elise: A range of technologies are involved. Silent authentication is a mechanism based on machine learning. It analyzes both consumer behavioral and environmental patterns, such as the way you write on your smartphone or PC, the way you walk, and your geolocation. But it also uses signals surrounding you, like Bluetooth devices and Wi-Fi networks.
This mechanism relies on a continuous monitoring of devices, networks and user behaviors and is done through the standard sensors present in today’s smartphones.
Recent improvements in machine-learning systems have enabled us to build a rich, multi-dimensional profile of each individual customer. This includes behavioral biometrics and other context-based signals to deliver risk-based authentication that analyzes and correlates those data in real time and compares them to expected customer patterns. This allows us to securely authenticate each customer whilst creating a seamless experience where service access is not held up by repeated checks.
What are the key functional roles in such an ecosystem?
Gerald: While originally developed for banking, the concept has many applications in other sectors. In each domain there will be similar parties that will make use of silent authentication:
- The Service Provider — such as a company in the mobile, IoT or retail sector that needs to authenticate end-users before they can access the service
- The Risk-based Authenticator — this could be the same service provider that we described previously or a dedicated company that provides a risk scoring for user authentication (based on their behavioral attributes and contextual data such as radio signals / geolocation). It may also be integrated by identity providers, which are not only in charge of confirming the user’s identity but of determining that the person trying to access the service is who she says she is.
- The End-User / The consumer — people will own a device that can capture their behavioral attributes and contextual data. This can be a smartphone able to capture things like the way we walk, type, swipe, and where we go. But it could also be a wearable such as a smartwatch that can relay motion-based biometrics and other biometrics data such as our pulse or temperature.
How does the authentication system work?
Didier: From a user’s perspective, everything is fluid, transparent and seamless. All she/he has to do is to request the service. They don’t have to type in any password or take any action to access the service. The silent authentication would work in the background without requiring any action from the user.
Behind the scenes:
Looking at this diagram, you can see how the communication flows between the Service Provider’s Cloud on the left and the Risk-based Authenticator’s Cloud on the right.
The Service Provider relies on the Risk-based Authenticator to tell if the user is who she claims to be.
It does this by asking the Risk-based Authenticator to give a level of assurance and trust regarding the authentication of the user. The response could be akin to “This user matches John Smith’s profile; my level of confidence in this decision is 90%”. This score would be the result of analysis based on multiple behavioral attributes and contextual data. This result is in fact a risk assessment.
Gerald: It should also be noted that risk assessment based on transaction patterns can be conducted by the service provider. These would include a combination of data such as goods purchased vs purchasing history, payment means, time of transaction and geo-location, type of device used, and the number of transactions in the last few minutes.
Elise: In addition, silent authentication can work with other means of authentication such as passwords and biometrics. For instance, if the risk assessment is not convincing enough, users may be asked to authenticate themselves by other means than purely behavioral characteristics.
At the same time, silent authentication can also greatly enhance traditional authentication techniques, adding further layers of security.
In addition, by logging the behavior of genuine users over time, we are able to more accurately predict when something unusual is happening. And this could be vital to detect in real-time if someone was trying to impersonate a legitimate user.
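The exchange described in this section, worked through as an added example (written for this post, not Gemalto’s or any product’s code): the Risk-based Authenticator scores how closely a session’s behavioral and contextual signals match a stored customer profile and returns a confidence figure; the Service Provider adds its own transaction-pattern risk (amount vs. purchasing history, velocity, device) and decides whether to allow silently, step up to a password or biometric check, or deny. The signal names, weights, thresholds, the `Profile` / `Observation` / `Transaction` types and the sample sessions are all constructed assumptions; a real deployment would learn the profile with a trained model rather than a mean and spread per signal.

```python
from __future__ import annotations
from dataclasses import dataclass

# ---- Risk-based Authenticator side -------------------------------------------
# Constructed stand-in for the learned "expected customer pattern". A real
# system fits this with machine learning over many sessions; here the profile
# is just a mean and spread per behavioral signal plus the known radio context.
@dataclass
class Profile:
    user_id: str
    typing_interval_ms: float   # mean gap between keystrokes
    typing_sd: float
    swipe_speed: float          # mean swipe velocity, px/ms
    swipe_sd: float
    known_wifi: set
    known_bluetooth: set
    home_city: str

@dataclass
class Observation:
    """One session's signals as captured by the device's standard sensors."""
    typing_interval_ms: float
    swipe_speed: float
    wifi: set
    bluetooth: set
    city: str

def _closeness(value: float, mean: float, sd: float) -> float:
    """1.0 at the learned mean, falling linearly to 0.0 at three standard deviations."""
    z = abs(value - mean) / max(sd, 1e-9)
    return max(0.0, 1.0 - z / 3.0)

def assurance_score(profile: Profile, obs: Observation) -> float:
    """Confidence (0..1) that obs matches profile: the '90%' figure in the text."""
    typing = _closeness(obs.typing_interval_ms, profile.typing_interval_ms, profile.typing_sd)
    swipe = _closeness(obs.swipe_speed, profile.swipe_speed, profile.swipe_sd)
    seen = obs.wifi | obs.bluetooth
    known = profile.known_wifi | profile.known_bluetooth
    radio = len(seen & known) / len(seen) if seen else 0.5   # no radio context is neutral
    geo = 1.0 if obs.city == profile.home_city else 0.2
    weights = (0.30, 0.30, 0.25, 0.15)   # assumed for illustration, not a tuned model
    return round(sum(w * s for w, s in zip(weights, (typing, swipe, radio, geo))), 3)

def authenticator_response(profile: Profile, obs: Observation) -> dict:
    """The message the Risk-based Authenticator returns to the Service Provider."""
    return {"matches": profile.user_id, "assurance": assurance_score(profile, obs)}

# ---- Service Provider side ---------------------------------------------------
@dataclass
class Transaction:
    amount: float
    avg_amount: float          # from the customer's purchasing history
    recent_tx_count: int       # transactions in the last few minutes
    device_known: bool

def transaction_risk(tx: Transaction) -> float:
    """Risk (0..1) from transaction patterns the Service Provider itself holds."""
    risk = 0.0
    if tx.amount > 3 * tx.avg_amount:   # far above the customer's usual basket
        risk += 0.4
    if tx.recent_tx_count >= 3:         # burst of transactions in a few minutes
        risk += 0.3
    if not tx.device_known:             # never seen this device for this customer
        risk += 0.3
    return min(risk, 1.0)

def decide(assurance: float, tx_risk: float, allow_at: float = 0.8, deny_at: float = 0.4) -> str:
    """Combine both assessments: ALLOW silently, STEP_UP to a password or
    biometric check, or DENY outright. Thresholds are assumed values."""
    effective = assurance * (1.0 - tx_risk)
    if effective >= allow_at:
        return "ALLOW"
    if effective >= deny_at:
        return "STEP_UP"
    return "DENY"

def update_profile(profile: Profile, obs: Observation, alpha: float = 0.1) -> None:
    """Fold a confirmed-genuine session into the profile (exponential moving
    average). Call this only after ALLOW or a passed step-up, so that an
    impostor cannot gradually drift the learned pattern toward their own."""
    profile.typing_interval_ms += alpha * (obs.typing_interval_ms - profile.typing_interval_ms)
    profile.swipe_speed += alpha * (obs.swipe_speed - profile.swipe_speed)
    profile.known_wifi |= obs.wifi
    profile.known_bluetooth |= obs.bluetooth

if __name__ == "__main__":
    # Constructed sample data: John's profile, one genuine and one impostor session.
    john = Profile("john.smith", 180, 30, 1.2, 0.3, {"home-net", "office-net"}, {"car-audio", "watch"}, "Paris")
    genuine = Observation(190, 1.1, {"home-net"}, {"watch"}, "Paris")
    impostor = Observation(290, 2.4, {"cafe-net"}, set(), "Berlin")
    usual = Transaction(45, 50, 1, True)
    odd = Transaction(900, 50, 4, False)
    for who, obs in (("genuine", genuine), ("impostor", impostor)):
        for label, tx in (("usual", usual), ("odd", odd)):
            r = authenticator_response(john, obs)
            print(who, label, r, decide(r["assurance"], transaction_risk(tx)))
```

Two design points are worth noting. The decision combines the authenticator’s confidence with the Service Provider’s own transaction risk, so a well-matched profile does not by itself wave through an unusual purchase. And the profile is only updated from sessions that were allowed or passed a step-up check; learning from every session would let an impostor’s behavior slowly become the expected pattern.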
How can it be used in the real world?
Elise: There are a number of ways we think silent authentication can be used to make consumers’ everyday interactions better. It would be impossible to list them all, but some examples are:
- On-line shopping: for the whole customer journey from Order validation / Payment of a certain amount / Delivery
- Delivery by autonomous machines, such as drones, robots, autonomous cars
- Enterprise corporate access control in offices and for those working from home
- Personalization of retail services with personalized promotions
- Opening of the door of your car while approaching the car, or starting your car by just sitting in the driving seat
- Easing governmental administrative procedures: filing taxes with your government via your PC or mobile
- Controlling the devices in your smart home (alarms, accesses) – perfect for families that don’t want the kids to have access to certain devices
- Validating any transaction done through your banking mobile app or web app
- Accelerating boarding procedures in airports or train stations
What does the future hold for silent authentication?
Elise: Silent Authentication is a fascinating field to be in right now, and it’s great to be able to develop systems that help people access the services they want, in a better way.
To summarize, such systems have tremendous potential for:
- Fighting fraud while delivering a fluid and personal customer experience
- Deployment across many industries (Telcos, OEMs, Banks, Retail, Automotive, Government, Smart home, Transportation, Enterprise corporate access)
- Adapting over time easily: whether that is folding in new risk scoring policies or adding contextual data as part of the risk scoring
- And finally, improving the whole customer journey
Didier: We should also consider how the computing power of Artificial Intelligence (AI) and machine learning is growing exponentially. It should also be noted that alongside this, the miniaturization of chips and processors could lead to a number of machines running silent authentication autonomously.
Also, compliance with regulations such as the revised Payment Services Directive (PSD2) imposes risk scoring for financial services in order to fight fraud. Indeed, the new European legislation requires banks to adapt security measures to the level of risk involved, in addition to other authentication means.
Those types of regulations will further encourage the adoption of such technologies.
Elise: Finally, those technologies will expand in a regulated market (General Data Protection Regulation / GDPR), allowing users to be in control of their personal data, and this will be even more critical when they have to share it across multiple service providers.
What do you think? Feel free to tell us what you think the most interesting use cases could be. Get in touch in the comments below or on Twitter @GemaltoMobile.