Illustration of a a person speaking to a face coming out of the computer represents 2FA

Why banks and payment processors need 2FA today

Two-factor authentication (2FA) stops 100% of automated bot account take over (ATO) attacks. So why don’t more banks and payment service providers (PSPs) implement or increase the use of 2FA?

2FA and customer friction

2FA is not without controversy, mainly because it can be a friction-filled customer experience. That’s because 2FA requires customers to go through extra steps to vet the device they are attempting to access their accounts with before they can log in. Also, it can be applied at points in the customer journey that seem arbitrary or out of context. However, 2FA can be silent e.g., behavioral biometrics or app-based logon from a strong device, so it is possible to have no friction for a trusted pattern or device.

Establishing trust is as essential as confirming suspicion

In How PSPs Can Get Ahead of Fraud in the Post COVID-19 World, I discussed specific actions for identifying fraud patterns. The flip side of that, and equally important, is that we need to identify patterns for authentic transactions.

Two-factor authentication introduces trust into the fraud prevention toolbox. So much of fraud prevention is built around suspicion, around figuring out who the bad guys are and what they’re doing. But it’s equally important to know who the good guys are and what authentic transactions look like to establish a baseline for trusted transactions. Focusing on a device’s type and location helps set the benchmark for good transactions in a post-COVID-19 world.

Why now is the time to implement 2FA

COVID-19 presents a real opportunity to establish digital trust with customers and embed some good pockets of behavior. I think there’s never been a better time to increase the usage of 2FA because COVID-19 creates a perfect storm to implement or increase the use of 2FA for several distinct reasons.

  • Stationary customers. With the world in various states of quarantine and lockdown, people are moving around a lot less.
  • Known devices. The opportunity and the inclination to buy a new device has decreased. For the most part, there should be strong device accessibility.
  • Channel consistency. Customers are going to be 95% digital, even though they were 50% digital two months ago. Although their shopping behavior may look odd in comparison to pre-Coronavirus times, it’s probably gotten narrower. Their actual digital footprint, in many ways, has become more consistent.
  • Friction acceptance. With all the scams that are taking place and all the news coverage these scams are getting, people want to feel safe. Today, customers see actions that they once thought of an inconvenience as a form of protection. They’ll likely appreciate the feeling that their bank is watching out for them.
  • Recovery phase growth enablement. If an organization sees a device ten times during lockdown and all within 6km of each other rather than + or – 100km, they’ll be able to trust that device as we move into recovery; they can assert trust faster. That’s how customer behavior today provides golden data for the future. As we move toward recovery and people start to transact differently, you can play the data forward. Using today’s data to look ahead can help reduce false positives — but only if you’ve established trust with the device.

What’s more, establishing 2FA now means banks and payment service providers will be prepared for the Strong Customer Authentication (SCA) requirement. The SCA deadline is December 31, 2020, and while the deadlined may once again be delayed, one thing is clear: SCA will be required. Use this time to prepare for the inevitable.

Key Learnings

While it’s crucial to uncover fraud patterns, it’s equally essential to understand authentic customer behavior. Because the world is in some stage of quarantine or lockdown, now is the time to increase the use of 2FA. Customers are aware that scammers are on the prowl, so they’re more forgiving of friction, especially if they are doing transactions or using channels/devices that are new for them. This is where risk-based 2FA can be applied. However, implementing 2FA at this specific time bypasses the normal amount of friction because customers are more likely to be transacting from the same location, and they have all their contact points easily accessible.

Subscribe to stay infomed