
Why multi-factor authentication isn’t enough to combat fraud: Part 1

Author: Serpil Hall


Authentication is a critical component of fraud prevention. Once a user logs in with a password, the next step is to verify that they are who they claim to be – i.e., to “authenticate” them. As fraudsters have become more inventive, the ways of authenticating users have evolved too. A simple password is no longer enough – now we have one-factor authentication, two-factor authentication, three-factor authentication, and multi-factor authentication (MFA). It’s a constant cycle of trying to stay ahead of hackers, workarounds, and scams as fraudsters adapt their methods of stealing authentication information.

Understanding the trouble with passwords and MFA

First, let’s understand what authentication is. It’s a means of verifying the identity of a user. Anything in the form of a password is authentication; it’s the basis of almost every authentication method around the globe. It doesn't matter what kind of authentication you use: if you rely on a password to identify the user, it’s a problem. Why? Because thousands of passwords are hacked, copied, and stolen every single day. So, to combat this issue, organizations and financial institutions quickly expanded their authentication methods to two- and three-factor – requiring special keys, verification questions, or one-time passwords to enhance the security of their login methods. The problem is that passwords, or any authentication techniques that don't involve behavioral biometrics, will fail. To truly combat fraud, organizations must use a layered approach - one that doesn’t add more friction to the user experience.

Why isn’t MFA enough? First, it’s very difficult for a person to remember all their passwords, keys, verification questions, etc. What typically happens is that users fall back on other methods, like reusing the same password, or find a way to keep track of them (writing them all down, using a password app, etc.).

Second, it's a great target for fraudsters. All they need to do is target users via social media or other means to obtain their password/authentication information. Or they can steal it by installing a device or software on the user’s machine. Once they have that information, everything’s available to them.

Look at the trends in fraud - we’ve got tons of authentication techniques, yet fraud continues to escalate. If you look at this list of 10 fraud predictions for 2023, produced by industry leaders, they all agree passwords are going away.

Any form of password is a clumsy method of identifying a person. The fraud industry quickly evolved after realizing that this technology wasn’t that sophisticated. Passwords are just a string of characters, and sometimes people choose something like 1234, which is very easy to crack, so organizations added another layer - two-factor authentication (2FA). With two-factor authentication an additional authentication step is added. Maybe we ask where you were born or your best friend’s name. The customer provides the answer, and they’re authenticated. However, at the same time as password authentication techniques evolved, so did the bad actors. Suddenly, this kind of information started getting into the hands of fraudsters via hacks, and they had everything they needed (again) to commit fraud.

And they weren't just hacking everything and using the information overnight - they were super clever, hacking it, holding onto it for a few years, then selling it based on its value. For example, if it’s fresh data they might sell it for $1000. If it’s 5 years old and stale, with little useful information, then maybe it’s sold for $100.

In essence, they created a second stream of income by selling this information to others, in addition to hacking these people and committing the fraud directly to benefit themselves.

If you look at multi-factor authentication and any other forms of factor-based authentication, they’re subject to problems, and they create more problems - like when the person can't remember their inputs. Even if customers remember their passwords and where they were born, once yet another layer is added they get frustrated by the additional information to remember and keep track of. It adds unnecessary friction to the customer journey.

It’s not easy to get rid of passwords because we’re talking about large, complex organizations like big banks and massive companies like Amazon. You need a form of authentication, and you can't get rid of passwords overnight. But it’s coming – likely in the next five years. Many large organizations are already starting to transition away from passwords and simple one-factor authentication methods to behavioral biometrics, facial recognition, and other biometric indicators instead. This multi-layered approach is the most effective way to actively detect and prevent fraud while reducing friction in the customer journey.


Stay tuned for part 2: How behavioral biometrics fill the gaps in your fraud prevention strategy.
