Risk-Based Authentication

The purpose of a risk-based approach to authentication is to draw on a wide breadth of accurate data sources and quantitative techniques to assess the probability of fraudulent behavior. The ever-changing nature of identity fraud warrants a risk-based and flexible approach to combating it. Given the finite pool of financial and human resources available to government agencies, a risk-based approach to managing identity fraud and citizen access lets institutions focus on the identities and access points that pose the greatest threat to their applications and citizen customers.

More institutions are implementing this type of holistic approach, rather than a rules-based program (one in which particular individual conditions are identified, detected and used in isolation or near isolation in decision-making). This risk-based approach assumes that no single rule or set of rules provides a comprehensive view of a client’s identity and associated fraud risk. Instead, an appropriately comprehensive set of customer data sources can provide the foundation for very effective fraud prediction models in combination with detailed customer authentication conditions.

The inherent value of risk-based authentication can be summarized as delivering a holistic assessment of a customer and/or transaction with the end goal of applying the best authentication and decision-making treatment at the right time. Benefits include:

Reduced fraud exposure — Use of analytics and a more comprehensive view of a client's identity (both the positive and the negative indicators), combined with consistent decision-making over time, will outperform simple binary rules and more subjective decision-making from a fraud-detection perspective.

Improved customer experience — By applying the right authentication and decision-making treatment, customers are subjected to processes that are proportional to the risk associated with their identity profile. This means that lower-risk customers are less likely to be put through a more arduous course of action, preserving a streamlined and often purely behind-the-scenes authentication process for the majority of customers and potential customers. 

Operational efficiencies — With a well-designed program, much of the decision-making can be done without human intervention and subjective human judgment. Score-driven policies enable an institution to use automated authentication processes for the majority of its applicants or account management cases. This translates into a need for fewer staff, which usually means lower cost. Alternatively, it can mean that review staff are focused on the applications or transactions that actually warrant manual attention and treatment.

Measurable performance — It is critical to understand past and current performance of risk-based authentication policies so that they can be adjusted over time. Adjustments may be driven by evolving fraud risks, resource constraints, approval-rate pressures or demands, and compliance requirements. This is why ongoing performance monitoring of the authentication tools is recommended.

Best Practices

Below are some best practices to consider in the implementation and ongoing assessment of a comprehensive risk-based authentication policy:

Analytics — An authentication score is typically the primary decision-making element in a risk-based authentication strategy, so choosing and validating a best-in-class scoring model is critical in establishing performance expectations. This initial analysis allows decision-making thresholds to be set, acceptance and referral volumes to be planned for operationally, and benchmarks to be established against which performance monitoring results can be compared.

Targeted decision-making strategies — Each access channel and level of assurance warrants its own tailored decision-making strategy, incorporating scores together with other high-risk or positive authentication results. Each access channel (call center, Web, face-to-face, etc.) comes with unique risks (recall the OMB’s definition of risk as “the consequences of the authentication errors and misuse of credentials”), different available data, and different opportunities to apply an authentication strategy that balances risk management, operational effectiveness, efficiency, cost and customer experience. Champion/Challenger strategies also may be a safe way to test newly devised strategies within a single channel or subsegment population without exposing the entire addressable population to the change.

Performance monitoring — It’s critical that key metrics are established early in the risk-based authentication implementation process. Key metrics may include, but should not be limited to:

  • actual versus expected score distribution;
  • actual versus expected characteristic distributions;
  • actual versus expected out-of-wallet question performance;
  • volumes, exclusions, customer velocities and mean scores;
  • actual versus expected pass rates;
  • accept versus referral score distribution; and
  • trends in decision and result-code distributions.

Performance monitoring allows for managing referral volumes, decision threshold changes, strategy configuration changes, auto decision-making criteria and pricing.

Reporting — To apply the three preceding best practices, accurate, timely and detailed reporting must be established around authentication tools and results. Whatever the reporting frequency, institutions should work with internal resources and third-party service providers early in the implementation process to ensure that relevant reports are established and delivered.
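The following is an added illustration of the four practices above in working code: a score built from authentication conditions, per-channel accept/refer/decline thresholds, a deterministic champion/challenger split, and an actual-versus-expected monitoring report of the kind the metrics list describes. It is not Experian's model or any vendor's product; the feature weights, channel thresholds, challenger share, expected distributions and the sample events are all constructed for the example.

```python
"""Toy risk-based authentication decision engine with performance monitoring.

Added example, not a vendor's code. Weights, thresholds, challenger share,
expected distributions and sample events are all constructed (hypothetical).
"""
import hashlib
import statistics
from collections import Counter

BASE_SCORE = 50  # hypothetical neutral starting point on a 0..100 risk scale

# Hypothetical additive weights. A production score is fitted and validated
# against labelled outcomes rather than hand-written like this.
WEIGHTS = {
    "device_seen_before": -15,      # positive authentication result
    "address_matches_bureau": -20,  # positive authentication result
    "ssn_issued_before_dob": 40,    # high-risk condition
    "ip_country_mismatch": 25,      # high-risk condition
    "velocity_24h": 10,             # per prior attempt in the last 24 hours
}

# Per-channel (accept_below, decline_at_or_above) cut-offs; scores in between
# are referred for step-up or manual review. Constructed so that channels with
# different error consequences get different thresholds.
CHAMPION = {"web": (40, 80), "call_center": (30, 70), "in_person": (60, 90)}
# Challenger strategy under test on the web channel only (hypothetical).
CHALLENGER = {"web": (35, 75)}
CHALLENGER_SHARE = 0.20  # fraction of eligible traffic routed to the challenger


def risk_score(features):
    """Weighted sum of authentication conditions, clamped to 0..100."""
    s = BASE_SCORE + sum(w * features.get(name, 0) for name, w in WEIGHTS.items())
    return max(0, min(100, s))


def assign_strategy(applicant_id, channel):
    """Deterministic champion/challenger split keyed on the applicant id.

    Hashing instead of random.random() keeps an applicant in the same arm across
    retries, so the two populations stay comparable.
    """
    if channel not in CHALLENGER:
        return "champion"
    bucket = int(hashlib.sha256(applicant_id.encode()).hexdigest(), 16) % 1000
    return "challenger" if bucket < CHALLENGER_SHARE * 1000 else "champion"


def decide(applicant_id, channel, features, strategy=None):
    """Score one authentication event and map it to accept/refer/decline."""
    strategy = strategy or assign_strategy(applicant_id, channel)
    table = CHALLENGER if strategy == "challenger" and channel in CHALLENGER else CHAMPION
    accept_below, decline_at = table[channel]
    s = risk_score(features)
    if s < accept_below:
        decision = "accept"
    elif s >= decline_at:
        decision = "decline"
    else:
        decision = "refer"
    return {"id": applicant_id, "channel": channel, "strategy": strategy,
            "score": s, "decision": decision}


def monitor(decisions, expected_accept_rate, expected_band_share, tolerance=0.10):
    """Actual-versus-expected report; flags drift beyond `tolerance` (absolute share)."""
    n = len(decisions)
    outcomes = Counter(d["decision"] for d in decisions)
    bands = Counter(min(d["score"], 99) // 20 * 20 for d in decisions)  # 20-point bands
    report = {
        "volume": n,
        "accept_rate": outcomes["accept"] / n,
        "referral_rate": outcomes["refer"] / n,
        "decline_rate": outcomes["decline"] / n,
        "mean_score": statistics.mean(d["score"] for d in decisions),
        "band_share": {b: bands[b] / n for b in range(0, 100, 20)},
        "alerts": [],
    }
    if abs(report["accept_rate"] - expected_accept_rate) > tolerance:
        report["alerts"].append(
            f"accept rate {report['accept_rate']:.2f} vs expected {expected_accept_rate:.2f}")
    for band, expected in expected_band_share.items():
        actual = report["band_share"].get(band, 0.0)
        if abs(actual - expected) > tolerance:
            report["alerts"].append(
                f"score band {band}-{band + 19}: {actual:.2f} vs expected {expected:.2f}")
    return report


# Constructed sample events (not real applicants).
SAMPLE_EVENTS = [
    ("a1", "web", {"device_seen_before": 1, "address_matches_bureau": 1}),
    ("a2", "web", {"ip_country_mismatch": 1, "velocity_24h": 3}),
    ("a3", "call_center", {"device_seen_before": 1}),
    ("a4", "in_person", {"ssn_issued_before_dob": 1}),
    ("a5", "web", {}),
    ("a6", "web", {"velocity_24h": 1}),
    ("a7", "web", {"ip_country_mismatch": 1}),
]
# Hypothetical expectations taken from the model's validation sample.
EXPECTED_ACCEPT_RATE = 0.50
EXPECTED_BAND_SHARE = {0: 0.40, 20: 0.30, 40: 0.15, 60: 0.10, 80: 0.05}


def run_batch(strategy="champion"):
    """Decide every sample event under one strategy (None = hashed split)."""
    return [decide(i, ch, f, strategy) for i, ch, f in SAMPLE_EVENTS]


if __name__ == "__main__":
    batch = run_batch()
    for d in batch:
        print(d)
    print(monitor(batch, EXPECTED_ACCEPT_RATE, EXPECTED_BAND_SHARE)["alerts"])
```

Running the sample batch under the champion thresholds accepts one event, declines two and refers four, and the monitor raises alerts because the accept rate and most score bands sit far from the expected distribution: exactly the signal that would prompt a threshold or strategy review. Calling monitor separately on the champion and challenger subsets of real traffic gives the side-by-side comparison that a Champion/Challenger test needs; event a7 (score 75) shows the two arms diverging, since the champion refers it and the tighter challenger declines it.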

As e-government customer demand and opportunity increase, regulatory requirements and relevant guidelines will become more standardized and uniformly adopted.

Regardless of credentialing techniques and ongoing access management, all enrollment processes must continue to be accurate and, most importantly, predictive of fraud risk and compliant with regulatory checks. Such authentication tools must be able to evolve as new technologies and data assets become available, as compliance requirements and guidance become more defined, and as specific fraud threats align with various access channels and unique customer segments.

A risk-based fraud detection system lets institutions make customer relationship and transactional decisions based on a holistic view of a customer’s identity and predicted likelihood of associated fraud risk. To implement efficient and appropriate risk-based authentication procedures, institutions must combine comprehensive and broadly categorized data assets with targeted analytics and consistent decision-making policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance — not only in a current environment, but also as that environment shifts in response to external factors.

Keir Breitenfeld is a senior director of product management and marketing for Experian’s Decision Analytics business unit. His responsibilities include stewardship of Experian’s comprehensive suite of consumer and commercial authentication and fraud management products and services.
