Most people have had to go through the slow, and sometimes frustrating, process of standing in an airport security line at least once in their life. While not convenient for frequent flyers, we understand that although it is time consuming, it is vital to ensure security for people's lives. However, this is not how customers want their online security experience to be.
Consumers use a PC or mobile device as a means of convenience, and most are hardly willing to deal with a difficult process. We want to transact without interruption. We expect security, but we do not want to have to take extra steps to confirm our identity every time we want to transfer money or make a purchase using our mobile device. I get it because I am a consumer too.
With all of the social media breaches that have occurred recently, it is obvious that passwords alone as a means of authentication are dead. The fact is we as consumers are lazy. We do not use enough unique usernames and passwords to keep our identities secure from hackers. This is why most service providers have to provide some level of security to be built in to their Web or mobile applications because WE are a risk to THEM.
This has never been more true than with the mobile channel with the drastic rate of growth coming from mobile devices in recent years. According to a study of traffic across RSA's Adaptive Authentication hosted customers, transactions coming from the mobile channel has grown 66% Y/Y since 2012 compared to just 15% in the Web channel. In 2015, the mobile channel accounted for over 40% of transaction volume.
And with that comes the threat of cybercrime. Fraud attempts originating from mobile devices increased 170% from 2013 to 2015. The conclusion: Cybercriminals are migrating to what they perceive to be less protected channels.
Any organization delivering services to their customers through a mobile app faces a huge challenge: how do I minimize the risk of fraud or chargebacks and keep my customers' accounts safe without discouraging end users?
Customer experience is critical when developing mobile apps. Customers are looking for convenience when conducting business through a mobile application. Interaction in the mobile channel should not leave consumers with the same feeling of dread that they get when the see long security lines at the airport. So how do you build security in around these expectations?
The practical solution is risk-based authentication which still allows users to maintain the username and password experience they have become accustomed to within the Web channel, but provides organizations the ability to conduct a real-time risk assessment for each and every transaction without interrupting the user. On average, less than five percent of users are asked to provide additional validation of who they are. Risk-based authentication also allows for organizations to select the step-up method they want to use for transaction verification.
Biometrics seems to be the direction a lot of companies are heading for step-up. This is true especially for banks. A recent RSA survey actually showed that over 90% of banks are currently or intend to explore the use of biometrics in their mobile apps sometime within the next six to twelve months. Some banks have even deployed risk-based authentication coupled with biometrics as a way to drive adoption of digital banking services. Other businesses such as retail and E-commerce are sure to follow this lead.
Consumer security is ultimately about reducing risk while preserving the user experience. The last thing that organizations want to do is drive business away. Have you ever abandoned your shopping cart or left a transaction incomplete because the site was not easy to use? With mobile applications, it is even more difficult to maintain that user experience as consumers are working from a device that fits in their hand. This is what makes the balance of user experience and security so delicate within the mobile channel - and the job for app developers so critical.
Author: Heidi Bleau
Category: RSA Fundamentals
Keywords: Authentication, Consumer Security, Cybercrime and Fraud, Mobile, Mobile Shopping, Online Shopping