Get the latest news right in your inbox
The authentication of users so that they can access the platforms provided by businesses, organizations or institutions has changed a lot since the first steps of the digital era. The use of username and password has started to become outdated a few years ago with the rise of identity theft and the emergence of new verification techniques.
Thus, authentication has become a fundamental pillar in the security of any company in order to prove the identity of its users and offer them secure access methods to enjoy the products and services contracted, manage them or acquire new ones.
Steps prior to authentication
Before delving into the authentication process, let's take a brief look at the steps prior to it: User onboarding and Know Your Customer. Registering customer information in the company's database must be done according to very specific technical and legal standards.
In many industries, it is not enough just to process information in accordance with privacy standards; comprehensive identity verification controls must be established to corroborate that the user is who he or she claims to be. This is the basis for any subsequent interaction to be carried out under an environment of guarantees, trust and with full legal backing.
During this registration, you proceed to create the credentials with which the user will later access your products and services or the customer area. This is where authentication comes into play:
What is authentication?
Authentication or authentication is an identity verification process by which an organization confirms that an accredited user is accessing data, information or materials that are the exclusive property or use of a specific person. Once the identity of the access requester (tester) has been confirmed, the verifier accepts the request and provides a management platform on which to operate with the resources assigned to him or her.
In this process the comparison plays a fundamental role, being the validator responsible for storing the credentials of all the users of the platform and comparing the information provided by the tester in the authentication with all the samples of the databases.
We can also refer to the same act of accreditation or authorization. In the jargon of technology, there are two types of authentication: identity authentication and data origin authentication: the first refers to the previous steps mentioned above - KYC and Onboarding - and the second type is what we know as authentication itself, confirming information that only one person can know.
However, it is much more secure to authenticate through what a person is, as information or data can be stolen or improperly shared.
Most important authentication methods
How does the authentication that businesses use to grant access to their customers, employees or suppliers work? Well, before we go into this topic in depth, let's look at the ways in which the authentication process can occur:
- Directly: It is directly between the tester and the company that owns the resources he/she wants to access.
- Indirectly: Includes a third party acting as an intermediary between the tester and the supplier of products and services. It can endorse the identity of both mutually or only that of the tester unilaterally.
The second authentication mechanism is usually led by trusted service providers - also called trusted third parties - specialized in identity verification processes with high levels of security and regulatory compliance.
There is one decisive term that stands out in authentication mechanisms: factors. While there are systems that are based on a single type of authentication factor, nowadays you should go for a security strategy that includes at least two (2FA). The most relevant of these are described below:
- Knowledge: a password or a PIN.
- Belonging or possession: an NFC card, a USB token, smartcards of different types, devices with cryptographic content...
- Characteristic or inherent: Face, voice, fingerprint...
- Location or behavioral: IP address, device, GPS, way of writing, cadence of speech...
Although the multi-factor strategy is more widespread in sensitive sectors such as banking, finance and insurance, more and more industries are beginning to use it to meet today's challenges.
Among the factors mentioned above, facial biometrics is the one preferred by most users, followed by passwords and OTP codes (One Time Password by SMS or email). The selection of the factors to be requested for access must be made according to the type of user, the industry to which the business belongs and taking into account the operation to be carried out.
Authentication, authorization, accreditation, verification, identification ... Differences and similarities
As we have already mentioned, authentication is a step after user registration. The terms should not be confused, although they are similar. While in KYC exhaustive controls are carried out for this first interaction and to corroborate that the data provided by the customer in the process are legitimate and truthful, in subsequent access it is only confirmed that the person who is requesting the use or management of resources is who they say they are - someone who has already validated their information.
However, many businesses choose to generate credentials that have not been verified by KYC systems. In other words, the information used by the user for subsequent access is a password that, yes, was chosen during the same process, but is not intrinsic to the user.
This entails a number of risks related to loss and forgetfulness as well as theft or attempts at deception. We know that the best digital onboarding platforms are able to reduce the risk to almost absolute zero, thus eliminating almost all problems and fraudulent attacks in the authentication process.
User authentication: How is it being done?
Today, 72% of businesses authenticate their customers by using user-password credentials and others, at most if required by regulation, additionally request OTP codes. This not only generates user friction but also entails serious risks such as those caused by sim swapping or phishing.
It is well known that, despite warnings from institutions and cybersecurity awareness campaigns, users end up using the same password for all their platforms or use easy-to-remember phrases or codes such as birth dates, pet names or any other information that can be obtained without excessive complexity by potential criminals.
As a business or organization, establishing security techniques is not only mandatory in certain markets and industries but will create more confidence in potential customers to purchase. One of the reasons given by users in surveys when abandoning a registration or login process is distrust.
It might seem that this insight is only applicable to those users less familiar with technology and with an age profile above 45 years old. However, this applies more to the new consumer profile below this age bracket since, knowledgeable about web platforms, they easily detect when they are operating under a system with few security controls.
Know Your Customer, Electronic Signature and Digital Onboarding
So what is the answer to all these challenges? In general, in business and user experience there is usually no single answer, but with respect to today's topic - authentication - there seems to be a broad consensus: generate credentials based on the KYC process.
This is something that companies in the BFSI (Banking, Finance, Insurance and Investment) area are already implementing. Create a unified identity verification strategy in onboarding along with the authentication system. KYC requires identity verification through facial biometrics and ID document validation. With this, a highly secure facial biometric pattern can be created to authenticate the user at a later stage.
This method gives greater legal validity to the authentication process, complying with standards such as PSD2 and its Enhanced Client Authentication standards. The question is quite illustrative: Why generate isolated credentials when you can use the same process to create an inherent authentication factor? In this way, we require less effort from the user during the registration process - something that maximizes conversion -, we provide greater security in any interaction the user will perform on your client platform, and we give greater legal backing to each access.
Secure Client Authentication (SCA) and other standards
The same is true when it comes to the contracting process. The electronic signature must be fully integrated with the user onboarding process, attaching AML and KYC documentation along with the contract. This is especially important in sensitive transactions such as insurance, real estate or any FinTech platform - for example trading platforms.
In multi-factor authentication strategies, we can now opt for facial biometrics accompanied by a PIN, something that is giving great results and that allows high-risk operations to be carried out thanks to the fact that one of the factors is based on a KYC process certified by a Trusted Third Party.
On the other hand, entrusting the authentication process to systems based on FIDO standards is an insurance for the future and a commitment to innovation and leadership today.