With constant news of data breaches exposing user credentials, traditional username-and-password authentication is no longer sufficient on its own. Most users reuse the same credentials across many sites, so a single breach hands bad actors a ready-made list to replay against every other site those users visit (credential stuffing), leaving accounts vulnerable well beyond the service that was actually breached.
» TIP: Check out haveibeenpwned.com to see the latest and largest breaches, and check if you’ve been compromised.
This threat underscores the importance of protecting digital identities: ensuring a user is indeed who they say they are before granting sensitive access. Multi-factor authentication (MFA) is the industry standard for securing accounts and supplementing username-and-password authentication with a second, independent layer of defense. Factors fall into three main buckets:
- Something you know (the password itself; security questions also fall here, but their answers are often discoverable and make a weak factor)
- Something you have (e.g. a one-time code sent by text message to your phone, an authenticator app, or a hardware security key)
- Something you are (e.g. a fingerprint or face biometric).
MFA drastically reduces the likelihood of account takeover, safeguards sensitive data and makes consumers feel that their online information is more secure. But MFA is not infallible, and not all factors are created equal: they vary in resistance to phishing and man-in-the-middle relay (a one-time code from SMS or an authenticator app can be captured and replayed in real time by a phishing proxy, whereas an origin-bound FIDO2/WebAuthn credential cannot), in susceptibility to social engineering (SIM swapping against SMS codes, or talking a user into reading out a code), and so on. Moreover, attackers are reaching levels of sophistication that go beyond what passwords and basic MFA can effectively handle.
Indiscriminate use of MFA can also cause customer frustration and abandonment. In an environment of shrinking attention spans and heightened consumer expectations, a friction-filled authentication flow can lead to significant churn.
MFA solutions have become more adaptive, however, as many efforts have been made to bridge the gap between security and usability. A combination of rules is often used to decide when to prompt for MFA: for example, prompt only when the login comes from an unrecognized device, from an IP address or network the account has never used, or from a location that is implausible given where the user last logged in. The ultimate goal is to give users the experience they deserve, optimizing account-specific experiences for your good customers while thwarting bad actors.
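The following is an added example of a rule-based step-up decision of the kind described above; it is illustrative code written for this page, not Forter's or any vendor's engine. It scores each login against the account's history using the three rule families mentioned (device, IP/network, geolocation, the last one implemented as an impossible-travel check), and only promotes a device or network to "known" after the login has actually succeeded, so an attacker cannot whitelist themselves by merely attempting. All names, weights, thresholds, ASNs (from the private-use range) and sample events are constructed assumptions, not real policy values.

```python
"""Risk-based MFA step-up decision (illustrative example, not vendor code).

Weights and thresholds below are invented for the demo: a real policy
would be tuned against observed fraud and false-positive rates.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class LoginEvent:
    user: str
    device_id: str   # hypothetical stable device fingerprint / cookie id
    ip: str
    asn: int         # hypothetical result of an IP -> ASN lookup
    lat: float       # hypothetical result of an IP -> geolocation lookup
    lon: float
    ts: int          # unix seconds


@dataclass
class AccountHistory:
    known_devices: set = field(default_factory=set)
    known_asns: set = field(default_factory=set)
    last_login: Optional[LoginEvent] = None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * r * asin(sqrt(a))


def risk_score(event, history, max_kmh=900.0):
    """Return (score, reasons). max_kmh ~ fastest plausible commercial travel."""
    score, reasons = 0, []
    if event.device_id not in history.known_devices:
        score += 40
        reasons.append("new_device")
    if event.asn not in history.known_asns:
        score += 20
        reasons.append("new_asn")
    prev = history.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        hours = max((event.ts - prev.ts) / 3600.0, 1 / 60)  # floor at one minute
        if km / hours > max_kmh:
            score += 50
            reasons.append("impossible_travel")
    return score, reasons


def decide(event, history, step_up_at=40, deny_at=100):
    """Map a score to allow / mfa / deny. Both thresholds are assumptions."""
    score, reasons = risk_score(event, history)
    if score >= deny_at:
        return "deny", score, reasons
    if score >= step_up_at:
        return "mfa", score, reasons
    return "allow", score, reasons


def record_success(event, history):
    """Only a completed (and, if prompted, MFA-passed) login updates history."""
    history.known_devices.add(event.device_id)
    history.known_asns.add(event.asn)
    history.last_login = event


def run_demo():
    """Constructed sequence of logins for one account; returns the decisions."""
    t0 = 1_700_000_000
    nyc, london = (40.7128, -74.0060), (51.5074, -0.1278)
    hist = AccountHistory(known_devices={"dev-A"}, known_asns={64512})
    events = [
        LoginEvent("alice", "dev-A", "198.51.100.10", 64512, *nyc, t0),            # routine
        LoginEvent("alice", "dev-A", "203.0.113.7", 64513, *nyc, t0 + 1800),       # new network only
        LoginEvent("alice", "dev-B", "192.0.2.99", 64514, *london, t0 + 5400),     # NYC->London in 1h
        LoginEvent("alice", "dev-B", "198.51.100.10", 64512, *nyc, t0 + 90000),    # new device, next day
    ]
    decisions = []
    for ev in events:
        action, score, reasons = decide(ev, hist)
        decisions.append((action, score, reasons))
        if action != "deny":  # "mfa" assumed to have been passed for the demo
            record_success(ev, hist)
    return decisions


if __name__ == "__main__":
    for action, score, reasons in run_demo():
        print(f"{action:5s} score={score:3d} {reasons}")
```

The history update is deliberately tied to a successful authentication rather than to the attempt, and a "deny" never writes to history; otherwise a single forged login would teach the system that the attacker's device is trusted. The impossible-travel rule floors the elapsed time at one minute so a burst of back-to-back attempts from two geolocations cannot divide by zero.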
3DS/PSD2 in EMEA
Customer authentication and MFA have not just become accepted practice in online eCommerce, they have also been codified into law in various regions and countries. In 2015, the EU adopted PSD2, a revised directive intended to regulate payment services and protect consumers throughout the EU and European Economic Area (EEA). Its most important component for merchants is the requirement of Strong Customer Authentication (SCA): a payer must be authenticated with at least two independent factors drawn from the knowledge, possession and inherence categories above. The card-network protocol most commonly used to satisfy SCA for online card payments is 3-D Secure (3DS).
3DS lets the issuing bank authenticate the cardholder during checkout on the merchant's page, either by challenging the shopper directly or, under 3DS2, by approving silently on the strength of risk data the merchant passes along. A successfully authenticated 3DS transaction shifts liability for fraud-related chargebacks from the merchant to the issuer. And while 3DS2 improves considerably on 3DS1, it is not a "silver bullet."
On the positive side, 3DS provides an added layer of security, shifts liability off the merchant, raises a shopper's confidence in their online security and allows merchants to remain compliant under regulations like PSD2. The drawbacks are added friction in the consumer's journey, which can lead to cart abandonment, and authentication failures that surface as false declines.
The bottom line is that merchants who take a blanket approach and challenge everyone with 3DS lose up to 30% of transactions to failure or abandonment. But when 3DS, like all MFA, is applied selectively to risky transactions, the positives far outweigh the negatives, and merchants have the opportunity to recover up to 80% of that lost revenue.
Where are we? How can we improve?
Thanks to its network and close working relationships with its customers, Forter was able to use that data to identify trends in security and identity incidents. In 2021, fraudulent account creation rose 109% worldwide, with up to 4% of new-account attempts being fraudulent. In the U.S. alone, account takeover (ATO) attacks rose 90%.
At login, 0.5% to 1.5% of all attempts are suspected ATO, and an estimated $16.9 billion is lost to ATO attacks each year. On the customer-experience side, 19% of consumers said they would not shop at a retailer again if their personal information were compromised there.
But there is a way forward: when merchants reduce or remove unnecessary authentication friction, conversion rates rise by more than 35%. More importantly, it shows consumers that their online security is taken seriously, which strengthens a long-term relationship with your business.
The New Frontier
Forter optimizes more touch points than any other fraud prevention company and protects the entire customer experience, from signup and pre-purchase to post-purchase policy enforcement. Our solution is event-driven and can be invoked as needed, only when it makes sense within the environment, making dynamic, real-time decisions on when to apply friction and when not to, and thereby making targeted, strategic use of an existing CIAM solution.
Forter is the Trust Platform for digital commerce. We make accurate, instant assessments of trustworthiness across every step of the buying journey. Our ability to isolate fraud and protect consumers is why Nordstrom, Sephora, Instacart, Adobe, Priceline, and other leaders across industries have trusted us to process more than $500 billion in transactions. Click here to learn more.