Designing for
Continuous Authentication
CMU MHCI capstone project sponsored by Mastercard
Year of 2018
Continuous Authentication is a large topic that involves many different stakeholders, each in a different way. Authentication has many uses and touch points, and it presents itself differently to each of these parties.
We define Continuous Authentication as "a system that verifies who you are, whenever you need it, without you thinking about it." Behind this idea is a large technology effort pushing authentication beyond usernames, card numbers, and passwords. Instead of relying on two-factor authentication at a single point in time, Continuous Authentication uses machine learning over large volumes of data to recognize patterns in card use in aggregate as well as behaviors unique to each individual.
From device and location information, to biometrics and behaviors, as well as trends across all users, Continuous Authentication draws on the order of 40 or 50 factors instead of merely one, two, or three. Instead of a binary (logged in, logged out) paradigm, authentication becomes a gradient: individuals carry a 'trust score' rather than simply being logged in or out. This trust score varies with the cardholder's behavior and patterns at any given time, and can be polled by a merchant at checkout. Overall, Continuous Authentication is a new, more robust alternative to the traditional username and password model, one that can make the checkout experience faster as well as much more secure.
One of the key benefits of Continuous Authentication is its continuous nature. This also makes it difficult for many users to understand, because it is so different from a typical password login. Because the system is always monitoring a variety of data sources, it can provide a trust score at any given moment based on the combination of all those factors. For the end user, this means they can be authenticated in the moment, whenever they need it, without a separate login step.
From a product standpoint, it is harder to say where the data aspects of Continuous Authentication live. The data pathways and storage components are still open questions. The data itself is likely to be stored by Mastercard, with merchants pulling a trust score, and possibly other data, from an API at time of purchase. The exact technical sequence of events will vary by product and implementation.
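To make the "gradient, not binary" idea concrete, here is an added example (not Mastercard's model; the page publishes no scoring formula) that combines several constructed signals into a trust score whose value decays as the evidence behind it ages, and then applies a merchant-side policy to the polled score at checkout. The signal names, weights, half-lives, decay formula and decision thresholds are all assumptions chosen for illustration.

```python
"""Illustrative trust-score model for Continuous Authentication.

Added example for this page: it is not Mastercard's scoring model (the page
publishes none). The signal names, weights, half-lives, the decay formula and
the merchant thresholds are all assumptions chosen to show the idea of a
graded, time-sensitive trust score rather than a logged-in/logged-out flag.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Signal:
    """One observation about the cardholder (constructed input)."""
    name: str           # which factor this is; must be a key of HALF_LIFE
    match: float        # 0.0 = contradicts the cardholder's profile, 1.0 = matches
    weight: float       # relative importance of this factor (assumption)
    observed_at: float  # epoch seconds when the observation was made


# Assumed half-lives: how long each factor keeps its evidential value.
# A location fix goes stale in minutes; a known device stays meaningful for days.
HALF_LIFE = {
    "device": 7 * 24 * 3600,
    "location": 3600,
    "typing_rhythm": 900,
    "card_history": 30 * 24 * 3600,
}

MIN_COVERAGE = 0.25  # below this, fall back to an explicit check (assumption)


def trust_score(signals: Iterable[Signal], now: float) -> Tuple[float, float]:
    """Combine signals into (score, coverage).

    score    : freshness-weighted average of the matches, in [0, 1].
    coverage : share of the total possible weight that is still fresh, in [0, 1].
               Low coverage means the score rests on stale data and should not
               be trusted on its own, whatever its value.
    """
    weighted_match = 0.0
    fresh_weight = 0.0
    total_weight = 0.0
    for s in signals:
        age = max(0.0, now - s.observed_at)
        freshness = 0.5 ** (age / HALF_LIFE[s.name])  # exponential decay
        w = s.weight * freshness
        weighted_match += w * s.match
        fresh_weight += w
        total_weight += s.weight
    if fresh_weight == 0.0:
        return 0.0, 0.0
    return weighted_match / fresh_weight, fresh_weight / total_weight


def merchant_decision(score: float, coverage: float, amount: float) -> str:
    """Policy a merchant might apply to a polled score at checkout.

    Returns 'approve', 'step_up' (ask for an explicit factor) or 'decline'.
    The required score rises with the amount: a small purchase tolerates more
    uncertainty than a large one. Thresholds are assumptions.
    """
    if coverage < MIN_COVERAGE:
        return "step_up"  # stale evidence never authenticates silently
    required = 0.6 + 0.3 * min(amount / 1000.0, 1.0)  # ranges 0.6 .. 0.9
    if score >= required:
        return "approve"
    if score >= required - 0.25:
        return "step_up"
    return "decline"


if __name__ == "__main__":
    NOW = 1_700_000_000.0  # constructed timestamp
    # Constructed scenario: usual phone, at home, typing normally.
    usual = [
        Signal("device", 1.0, 3.0, NOW - 600),
        Signal("location", 1.0, 2.0, NOW - 300),
        Signal("typing_rhythm", 0.9, 2.0, NOW - 120),
        Signal("card_history", 0.8, 1.0, NOW - 86400),
    ]
    # Constructed scenario: device last seen a month ago, location contradicts.
    odd = [
        Signal("device", 1.0, 3.0, NOW - 30 * 86400),
        Signal("location", 0.0, 2.0, NOW - 300),
        Signal("typing_rhythm", 0.9, 2.0, NOW - 120),
        Signal("card_history", 0.8, 1.0, NOW - 86400),
    ]
    for label, sigs in (("usual", usual), ("odd", odd)):
        score, cov = trust_score(sigs, NOW)
        print(f"{label}: score={score:.2f} coverage={cov:.2f} "
              f"$50->{merchant_decision(score, cov, 50)} "
              f"$5000->{merchant_decision(score, cov, 5000)}")
```

Two design points are worth noting. The merchant never sees the raw signals, only the score (and here a coverage figure) returned by the API, which is the division of responsibility the page describes. And a high score built entirely on old observations is deliberately not enough to approve: the continuous aspect only delivers its security benefit if the score reflects recent evidence, so the policy steps up to an explicit factor when coverage is low.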
Continuous Authentication works better today in digital shopping contexts, since it leverages many of the digital data points that are already used to detect fraud online, and it will likely be adopted for online customers well before brick-and-mortar stores. Physical store points of sale will require a significant capital investment that only large corporate retailers will be able to make at first: think Amazon Go.
While consumers want to be safe, security often takes a back seat to convenience. Continuous Authentication has a two-fold benefit for cardholders: the potential for a quicker checkout, and more layers of protection against identity theft and fraud.
Merchants stand to gain through reduced cart abandonment online and smoother checkouts overall. The fraud side helps them as well, through a possible liability shift. A liability shift is a change in who bears the financial responsibility, whether merchant, bank, or credit card company, when a fraudulent transaction takes place. With Continuous Authentication, liability would shift back to the processor or issuer, and overall fraud would drop.
Issuers, like merchants, stand to gain the most on the fraud side, most likely through a better ability to recognize fraud in the moment, especially in card-not-present situations, and through fewer false declines across the board. Issuers could also use these technologies to gain insights into consumer behavioral trends.
Mastercard is in a unique position to implement Continuous Authentication across a range of products, from cardholder-facing experience applications to B2B and back-of-house fraud reduction efforts. Beyond these immediate opportunities, a successful implementation could open a new line of business in identification-as-a-service. This set of design guidelines is written specifically for Mastercard designers, product managers, and technologists, as well as their partners, to better inform the discussion around this new paradigm.