When the user tries to login attempt, the adaptive security layer generates a risk score based on configured IT policies for how likely the login/signing attempt is to be from a compromised source or not.
There are various factors such as accessing from the new device, compromised or rooted device, spam request, IP address, blocked ISP, Geolocation, remote access app exists in the device like any desk, team-viewer, user behavior, etc. If the risk score level is medium, then the adaptive security layer adds a multi-factor of authentication to complete the transaction. If the risk is high, then the adaptive security layer blocks the access.
Adaptive authentication for digital banking will categorize based on the below
Attributes
Various attributes of digital banking platforms i.e., Username, Password, MPIN, and OTP are used for the authentication of users. If the user attempt to use a valid credential, then allowed to access the services with single-factor authentication, if the user tries multiple attempts with the wrong credential, then the adaptive authentication layer will ask 2-Factor authentication after entering valid credentials. For 2FA, it could be OTP or security questions as additional security asks the user.
Device
Device profiling analyzes the device from which the user is accessing Bank’s website or mobile application. Adaptive authentication compares the profile of a device with previous devices used by the user in the past. The device profile is used to discover whether the current device is the same from which the user typically requests access or if the device has been connected to previously known fraud. Parameters analyzed include IP address, Geolocation, operating system version, browser type, and other device settings.
If the user tries to access digital banking services from new devices, then the adaptive security layer adds multi-factor authentications to complete the transaction to prevent access from an unknown device. Also, the device security layer detects rooted or compromised devices and prevents running the application on them.
Some use cases of device authentication i.e., suppose the user tries to login attempt from the new device then the adaptive security layer asks for device registration through SIM-based SMS sent to the Bank’s number that contains the device information in an encrypted format and the same request is sent by application through API to the server for registration if both match then allowed to register the new device for access digital banking services.
Location
Geolocation also needs to record for each transaction to prevent fraudulent attempts. If a request receives from an outside country, then it will add multi-factors of authentication to complete the transaction. For example, A person is in X location (we can know from GEO Location) and after 10 mins. makes a transfer of 100000 from Y location (far 1000 Km from X location), App. will pose security challenges rather than denying the transaction. The user will get conditional access to that transaction since it’s a large amt. if the user passes the security hurdle, the transaction will be done.
Network Resource
Network resource also plays the lead role in securely completing the transaction, Adaptive authentication will check the received request’s IP address, does the IP address fall within a certain range? If not, then the adaptive security layer adds a multi-factor of authentication to complete the transaction. Deployment resources i.e., Server hardware, WAF (Web Application firewall), ISP, etc… impact the adaptive security, WAF plays the lead role to prevent unauthorized access to the server by the configuration security policy. WAF identifies the malicious traffic and data flows and prevents to access the application server. It will also check the received requests from ISP, either blacklisted or not, or requests receive from a VPN connection. If a request receives from a blacklisted ISP or VPN connection, then block to access the server.
Adaptive Authentication criteria Evaluation
Risk-Based Authentication
Risk-based authentication helps to reduce the probability of compromising the system. It uses AI (artificial intelligence) to gain a holistic view of the context behind each request. When a user tries to login attempts on the digital platform, a risk-based authentication layer analyzes factors such as the requested device, its location, uses network, request behavior, request sensitivity, etc. Based on all these analysis factors, the system decides to allow or prevent to access the system.
AI/ML Based Authentication
User to authenticate on each transaction made/requested by Machine learning and fine-grained policy controls work together to deliver a frictionless user experience with fraud detection. Friction-less authentication facilitated by better fraud detection & mitigation through AI/ML & customized rule sets. AI/ML technique used to detection of malware requests, device Jailbreak/rooted detection. There are a set of customized rules to validate the request.
Behavior-based Authentication
A behavior pattern is a record of activity for the user. Adaptive Authentication compares the pattern for the activity with the usual behavior to assess risk, if the behavior is indicative of known fraudulent patterns, then it will prevent access. Behavioral Parameters examined include frequency, time of day, location, and type of activity. For example: When a transaction request is received on a non-working day or at an unusual time, it will add multi-factor of authentication to complete the transaction. (Require MFA). One more use case like, in case the user reaches max. failed login attempts and after the cooling period again try and got success to login and makes the transfer to an existing beneficiary on non-banking working days/working hours, It should get the avg. of the last 3/5 transactions to this beneficiary & If amt. exceeds the average then add multi-factor authentication as adaptive security.
As a top digital wallet development company, MobiFin is doing extremely well in building digital wallet platforms as per our customer needs. Our skilled developers are keeping themselves updated with the evolving market trends so that they can create an advanced digital wallet platform for our customer base. Our experienced and skilled workforce are experienced in crafting mobile wallets for telcos. Please feel free to contact us to get more information about Adaptive Authentication for Digital Banking Platforms.
