Guest Post: From frictionless to the right amount of friction
07 August 2018 13:11 GMT

By Andrius Sutas, CEO and co-founder, AimBrain

There are definitely times where a lack of friction is a beautiful thing. Diving. Skiing. Cruising at 35,000 feet heading towards a tropical beach. Gliding through passport control en route to that beach. There are times, however, when we need friction in order to keep us, our data or our finances secure. So let’s stamp out the notion that authentication and security need to become ‘frictionless’, and take a look at the real goal.

It is clear that minimising the obstacles that stand between a customer and an action, from onboarding to authorisation, means a faster, smoother experience for the customer and greater yields for the organisation. But lower the barriers too far to accommodate the user experience and your security is compromised.

What the conversation needs to switch to, in order to be both secure and truly customer-centric, is the notion of adaptive friction: applying the right level of friction based on a scenario, and having the means to step up (and step down) security layers.

What do we want? Friction!

As a customer, I know that friction is in place to ensure that my personal details (and finances) are protected, and that it needs to exist to keep me safe. Of course, if I’m making a routine transaction such as sending £10 to a familiar payee each month, additional security such as 2FA can be an unnecessary and unwanted intrusion.

So in routine transaction scenarios like this, passively tracking my behaviour through the way I type, swipe, key or generally interact with a device should be sufficient to put me in an ‘authenticated state’. But if I’m suddenly transferring my savings into a bank account in Ghana, or purchasing a first edition comic for £25,000 online, I want friction. In fact, I really want friction. I want to know that there are flags and checks in place to alert my bank of abnormal transactions, and that they can step up security by asking me to re-verify myself by requesting a voice or face authentication.

When do we want it? Sometimes! And just the appropriate amount!

Of course, that’s an extreme example. But the same goes for even the more mundane actions. I recently used an example of a true story that happened to me, whereby I went to Dublin for the weekend and on my return, took an Uber from the airport. The next day my card had been blocked and I had to spend half an hour on the phone to the bank answering a pop quiz about my recent gas bill and other random bits of personal trivia. Whilst it was good to know my bank had an eye on my affairs, the friction applied did not correlate with the situation. It did have one positive however; it forced me to look at my gas bill and get a smart meter fitted.

But back to my transaction. As much as I want friction where it’s protecting me, if I am bidding on a collector’s edition comic or I do decide to invest in property in Africa, I want to be able to do it. Asking me to prove my authenticity through a facial or voice biometric challenge (assuming that the technology behind the authentication is uncompromisingly stringent with anti-spoof capabilities and liveness detection) is fast, convenient and secure from my perspective, and immutable evidence that - whatever my unusual shopping behaviours - it’s genuinely me, from the bank’s perspective. This is the appropriate level of friction. Locking down my account and relying on my having to hand various PINs, codes and passwords as well as the time and patience to explain myself, is not.

Multi-module biometrics support individual configuration

A bank’s risk engine builds multiple scenarios based on various security and trust parameters, and employing a multi-module biometrics authentication approach means that it can apply the right amount of friction to any situation.

Behavioural, or continuous, biometrics can now be deployed not just to mobiles but through both mobile and web SDKs, so behaviour can be captured from any device with a touchpad, screen, keypad, keyboard, entry system or even mouse. Using a server-side authentication model means that, regardless of the channel, the individual user can be continually monitored and verified in-session to maintain a ‘trusted state’.

Anomaly detection can be used in tandem to check for irregularities that could signify manual or large-scale simulated attacks, and can even be customised using an enterprise’s annotated fraud data for a more bespoke detection solution. If the trust level dips, simply invoke a step-up challenge: a facial or voice authentication request, or both. Similarly, step down the security as the machine learning engine underpinning the biometric authentication suggests new trusted patterns or behaviours, to make the experience truly customer-centric.
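The step-up and step-down logic described above can be sketched as a small policy function. This is an added illustration, not AimBrain's code or any bank's risk engine; the thresholds, the three friction levels and all names (`Profile`, `Transaction`, `required_friction`, `record_verified`) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Friction(IntEnum):
    PASSIVE = 0          # behavioural monitoring only, no user prompt
    FACE_OR_VOICE = 1    # one step-up challenge
    FACE_AND_VOICE = 2   # both step-up challenges


# Assumed policy values; a real risk engine would tune these per customer.
TRUST_FLOOR = 0.7        # minimum behavioural score for a 'trusted state'
HIGH_VALUE_GBP = 1_000   # amount at or above which a transaction is unusual


@dataclass
class Profile:
    trusted_payees: set = field(default_factory=set)


@dataclass
class Transaction:
    payee: str
    amount_gbp: float
    behaviour_trust: float   # 0.0-1.0 from in-session behavioural biometrics
    anomaly: bool = False    # raised by the anomaly detection module


def required_friction(profile: Profile, tx: Transaction) -> Friction:
    """Return the lowest friction level that covers every risk signal."""
    new_payee = tx.payee not in profile.trusted_payees
    high_value = tx.amount_gbp >= HIGH_VALUE_GBP
    level = Friction.PASSIVE
    # Any single signal (trust dip, new payee, large amount) earns one challenge.
    if tx.behaviour_trust < TRUST_FLOOR or new_payee or high_value:
        level = Friction.FACE_OR_VOICE
    # An anomaly flag, or a large payment to an unseen payee, earns both.
    if tx.anomaly or (new_payee and high_value):
        level = Friction.FACE_AND_VOICE
    return level


def record_verified(profile: Profile, tx: Transaction) -> None:
    """Step down: after a passed challenge the payee is a trusted pattern."""
    profile.trusted_payees.add(tx.payee)
```

Under this policy an unfamiliar but low-value payment, such as the airport taxi fare, triggers a single biometric challenge instead of a card block, and the same payee passes silently afterwards.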

BIDaaS + the appropriate level of friction = happy customers

Deploying these modules using a BIDaaS (Biometric Identity as-a-Service) platform not only allows for myriad configurations, but also delivers a consistent experience across any channel, whichever way the customer interacts with the enterprise.

So let’s stop talking about frictionless, and switch the conversation to applying the appropriate amount of friction. Stepping up and stepping down, configured to suit the trust level and transaction. That’s what today’s consumers want; simply smarter authentication and an adaptive approach to protection.

AimBrain is a Biometric Identity as-a-Service platform with proprietary biometric authentication modules: AimBehaviour, AimVoice, AimFace and AimAnomaly Detection.