Have you been asked to chime in on your company’s version of “Who are you?” If not, you probably will soon, especially if you’re in a services industry.
More CIOs are facing the need to improve authentication technologies, used to log employees or customers into online systems. Authentication must maintain a difficult balance — strong enough to keep crooks out, but understandable enough for customers to complete successfully.
One approach, knowledge-based authentication, KBA, is winning over a growing number of customers, like Mellon Investor Services. (Stay tuned to the end of this post for tips on the pros and cons of KBA.)
The basic premise of KBA: To log in, users answer a series of multiple-choice questions, based on public records data about them — say relating to a real estate purchase — gathered by a third-party KBA provider. If the user answers the questions correctly, he can log into the system.
For Mellon Investor Services (a subsidiary of Mellon Financial, providing shareholder services and related securities products to small- to Fortune 500-sized firms), the move to KBA started with a longtime problem, says CTO Marc Librizzi. The firm had a large user population of individual shareholders, and no common data to help authenticate them.
A bottom-line business need drove Mellon to find a new authentication method: Every time someone chooses the call center instead of the web site, it costs the company more money. Sound familiar? “Everyone in a business services environment is trying to drive more self-service transactions,” says Mellon Investor Services CMO Barton Hill.
First, Mellon Investor Services tried a system in 2006 where shareholders logging in for the first time were sent an investor ID via postal mail, then went online to request an access code, which was sent in a second piece of postal mail.
“This really was driven by a security initiative, to prevent fraud and give shareholders a lot of comfort,” Librizzi says. Corporate clients also faced Sarbanes-Oxley pressures, notes Hill, and needed to prove that Mellon, like any number of firms they did business with, was exercising the proper controls with data. But the wait time for customer access codes didn’t go over well.
Volume to Mellon’s related call center went up. “We needed to allow real time access to our system,” Librizzi says.
So Mellon rolled out a KBA solution from provider Verid to its web site in March 2007. (Verid’s clients are led by financial services, including 8 of the top 10 firms, plus wireless providers and online retailers.) Today, Mellon shareholder clients get the investor ID by postal mail, then visit the Web site to answer three multiple-choice questions. If successful, the user can set up a PIN and use the system immediately if desired. (Users may still choose to wait and get an access code by mail if preferred.)
What kind of questions are we talking about? According to Verid COO Chris Rickborn, the company uses data derived from public records, much of it from regulated public records that are available to companies doing ID verification. Questions might include the color of your car, previous addresses, age range of a family member, city or address for a family member, or date of purchase of a property, Rickborn says.
Among the aspects of KBA that Mellon likes, it doesn’t maintain the repository of personal data, as it would have to with hint-style systems, Librizzi says. Also, the user log-in success rates are higher than with hint systems, Librizzi says.
“Our pass rate (for customers proceeding through the KBA authentication successfully) on the web is 58% and in the call center, 68%,” he says.
What’s the right percentage? As Hill notes, no one at Mellon knows what the “right” percentage of passes is, yet. You wouldn’t want 100% of people to pass, because that would include would-be fraudsters. And you don’t know how many fraudsters are trying to get into the system today. “We don’t know where that balance is,” Hill says. “We’re balancing ease of use with the need to protect data.”
Authentication technology, of course, doesn’t stand alone in the financial services industry. “Any authentication methodology can eventually be broken,” Librizzi says. “You have to also ensure some really solid back-end controls, where you’re monitoring for certain kinds of activity,” to spot potential fraud. That’s typical in Mellon’s industry, as are follow-up mailings to end users to notify them of recent account activity. “The back end controls will always be there as a safety net,” he says.
It’s a little too early to judge Verid’s overall impact on Mellon’s call center rates: So far, so good, says Librizzi, but he’d like to see 8 months of statistics before he does any fine-tuning on the question-and-answer process.
Maybe like me, you’re wondering: Why not choose an option like RSA-style security tokens?
Tokens aren’t a regulatory requirement for Mellon, and dual-factor authentication “isn’t realistic with a base of 18 million shareholders,” Librizzi says. “Think of the maintenance. I don’t think we could make that work,” he says, noting the potential for lost or misbehaving tokens.
As for the next steps that Mellon would like to see vendors like Verid take, Librizzi would like to make KBA work with his company’s interactive voice response (IVR) system (where clients call in and follow a series of spoken prompts).
“IVR traditionally has been one channel where you find little fraud activity,” Librizzi says, “but we do want to pursue it.” He sees that as a second-stage project, once Mellon has more data about how users like the initial KBA rollout. (KBA is harder to do with voice systems because the system has to accept the spoken answers and translate them from speech to text.)
Librizzi’s parting tips for other CIOs considering revamping authentication systems: “Don’t underestimate the impact on the behavior of the user. Don’t underestimate the change. Take into account the psychology,” he says, noting people’s growing reluctance to share personal information that will then be stored.
Bonus Tips: The Pros and Cons of KBA
If you’re comparing KBA to other authentication options, keep the following points in mind, says Gartner VP and Research Director Avivah Litan:
Pro: KBA doesn’t require special hardware or client software.
Pro: KBA (based on external data sources) can be invoked at any time in a customer’s lifecycle with the enterprise.
Con: KBA involves a high failure rate even among legitimate users (who can’t answer the questions for legitimate reasons).
Con: KBA questions and answers are subject to compromise by crooks via guessing or stealing.
“Crooks can and do steal credit reports frequently,” she says. “Other data is more scattered, so it requires more effort on the crooks’ part, but it can obviously be stolen too. Thieves can also often simply guess ‘right,’ especially with multiple-choice questions.”
Questions involving facts like the color of your car or the purchase date of your home are subject to those issues, she says. On the flip side, “difficult” questions may stump legitimate users, she notes.
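To make Hill’s “where is the balance” question and Litan’s guessing concern concrete, here is an added Python model (written for this post, not Mellon’s or Verid’s code) that treats each KBA question as an independent trial and starts from the 58% web pass rate Mellon reported for three all-or-nothing questions. It assumes four answer options per question, a figure the article does not give, and a fraudster with no data who guesses uniformly at random.

```python
from math import comb

# Added model, not from the article: each KBA question is an independent
# trial answered correctly with probability p. Legitimate users have p set by
# how well they remember the facts; a blind guesser has p = 1 / options.
# The article does not say how many options Verid presents; 4 is assumed.

def pass_probability(n_questions: int, p_correct: float, required_correct: int) -> float:
    """P(at least `required_correct` of `n_questions` answered right), binomial."""
    return sum(
        comb(n_questions, k) * p_correct**k * (1 - p_correct) ** (n_questions - k)
        for k in range(required_correct, n_questions + 1)
    )

def guess_success(n_questions: int, options: int, required_correct: int) -> float:
    """Pass probability for someone picking uniformly at random on every question."""
    return pass_probability(n_questions, 1.0 / options, required_correct)

def infer_per_question_accuracy(observed_pass_rate: float, n_questions: int) -> float:
    """Back out the per-question accuracy implied by an all-correct pass rate."""
    return observed_pass_rate ** (1.0 / n_questions)

def tradeoff(observed_pass_rate: float, n_questions: int, options: int):
    """For each threshold m of n questions, return (m, legit_pass, guesser_pass)."""
    p_legit = infer_per_question_accuracy(observed_pass_rate, n_questions)
    return [
        (m, pass_probability(n_questions, p_legit, m), guess_success(n_questions, options, m))
        for m in range(1, n_questions + 1)
    ]

if __name__ == "__main__":
    # Mellon's reported 58% web pass rate, three questions, assumed 4 options each
    for m, legit, guesser in tradeoff(0.58, 3, 4):
        print(f"require {m}/3 correct: legitimate {legit:.1%}, random guesser {guesser:.1%}")
```

Under these assumptions the 58% figure implies legitimate users get about 83% of individual questions right, and relaxing the rule to two of three correct would lift their pass rate to about 93% while raising a blind guesser’s odds tenfold, from about 1.6% to 15.6%.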
There’s another possible downside of KBA, says Forrester Research VP Jonathan Penn: “Some customers may be a bit unnerved with the feeling that the bank ‘knows all this stuff about me.’ That isn’t quite true – since the bank doesn’t hold or have access to the information, Verid and other services do,” Penn says. “But customers don’t know the difference.”
One big value of KBA is that there is no enrollment process, since Verid pulls the public record data, Penn says. “Our research indicates that most of the problems and customer issues with some of the fixed Q&A-based authentication (like ‘hints’) are that customers must go through an enrollment and this confuses them at the time, bothers them because they went onsite to do some banking and got ‘hijacked’ with a distracting enrollment process, or don’t remember the right answers later on,” he says.
As for the big users of KBA in the future, besides banking and ecommerce, Litan predicts use by government benefit disbursement programs, employers (for credential issuance, for example), and financial services sectors with customer service/call center and online operations.
The next generation of KBA should appeal to CIOs more, Litan predicts, noting that she expects a new generation of KBA to offer higher success rates among legitimate users and answers that are less easily available to potential fraudsters. However, it may also involve privacy implications for consumers, she adds.
Among available KBA vendors, Verid is the current industry leader, Litan says. Some credit bureau companies and data brokers also would like to win more of this business. Another upstart, IDology, competes with Verid but doesn’t have as much success yet, Forrester’s Penn notes.
For more background on the banking industry’s struggles with strong authentication choices, see “Success Factors,” from our sister publication, CSO.