Step-Up Authentication: Improving Customer Experience with Frictionless Authentication
What is step-up authentication?
Step-up authentication strikes the balance between friction and security. It lets users easily access some resources, for instance by using the credentials of their social media login, but when they want to access more sensitive resources they are prompted for additional credentials before access is granted. In short, step-up authentication adds extra layers of security to protect assets and resources.
Step-up authentication adapts the level of authentication to the sensitivity of the resources that a user wants to access. If you ask for too little proof of identity, you risk exposing valuable resources to unauthorized users. If you ask for too much, you create friction that may cause your consumers to stop visiting your website.
Authentication is a key building block of your Identity and Access Management (IAM) strategy and the cornerstone of your digital interactions with your customers or employees. As we all know, identity theft is a growing problem. According to research by Finanso, one in five Europeans has experienced identity theft in the last two years. If you are offering digital services or selling products through digital channels, you can’t just assume that a person is who they claim to be when they are accessing your resources. Cybercriminals get hold of user credentials by sending phishing emails or simply buying them on the dark web. If you are a business, you don’t mind who is accessing your home page or marketing pages, but you definitely want more credentials once someone requests access to more sensitive resources or wants to make purchases or other financial transactions.
Step-up authentication is all about finding the right balance. You may be tempted to build in as much security as possible: ask users for as many credentials as possible, use the most secure authentication method, and demand additional authentication as soon as users log in. In doing so, you would probably make access nearly impossible for users, killing the customer experience they expect.
How does step-up authentication work?
The process of step-up authentication starts the moment a user requests access to a protected resource or wants to perform a high-risk transaction. The IAM system first checks whether the authentication method that the customer or employee used initially, for instance credentials such as a username and password combination, is sufficient for the action requested. If the system decides that the initial credentials are not adequate for the level of risk attached to the requested resource, it asks the user for additional authentication through another authentication factor. Examples are a one-time password (OTP) or passcode sent to a registered smartphone or other mobile device, or biometric identification through facial recognition or a fingerprint. A word of warning: OTPs are less secure than push notifications or biometrics. Another way of adding verification is asking for the answers to security questions that the user has previously set.
Two-factor authentication and multifactor authentication add to the security. It goes without saying that MFA beats 2FA when it comes to security: two-factor authentication adds just one extra factor to, for instance, a password, whereas only real MFA provides a high level of security. And the good news is that with Passwordless and Smartphoneless MFA, you can have that level of security WITHOUT adding friction to the customer journey. On the contrary.
When should you use step-up authentication?
Step-up authentication is not always needed, so you should not always require an extra authentication method from your customers. Here are some of the circumstances in which you may want a different level of authentication.
- High-risk transactions: in banking or e-commerce, step-up authentication may be useful for transactions above a certain amount, changes to account details or high-value purchases. Organizations themselves decide on the risk level at which they require extra verification. In many countries, strong customer authentication is mandated by law under the PSD2 regulation.
- Changes to account settings: extra confirmation of the user’s identity can be helpful when users want to change their account settings, for instance setting a new password or adding payment methods in an e-commerce context.
- Suspicious login attempts: if users want to access information with a new device, from an unusual location or from an IP address that is not consistent with the user’s regular behavior, adaptive authentication will be triggered.
- Access to sensitive resources or data: when users want to access financial information, medical records, or corporate intellectual property, verification of the user’s identity can be required, going further than easy credentials such as username and password.
By triggering step-up authentication in these use cases, organizations lower their risk. Even when credentials have been stolen and cybercriminals have got hold of username and password combinations, step-up authentication or adaptive authentication still lowers the risk level, because the stolen credentials alone are not enough to reach the protected resource.
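As an added example (not TrustBuilder’s code or product logic), the following Python policy evaluator models the decision described in “How does step-up authentication work?” together with the trigger list above: it rates the factors a session has completed, derives the level an action requires, and when the session falls short returns the factors whose completion would satisfy the step-up. The factor names, their ranking, the per-action levels, the transaction threshold and the freshness window are all assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed assurance ranking of the factors the article names (1 = weakest).
FACTOR_LEVEL = {"password": 1, "social_login": 1, "security_question": 1,
                "sms_otp": 2, "hardware_token": 3, "push": 3, "biometric": 3}
# Assumed minimum level per action, following the article's trigger list.
ACTION_LEVEL = {"browse": 0, "view_balance": 1, "payment": 2,
                "change_settings": 3, "medical_records": 3}
HIGH_VALUE = 500.0                  # assumed high-risk transaction threshold
FRESHNESS = timedelta(minutes=5)    # assumed: strong factors must be recent
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
EARLIER = NOW - timedelta(minutes=20)                    # a stale completion time

@dataclass
class Session:
    factors: dict          # factor name -> datetime it was completed (UTC)
    known_device: bool = True
    usual_location: bool = True

def fresh_factors(s, now):
    """Level-1 factors establish the session; stronger ones expire after FRESHNESS."""
    return [f for f, t in s.factors.items()
            if FACTOR_LEVEL[f] == 1 or now - t <= FRESHNESS]

def session_level(s, now):
    """Strongest fresh factor; a strong factor plus a weaker one (real MFA) adds one."""
    fresh = fresh_factors(s, now)
    best = max((FACTOR_LEVEL[f] for f in fresh), default=0)
    return best + 1 if any(FACTOR_LEVEL[f] < best for f in fresh) else best

def required_level(action, amount, s):
    need = ACTION_LEVEL.get(action, 1)
    if action == "payment" and amount >= HIGH_VALUE:
        need = max(need, 4)          # high-risk transaction: demand real MFA
    if not s.known_device or not s.usual_location:
        need = max(need, 3)          # suspicious login context: adaptive step-up
    return need

def evaluate(s, action, amount=0.0, now=NOW):
    """Allow, or list the not-yet-fresh factors whose completion now would close the gap."""
    have, need = session_level(s, now), required_level(action, amount, s)
    if have >= need:
        return {"allow": True, "have": have, "need": need, "step_up": []}
    usable = set(fresh_factors(s, now))
    options = [f for f in FACTOR_LEVEL if f not in usable and session_level(
        Session({**s.factors, f: now}, s.known_device, s.usual_location), now) >= need]
    return {"allow": False, "have": have, "need": need, "step_up": options}
```

A password-only session browsing is allowed outright, while the same session making a high-value payment from an unknown device is told which stronger factors (a re-done push approval counts, a stale one does not) would satisfy the policy.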
What is the difference between step-up authentication, adaptive authentication and multifactor authentication?
The terms step-up authentication, adaptive authentication and multifactor authentication are often used together. Although they are closely related and can be combined, they are not the same. Step-up authentication and adaptive authentication are authentication systems. Two-factor or multifactor authentication supports adaptive authentication and step-up authentication by providing them with the factors used for authentication.
How to implement step-up authentication
Step-up authentication can be enforced in different ways, using different authentication methods. Organizations choose which authentication methods to include in their policies and can combine additional authentications to secure access to sensitive information.
- Push notifications: a notification is sent to a user’s registered device. The user can then approve or deny the authentication attempt. This is one of the forms of passwordless authentication.
- Biometric authentication: during step-up authentication, biometrics can be used to verify the identity of a user, for instance by using fingerprints, facial recognition or voice recognition.
- Hardware tokens: physical devices can be used to generate a time-based or an event-based one-time password. Such a hardware token can come in the form of a smartcard, a key fob or a calculator.
Why is TrustBuilder a good choice to implement step-up authentication?
As an Identity and Access Management vendor that is renowned for combining customer experience with airtight security, TrustBuilder is your go-to partner for step-up authentication. Consider these reasons:
- Integrated multifactor authentication: TrustBuilder.io includes TrustBuilder.io Multifactor Authenticator. This product is available in different levels of sophistication and can be used on mobile devices, web-based clients, desktops and fat clients. TrustBuilder.io Multifactor Authenticator is also offered as an SDK, so organizations can completely integrate it into their own environment. This way, users continue to get the same visual experience throughout their digital customer journey.
- Wide range of authentication methods: TrustBuilder supports a broad array of authentication methods, which can be used for step-up authentication. Besides our own TrustBuilder.io Multifactor Authenticator, these include traditional methods such as username and password or tokens, but also more advanced techniques like biometrics and behavioral characteristics. TrustBuilder also connects to multiple Identity Providers that allow you to verify the user’s identity.
- Adaptive authentication: TrustBuilder’s adaptive authentication allows for step-up authentication based on risk assessment. When a user’s behavior is deemed low-risk, they can enjoy a seamless, uninterrupted experience. However, when suspicious or high-risk behavior is detected, additional authentication measures are triggered to verify the user’s identity.
- Easy integration: TrustBuilder.io is designed for easy integration with a wide variety of applications, systems and authentication methods. This makes it a versatile solution for organizations that have a diverse software ecosystem or need to implement step-up authentication across a range of different platforms.
- User experience: TrustBuilder.io is designed with a focus on user experience. It aims to make the authentication process as seamless as possible for end users, reducing friction and helping enhance overall user satisfaction.