But here’s the thing about friction: it’s a force, and forces are not inherently bad. Gravity, for example, is highly inconvenient when you’re underneath a falling piano, but highly useful when it’s preventing the earth from breaking up into chunks and floating off into space. Similarly, the idea of ‘frictionless banking’ implies that friction serves no purpose, when in fact it has some very important functions.
The right kind of friction
If you’re making a regular payment to a registered supplier, you probably don’t want to deal with multiple authentication steps. You trust the person or organisation that you’re paying, and you don’t need to confirm it again every time you transact with them: a voice command, a selfie, or a fingerprint ought to be enough.
But what about new, more complicated behaviours? If you want to set up an international standing order, empty one account into another or spend your child’s inheritance on a Patek Philippe wristwatch, you should be able to – but not without extra layers of confirmation.
Without the necessary friction provided by a step-up authentication process, the system can’t tell the difference between someone intending to use their money and a fraudster intending to steal it. It can be frustrating when it’s triggered by a taxi ride or a harmless, impulsive bet – nobody likes having to ring the bank to confirm that they are, in fact, themselves. That said, the aim should be to reduce annoying friction, not eliminate the good friction.
Acceptable and unacceptable risk
This can be done by applying step-up and step-down authentication in real time: analysing the fraud risk to maximise convenience where appropriate and security where necessary. Technology empowered with passive behavioural authentication can monitor behaviour in-session. Using deep learning and a context-driven model to analyse user information, it can build a bigger picture of typical and atypical actions. In doing so, it can develop an understanding of what is and what isn’t a security risk.
The system will ‘step up’ to an organisation’s existing security mechanism (which could be a password re-entry, or voice or face authentication) when a transaction seems suspicious or strange – and ‘step down’ when behaviours are normal or routine. If you’re clicking, moving, typing, or swiping in a way that doesn’t match your normal style, the technology will know about it.
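The step-up/step-down decision described above can be sketched as a small policy function. This is an added example, not code from the article or from any vendor's product: the field names, weights and threshold are assumptions, and `behaviour_match` stands in for the output of a passive behavioural model.

```python
from dataclasses import dataclass
from typing import Optional

STEP_UP_THRESHOLD = 0.5  # assumed cut-off, illustration only


@dataclass
class Transaction:
    amount: float
    typical_amount: float             # customer's usual payment size
    known_payee: bool                 # registered supplier paid before
    international: bool
    balance_fraction: float           # share of the account being moved, 0..1
    behaviour_match: Optional[float]  # 0..1 from a behavioural model; None if unavailable


def risk_score(tx: Transaction) -> float:
    """Combine context signals into a 0..1 score (weights are assumptions)."""
    score = 0.0
    if not tx.known_payee:
        score += 0.3
    if tx.international:
        score += 0.2
    if tx.balance_fraction >= 0.9:          # emptying the account
        score += 0.5
    if tx.amount > 5 * tx.typical_amount:   # far above normal spend
        score += 0.2
    score += 0.6 * (1.0 - tx.behaviour_match)  # typing/swiping unlike the owner
    return min(score, 1.0)


def decide(tx: Transaction) -> str:
    # Fail closed: with no behavioural signal, fall back to explicit authentication.
    if tx.behaviour_match is None:
        return "step_up"
    return "step_up" if risk_score(tx) >= STEP_UP_THRESHOLD else "step_down"


# Constructed sample transactions, not real data.
REGULAR = Transaction(40, 50, True, False, 0.02, 0.95)
TAXI = Transaction(25, 50, False, False, 0.01, 0.90)
INTL_ORDER = Transaction(200, 50, False, True, 0.10, 0.90)
DRAIN = Transaction(9500, 50, True, False, 0.95, 0.90)
ODD_INPUT = Transaction(40, 50, True, False, 0.02, 0.10)
NO_SIGNAL = Transaction(40, 50, True, False, 0.02, None)

if __name__ == "__main__":
    for name in ("REGULAR", "TAXI", "INTL_ORDER", "DRAIN", "ODD_INPUT", "NO_SIGNAL"):
        print(name, decide(globals()[name]))
```

The taxi fare to a new payee stays below the threshold, while the same routine payment entered with unfamiliar behaviour crosses it, so the behavioural signal decides cases that transaction context alone cannot.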
Holding up a transaction is understandable when it’s high-value and high-risk; less so when it’s part of your day-to-day purchase process. With the right kind of authentication technology, you can apply the right amount of friction – but not so much that the user starts to chafe.