Today’s consumer, empowered by technology and market dynamics, has high service-level expectations; meeting them delivers customer satisfaction and drives loyalty. The customer engagement model has evolved from solely physical to a combination of physical and digital channels, with consumers expecting an exceptional and consistent experience.
Delivering a ‘frictionless journey’ is now a reality. Consumers are accustomed to making low-value payments using a card or mobile device without the disruption caused by entering a complex passcode. However, there remains a significant opportunity to further improve the customer experience: authentication methods commonly include PINs, passwords or ‘memorable’ phrases, which may be challenging to recall or enter. A token reader or key fob may be required to authenticate by physical token, which further hinders an intuitive, user-friendly transaction.
The challenge for organizations seeking a competitive advantage in the marketplace is to offer a superior experience without compromising security.
The Frictionless Authentication project seeks to deliver innovative methods for improving the user authentication experience. Pioneered by the Emerging Technology Services (ETS) group in the UK, this project began in 2012 with an Extreme Blue project that ran in IBM Hursley. The Extreme Blue team worked closely with a bank to address the following problem statement:
‘The challenge is to develop an approach to “frictionless” customer identification and verification – i.e. to remove or at least minimise inputs needed by the customer to enable their identity to be confirmed’.
From initial user testing, it became immediately apparent that the password burden on usability was too great. The bank reported a high volume of users who struggled to access core services due to the need to recall and enter a complex passcode. This burden had cost implications for the business and required support desk staff to assist users through the authentication process. Users who had entered an incorrect password too many times were forced to reset their password by re-registering the bank app. In short, the customer experience failed to meet expectations and compared poorly to competitors’ services.
The solution developed by the IBM team delivered an innovative approach to customer authentication. The solution is based on a layered approach to authenticating the customer. Rather than relying on the user’s ability to recall a PIN, this solution gathers information about the user from a variety of sources. This information is used to build a context which represents the user. Analysis of this context produces a ‘trust’ metric, which represents the confidence the business has in the identity of the user — in other words the level of confidence that the user is who they claim to be.
At the core of the solution is a context-aware evaluation process that determines the level of risk associated with a user’s session and the degree of authentication required to provide sufficient assurances about the user’s authenticity. The level of risk may vary throughout a user session and may depend on factors that are either internal or external to the app.
For example, imagine a scenario in which the customer chooses to check their account balance. The customer is at home, it’s early evening and their smartphone is connected to the home wireless network – a fairly low-risk scenario. Wouldn’t it be convenient if the banking app would authenticate the customer without prompting? In this scenario, three contextual factors (location, time of day and network identity) may be used to drive the authentication process and, given the low-risk nature of the interaction, may remove the need for customer interaction during authentication. Of course, in other scenarios, the system may select a different combination of authentication factors.
Frictionless authentication provides a solution for businesses to enhance the customer journey by reducing, or eliminating, the presence of friction during the authentication process. The business retains complete control of risk, by defining a profile that consists of several levels of risk, with each level dictating authentication requirements. In a banking scenario, low risk may represent access to limited account information, whilst high risk may represent monetary transfers. In a retail scenario, risk may be linked to the total value of a shopping basket. The business tailors an authentication policy that seeks to minimize the degree of user friction: for our clients this can lead to improvements across all customer ‘touch points’, resulting in a consistently exceptional experience. This is of particular importance where a high-quality customer experience is viewed as a competitive differentiator.
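The evaluation described above can be sketched as a small policy engine. This is an added example, not IBM's implementation: the point values, thresholds, factor ordering and all names (`trust_score`, `required_factors`, the sample profile and contexts) are constructed assumptions chosen to mirror the home/evening/home-network scenario.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Context:
    location: str      # coarse location label, e.g. "home"
    local_time: time
    network_id: str    # e.g. Wi-Fi SSID; client-reported, so spoofable

@dataclass(frozen=True)
class UserProfile:
    known_locations: frozenset
    usual_hours: tuple          # (start, end) as datetime.time
    trusted_networks: frozenset

# Constructed values: points per contextual factor (assumption, not from the page).
CONTEXT_POINTS = {"location": 40, "time": 20, "network": 40}
# Business-defined risk profile: trust required per risk level.
REQUIRED_TRUST = {"low": 70, "high": 130}   # high > 100: context alone never suffices
ACTION_RISK = {"view_balance": "low", "transfer_funds": "high"}
# Explicit factors, ordered from least to most user friction, with trust gained.
STEP_UP = [("fingerprint", 50), ("password", 40), ("hardware_token", 60)]

def trust_score(ctx, profile):
    """Build the 'trust' metric from the session context."""
    start, end = profile.usual_hours
    score = 0
    if ctx.location in profile.known_locations:
        score += CONTEXT_POINTS["location"]
    if start <= ctx.local_time <= end:
        score += CONTEXT_POINTS["time"]
    if ctx.network_id in profile.trusted_networks:
        score += CONTEXT_POINTS["network"]
    return score

def required_factors(action, ctx, profile):
    """Return explicit factors to prompt for ([] = frictionless), or None to deny."""
    needed = REQUIRED_TRUST[ACTION_RISK[action]]
    trust, prompts = trust_score(ctx, profile), []
    for factor, gain in STEP_UP:
        if trust >= needed:
            break
        prompts.append(factor)
        trust += gain
    return prompts if trust >= needed else None

PROFILE = UserProfile(frozenset({"home"}), (time(7), time(23)), frozenset({"home-wifi"}))
AT_HOME = Context("home", time(19, 30), "home-wifi")           # constructed sample
UNKNOWN = Context("unknown", time(3, 0), "airport-free-wifi")  # constructed sample
```

Because the high-risk threshold sits above the maximum context score, a monetary transfer always requires at least one explicit factor, while a balance check from the usual context needs none.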
Since our work began, the financial industry has led the way in the UK with the adoption of frictionless authentication schemes. We are observing a shift towards the use of a diverse range of authentication methods, which in some cases removes the need for password entry altogether. Factors for authentication in commercial use today, or forming part of a trial, include:
- tokens, both hardware and software varieties;
- biometrics, both physical methods including ECG, voice, face and fingerprint recognition and behavioral methods;
Additionally, some banks have adopted a tiered approach to authentication allowing users to conduct low-risk actions, such as when viewing an account balance, without the need to enter a password.
Significantly, we have recently sold the Frictionless authentication solution to a UK retailer as part of a 5-year digital transformation programme that has seen 44% of all sales move online, half of which are now on mobile devices. The retailer is working with IBM to deliver a first-in-industry ‘Frictionless Commerce’ solution, which allows customers to complete the ‘browse-to-buy’ journey without a password, thereby increasing sales by avoiding abandonment. The solution enables customers to be authenticated in the most appropriate way based on their current circumstances. As an additional bonus, IBM had never transacted any security business with this retailer prior to 2015. Before the sale of the Frictionless authentication solution, security was viewed as a ‘cost to be managed’, rather than an opportunity to grow revenue.
The ETS team continue to pursue commercial opportunities around Frictionless authentication. Further details of our work can be found at https://w3-connections.ibm.com/communities/community/frictionless