What is Cryptographic Authentication and Why Are Leading Companies Moving Away from Risk-Based Authentication?

Post by:
Fitzwilliam Anderson
June 14, 2022
Post by:
No items found.
June 14, 2022
What is Cryptographic Authentication and Why Are Leading Companies Moving Away from Risk-Based Authentication?

As fraud continues to rise and customer expectations for frictionless experiences continue to increase, more and more companies are upgrading outdated risk-based identity authentication technology to more advanced methods such as cryptographic authentication. In this blog post, we’ll explain what cryptographic authentication is and how it is making customer experiences faster and easier while also mitigating more fraud. If you are already familiar with the basics of cryptographic authentication, feel free to skip ahead to the “What is Risk-Based Authentication and Why is Cryptographic Authentication Better?” section or the proof points section at the end of this post.

What is Cryptographic Authentication?

Cryptographic authentication (AKA key-based authentication) allows relying parties (financial institutions, companies, and governments) to trust that the data asserted by users during authentication and verification events is actually true by leveraging cryptography as the source of truth.

Cryptography refers to the science of writing or solving codes. Encryption, “the application of cryptography,” is “the process of converting plain text into a cipher, which can’t be figured out without a key.” Think of the phone number (more specifically, the unique serial number found on every SIM card) as the key used to unlock the encrypted data contained in Prove’s tokens

What is Risk-Based Authentication and Why is Cryptographic Authentication Better?

Risk-based authentication (RBA) utilizes machine learning techniques and data to assess the level of risk behind a particular transaction. In short, it uses data from past behavior to predict future behavior. Today, risk-based authentication is the predominant way companies determine whether or not an authentication event or transaction is legitimate or should be flagged. 

While RBA has grown more sophisticated by incorporating more advanced machine learning techniques to analyze new types of data (IP addresses, historical transaction velocities, and consumer spend profile), it suffers from a fatal flaw: regardless of how sophisticated the machine learning tools are, they are susceptible to inaccurate data sources which can lead to inaccurate predictions.

If Risk-Based Authentication (RBA) has grown more sophisticated, why is fraud increasing?

First, some context. As more transactions become digital, there will be both a greater volume of transactions and a larger pool of money in aggregate that is at risk of fraud. The shift toward digital transactions as the primary way of conducting business gives bad actors both more opportunities and greater incentives. After congress raced to make hundreds of billions of dollars’ worth of Pandemic Unemployment Assistance payments available, for example, fraudsters quickly followed suit and siphoned off an estimated $87 billion.

That being said, the limitations of risk-based authentication are also contributing significantly to the rising rates of fraud. The Achilles heel of RBA can best be summarized by an old computer science adage: garbage in, garbage out. 

Imagine you are pulling your credit score. In order to pull a credit score, you need to present personally identifiable information (PII) that, in theory, only you should know (your SSN, for example). Unfortunately, we live in a digital environment where PII is easy to access as a result of large and frequent data breaches. Once a fraudster has your data, they can pull your credit report and even add fake data to your various online credit profiles, creating a synthetic identity without your knowledge. RBAs will then analyze these synthetic identities (garbage in) and make inaccurate risk-based assessments (garbage out).

Why is Cryptographic Authentication Better?

Cryptographic authentication is needed to ensure that the data fed into machine-learning systems is tied to the consumer and not a bad actor.

Prove accomplishes this by ensuring that the identity of the consumer is cryptographically authenticated prior to trusting the information that is submitted. We do this using a variety of methods – for example, by requiring the consumer to prove possession of a known phone number. By running a possession check, Prove implicitly links the consumer’s SIM card’s authentication to the cellular network to ensure the company is talking to the right person. 

To use the credit score example again, Prove can easily stop the bad actor from pulling a victim's credit score even if the bad actor knows all the relevant information about the victim. This is achieved by forcing an authentication to a known cryptographic key (such as a phone number) into the transaction flow. This is the reason Prove has focused significantly on phones and phone numbers as a means of authentication. However, this overall approach is not limited to phones or phone numbers but rather the usage of a cryptographic key tied to a person.

Proof Points: How one leading card issuer used cryptographic authentication to achieve a 92% pass rate with only 3 bps of fraud.

When companies adopt Prove’s cryptographic authentication, pass rates for legitimate customers increase while fraud decreases significantly. 

The graphs that follow are based on the analysis of nearly 200,000 customer transactions from January to April 2021 and 1,000+ fraudulent transactions from June 2019 to June 2021.

When holding the acceptable fraud rate at 3 basis points (bps) or 3 fraud occurrences out of 10,000 transactions, Prove’s combination of cryptography and Machine Learning is expected to provide an 86% pass rate versus the 74% achieved by RBA alone. However, one financial services company was able to exceed expectations and achieved a 92% pass rate with 3bps of fraud when using Prove’s cryptographic authentication model.

The next graph shows the fraud capture rate versus the review rate as an alternative way of illustrating the power of adding machine learning to cryptography. It shows that within the 10% riskiest portion of the population, Prove’s model can capture 57% of the fraud versus the RBA’s 45%.

As illustrated by the graphs, cryptographic authentication provides companies with a smarter way to calculate risk and prevent fraud. 

Interested in learning more about how cryptographic authentication can help you reduce your company’s fraud rates while boosting pass rates? Contact us to speak with an expert.

Create secure frictionless customer experiences using modern identity solutions

Join over 1,000 businesses that rely on Prove across multiple industries, including banking, FinTech, healthcare, insurance, and e-commerce. Contact us today.

Keep Reading...Read our latest white-paper on this subject!

Tap the button below to read our latest white-paper on the subject as industry leaders.

Accelerate your onboarding

Contact us to learn how leading companies are using Prove Pre-Fill to modernize the account creation process by shaving off clicks and keystrokes that kill conversion.

Create frictionless customer experiences

Get in touch to find out how we can help you identify your customers at every stage of their journey and offer them seamless and secure experiences.

Schedule a demo

Let our expert team guide you through our identity verification and authentication solutions. Select a date and time that works for you.

Schedule a demo

Find out how we can help you deliver seamless and secure customer experiences that comply with PSD2/SCA. Select a date and time that works for you.

Interested in more information about Prove Pre-Fill?

Download Aite-Novarica Group’s full report about Prove Pre-Fill, including a product overview, customer results, and how the product works.

Interested in more information about MFA?

Download the guide now to learn how you can improve security, cut down on fraud, and create the best possible customer experience.