Strong Customer Authentication (SCA) is a requirement for businesses operating under PSD2 in Europe that took effect in 2019. But strong customer authentication is a good business strategy for banks and businesses everywhere.
Most have already recognized how important strong customer authentication is in preventing the costs of fraud. Fraud puts customers at risk, and consequently it costs your business both money and reputation. So it’s worth taking preventative measures.
There is a fine line, though, between thoroughly authenticating your customers and keeping the process low-friction. Customers want to be sure their information is safe, but they don’t want to spend a lot of extra time jumping through hoops to get access to their accounts and your services.
The key to properly authenticating customers is accurate customer data. The more accurate your customer data is, the more certain you can be that the customers you work with are who they say they are. In this way, you prevent fraud and account takeovers.
In this article, we’ll cover what it means to authenticate your customers, why it’s so important, and the best ways to implement an authentication strategy.
What is Strong Customer Authentication?
Strong customer authentication means that customers’ identities are verified before they can access their accounts or sensitive information. As a business owner, you want to be sure your customers or users are who they say they are to prevent compromising sensitive information.
There are three types of customer identity verification: knowledge, possession, and inherence.
Knowledge is something the customer knows, such as a password or PIN. It can be set up when the account is created, and it is information that only the customer should know. Encourage customers not to share it with anyone, to keep their account secure.
Possession is something the customer has, like a cell phone or credit card. Cell phones typically have the customer’s phone number directly tied to them, so for mobile applications this verification is automatic. Another way to use a cell phone for verification is with a one-time passcode (more on this later).
Verifying card information can also confirm someone’s identity. But because card numbers are so commonly compromised, it’s best to verify the three-digit code on the back of the card, which is the best way to make sure the card is in the cardholder’s possession.
Finally, inherence is something the customer is: a fingerprint or facial recognition. Think of inherence as a natural quality, something that cannot be changed. Fingerprint and facial identification are used most often with payments.
Customers can unlock and access their cell phones, digital wallets, and payment apps by setting up these recognition features on their phones. Customers tend to favor this method of identification because it’s quick and convenient. Remember, you want to keep customer accounts secure while easing the friction associated with the process.
Why is Strong Customer Authentication Important?
Data breaches cause sensitive information to get into the wrong hands. You can probably recall hearing about major companies that have suffered data breaches in recent years. Your own data might even have been compromised in these breaches.
The information that can be compromised depends on the database that is breached. Customer email addresses, social security numbers, account numbers, and any other data stored can be compromised. Illegally accessed information is usually sold by cybercriminals or used to launch further attacks.
Illegally accessed data fuels fraud. Online fraud costs businesses and individuals over $5 trillion every year. This is why it’s important not only to protect your own customer database but also to verify the identity of your customers: their data could reach the wrong hands through a breach of another company’s database.
If someone’s email, password, or card information is compromised, fraudsters can impersonate that customer. And there’s no way for you to know which customer information might have been involved in which company’s data breach. So it’s important to have strong authentication procedures in place to protect your users from impersonators.
How to Implement Strong Customer Authentication
Common Causes of Data Breach
Verizon’s 2020 Data Breach Investigations Report identified the six most common ways data breaches occur. There are physical actions, like leaving a laptop, device, or paperwork unattended, and card skimmers, where thieves insert a device into card readers and ATMs to steal card information.
There is unauthorized use, when employees access data and information they are not authorized to access. There is malware, like RAM scrapers that scan the memory of devices such as point-of-sale (POS) systems, and keyloggers that capture keystrokes to steal passwords.
Social engineering consists of phishing and pretexting. Phishing is when fraudsters pose as trusted companies and send emails that lead to fake login pages or request sensitive information. Pretexting is very similar: pretexters contact victims by phone or email requesting financial details.
Human error is one of the most common causes of data breaches. Fortunately, it’s also one of the most preventable. For example, you want to make sure you have the correct email addresses and phone numbers for your customers to avoid disclosing important information to the wrong person.
You can use a batch append service to update your records and/or a phone verification tool that checks whether numbers are active or not. This can save you time and money by preventing you from contacting the wrong people.
You want to regularly update your database, too, as customer contact information changes frequently. By keeping your records up to date, you decrease the chance for an impersonator to access your customers’ information.
How to Encourage Strong Passwords
Criminal hacking is the most common cause of data breaches. Hackers steal or purchase login credentials on the dark web to gain access to information, then use it to commit fraud, run phishing scams, or resell it on the dark web themselves. Hackers can also obtain credentials by finding them stored unsecured, guessing weak credentials, or using automated tools that generate and try password combinations.
We all get annoyed by the different password requirements we must meet to set up our accounts (use a capital letter, a number, a special character, etc.). But these guidelines exist to help users create strong passwords that are difficult to guess, even by automated testing of combinations.
If your website requires customers to choose a username and password, consider updating the password requirements. Specific requirements push users toward a password they don’t reuse everywhere, or at least one that would be difficult to crack.
And because we want to keep the authentication process seamless for customers, make sure you have a clear, user-friendly password retrieval or reset process.
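As an added illustration of the point above (this is example code written for this article, not a tool from the article’s author), the following Python checks a password against a composition policy and estimates the size of the space an attacker testing combinations would have to search. The 12-character minimum and the small denylist of common passwords are assumptions made for the example; a production system would use a large breached-password list.

```python
import math

# Constructed denylist standing in for a breached/common-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1", "welcome1"}
MIN_LENGTH = 12  # assumption: the article gives no specific length


def check_password_policy(password):
    """Return the list of rules the password fails (empty list means accepted).

    The messages are written to be shown directly to the user, so the form
    can tell them exactly what is missing rather than rejecting silently.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("a capital letter")
    if not any(c.islower() for c in password):
        failures.append("a lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("a number")
    if not any(not c.isalnum() for c in password):
        failures.append("a special character")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("not a commonly used password")
    return failures


def search_space_bits(password):
    """Rough size, in bits, of the space an attacker must test by brute force.

    Assumes the attacker knows the length and which character classes are
    present (the worst case for the user), so this is a lower bound on the
    benefit of each rule: every extra class widens the alphabet, every
    extra character multiplies the space again.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation plus space
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for pw in ("password", "Password1!", "Correct-Horse-Battery-9"):
        print(pw, check_password_policy(pw), round(search_space_bits(pw), 1))
```

The search-space figure makes the trade-off visible: eight lowercase letters give about 37 bits, while twelve characters drawn from all four classes give about 79 bits, which is why length and variety together matter more than any single rule. Current guidance (NIST SP 800-63B) leans on length and a breached-password denylist rather than strict composition rules, which is why the denylist check is included alongside the classic requirements.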
Email vs. Phone Number for Authentication
Because it’s so easy for bots to create and automate fake email accounts, phone numbers are the way to go when it comes to authenticating customers. A bot-generated email address can be used to open accounts in someone else’s name, register social accounts for spamming, and submit web forms or sign up for free trial services, all of which lets bad data into your database.
Instead of relying on email, you can request, use, and screen phone numbers for authentication. First, make sure customers enter their numbers accurately. Validation error messages help customers check their entries before submitting. To get the most accurate phone information, you’ll need the full phone number, including the country code, in a consistent international format.
By using a phone validation API, you can check the validity of phone numbers before they even enter your database. The API identifies the line type of the phone number (landline, mobile, or VoIP) and can flag potentially fraudulent traffic based on line type and geographic origin.
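To make the point-of-entry check concrete, here is an added Python example (written for this article, not code from the article’s author or from any particular validation API). It normalizes what a customer typed into the international format with country code, returns a user-facing error message when it cannot, and then screens the number by line type. The line-type lookup table is constructed for the example and stands in for the data a real phone validation API would return; the 8-digit minimum is a sanity floor chosen here, not part of the standard.

```python
import re

# Constructed lookup standing in for a phone-validation API's response (assumption):
# a real service returns line type and country per number. Values are illustrative.
LINE_TYPE_LOOKUP = {
    "+14155550100": {"line_type": "mobile", "country": "US"},
    "+14155550101": {"line_type": "voip", "country": "US"},
    "+442079460958": {"line_type": "landline", "country": "GB"},
}


def normalize_to_e164(raw, default_country_code=None):
    """Return (e164_number, error_message); exactly one of the two is None.

    Accepts '+CC...' or '00CC...' as the international form. A bare national
    number is accepted only when default_country_code is given. Domestic trunk
    prefixes (the leading 0 many countries use for in-country dialling) are
    country-specific and are deliberately not handled here; production code
    should use a full library such as libphonenumber.
    """
    s = raw.strip()
    if s.startswith("+"):
        digits, has_cc = re.sub(r"\D", "", s[1:]), True
    elif s.startswith("00"):
        digits, has_cc = re.sub(r"\D", "", s[2:]), True
    else:
        digits, has_cc = re.sub(r"\D", "", s), False

    if not has_cc:
        if default_country_code is None:
            return None, "Please enter your number with the country code, e.g. +1 415 555 0100."
        digits = str(default_country_code) + digits

    # E.164 allows at most 15 digits and a country code never starts with 0.
    if not digits:
        return None, "Please enter a phone number."
    if digits[0] == "0":
        return None, "The country code cannot start with 0."
    if len(digits) < 8:  # assumption: sanity floor, a few small territories are shorter
        return None, "That number looks too short; please check it."
    if len(digits) > 15:
        return None, "That number is too long; please check it."
    return "+" + digits, None


def screen_for_authentication(raw, default_country_code=None, lookup=LINE_TYPE_LOOKUP):
    """Validate at the point of entry and decide whether the number can serve
    as an authentication factor, and over which channel a code should go."""
    number, err = normalize_to_e164(raw, default_country_code)
    if err:
        return {"ok": False, "reason": err}
    info = lookup.get(number)
    if info is None:
        return {"ok": False, "number": number, "reason": "number not recognised as active"}
    if info["line_type"] == "voip":
        # Line-type screening: hold VoIP numbers for review instead of accepting silently.
        return {"ok": False, "number": number, "reason": "VoIP number held for review"}
    return {
        "ok": True,
        "number": number,
        "line_type": info["line_type"],
        "country": info["country"],
        # Mobiles can receive SMS; a landline needs the code read out by voice call.
        "otp_channel": "sms" if info["line_type"] == "mobile" else "voice",
    }


if __name__ == "__main__":
    for entry in ("(415) 555-0100", "+44 20 7946 0958", "555-0100", "+1 415 555 0101"):
        print(entry, "->", screen_for_authentication(entry, default_country_code=1))
```

Storing only the normalized form means the same customer cannot end up in your database three times under "(415) 555-0100", "415.555.0100" and "+1 415 555 0100", which is exactly the kind of inaccurate record the article warns against.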
Since most people rely heavily on their mobile devices, using a phone number as the primary way to prove account ownership is quicker than email. And since phone numbers are more difficult to fake, they are more accurate than verifying email addresses too.
But just to be sure your users own the phone numbers they register with, you can text a 4- to 6-digit code for the user to enter into your form. This is one of the best methods of authentication, but it’s at its strongest when used in conjunction with one of the other two types of identification.
What is 2FA?
Two-factor authentication (2FA), or multi-factor authentication (MFA), combines at least two of the three types of identification. With a one-time passcode (OTP) texted to the customer’s phone, the customer meets the “possession” category. The customer has to physically have the phone associated with the phone number for it to work.
So to meet 2FA, you’d also want to collect information from either the knowledge or inherence categories. For example, in addition to verifying the mobile device, you’d also want the customer to enter a correct password.
For customers without mobile devices, check whether you can deliver the OTP via voice call to a landline. Customers answer the call, write down the code, and enter it into your form to confirm their identity. To maintain security, each code can be used only once, and it typically expires after a couple of minutes.
Verifying the possession of a phone is one of the strongest methods of customer authentication. As long as you have accurate customer information on file, customers can be identified by proving that they are the owners of the numbers you have registered for them in your database.
To prove they are who they say they are, they must have access to that device to receive the OTP, by SMS or by a voice call that reads out the code to a landline. Remember to accommodate customers of all kinds and to keep the authentication process secure yet simple for your customers.
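The OTP properties described in this section (single use, expiry after a couple of minutes, possession combined with a password for 2FA) are easy to get subtly wrong, so here is an added Python example of the server side. It is written for this article and is not code from the article’s author; the 6-digit length, the 120-second lifetime, the 5-attempt limit and the PBKDF2 cost are assumptions chosen for the example, and the store is in-memory with an injectable clock so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120      # "expires after a couple of minutes"
OTP_MAX_ATTEMPTS = 5       # assumption: discard the code after this many wrong guesses
PBKDF2_ROUNDS = 200_000    # assumption: password hashing work factor


class OtpStore:
    """Issues and verifies one-time passcodes: single use, time-limited, attempt-limited."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so tests can move time forward
        self._pending = {}        # phone -> {"salt", "digest", "expires_at", "attempts"}

    def issue(self, phone):
        # secrets, not random: the code must be unpredictable to anyone without the phone
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[phone] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # hand to the SMS/voice gateway; never write it to a log

    def verify(self, phone, submitted):
        rec = self._pending.get(phone)
        if rec is None:
            return False, "no code pending"
        if self._clock() > rec["expires_at"]:
            del self._pending[phone]
            return False, "expired"
        rec["attempts"] += 1
        if rec["attempts"] > OTP_MAX_ATTEMPTS:
            del self._pending[phone]          # even the right code is refused now
            return False, "too many attempts"
        if hmac.compare_digest(rec["digest"], self._digest(rec["salt"], submitted)):
            del self._pending[phone]          # single use: a replayed code fails
            return True, "ok"
        return False, "wrong code"

    @staticmethod
    def _digest(salt, code):
        # Stored hashed so a database read does not hand out live codes;
        # the attempt limit is what actually defeats guessing a 6-digit code.
        return hashlib.sha256(salt + code.encode()).digest()


def register_user(users, phone, password):
    """Knowledge factor: keep a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    users[phone] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
    }


def two_factor_login(users, otp_store, phone, password, otp):
    """2FA = knowledge (password) + possession (OTP sent to the registered phone).

    The password is checked first so a wrong password does not consume the OTP.
    The reason is returned for server-side logging; show the user one generic message.
    """
    user = users.get(phone)
    if user is None:
        # burn the same hashing cost so response time does not reveal whether the phone is registered
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False, "unknown user"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False, "bad password"
    return otp_store.verify(phone, otp)


if __name__ == "__main__":
    users, store = {}, OtpStore()
    register_user(users, "+14155550100", "correct horse battery staple")
    code = store.issue("+14155550100")          # would be sent by SMS or voice call
    print(two_factor_login(users, store, "+14155550100", "correct horse battery staple", code))
    print(two_factor_login(users, store, "+14155550100", "correct horse battery staple", code))
```

Two design choices are worth calling out. Deleting the record on success is what makes the code genuinely one-time, and deleting it on expiry or after too many attempts means a customer simply requests a fresh code, which keeps the flow simple for legitimate users while leaving an impersonator nothing to keep guessing at. The second call in the usage section fails with "no code pending" for exactly that reason.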
It is tricky to make access to sensitive information difficult for hackers yet easy for legitimate users. However, the first and most important step is making sure you keep accurate, up-to-date records. You’ll use this data to verify that your users aren’t bots or hackers attempting a data breach or account takeover.
You can use a phone validation API to validate data at the point of entry and/or a phone verification tool to periodically check phone numbers to make sure they haven’t changed hands. A batch append service can check email, phone numbers, and addresses all at once giving you more options to use for customer authentication. Try it out today!