Getting Started
Continuous Authentication is a new paradigm of authentication that is more secure and more convenient than current methods. After seven months of human-centered user experience research, our team (Aroon, Grace, Nika, Scott, and Zohaib: Team Hamsterbard) defines Continuous Authentication as a system that verifies who you are, whenever you need it, without you thinking about it. This system takes a wide variety of user data, from device data to active and passive biometrics, to identify a cardholder at any time it is required. For the user, the benefits are twofold: security and convenience. It identifies them without them thinking about it (or fetching their card), and protects their identity and data more securely than traditional means.
Current online logins and credit card purchases only require a couple of factors. This approach, called multi-factor authentication (a method that requires multiple layers of security, for example a password plus a 2FA code sent via SMS; definition from Wikipedia), is often posited as "pick two of three." The three common types of factors are "something you have" (ID card or token), "something you know" (passphrase or security question), and "something you are" (fingerprint or other biometrics). An authentication system is more secure if it comprises more layers (or factors) of security.
Continuous Authentication does not limit itself to a few binary factors, but rather can use 40 to 50 factors at a time to provide a "trust score" of how authentic a cardholder is at any given time (instead of logged-in vs. logged-out, the user gets a rating of how "authentic" they are at any given time; definition from NuData). In this model authentication becomes a gradient, not just binary. Depending on how high the trust score is (often depicted as a percentage), the user may be able to do a variety of activities. A cardholder with a moderately high score could possibly check their balance, but require a higher score to withdraw or make a payment.
While this may be an abstract concept, and certainly requires a different mental model than current authentication measures, aspects of this paradigm are already beginning to creep their way into the market. Over the seven months we have been exploring this topic, our team made and tested numerous prototypes to learn about people's perceptions of, and interest in adopting, this new paradigm. We have consolidated our findings here, in this set of UX Guidelines for Mastercard designers, technologists, product managers, and their partners, as they pave the way towards the future of authentication.
Thank you for your time and support. We hope you find these UX Guidelines useful!
Team Hamsterbard, CMU Masters of Human-Computer Interaction, August 2018
The Five W's of Continuous Authentication
Who
Continuous Authentication is a large topic that involves many different stakeholders, each in a different way. Authentication has many uses and touch points, and it presents itself differently to each of these parties.
What
We define Continuous Authentication as "a system that verifies who you are, whenever you need it, without you thinking about it." Behind this idea is a large technology piece pushing authentication beyond usernames, card numbers, and passwords. Instead of using two-factor authentication (also known as 2FA, two-step verification or TFA: an extra layer of security, a form of "multi-factor authentication," that requires not only a username and password but also something that only that user has on them), Continuous Authentication uses machine learning (a subset of artificial intelligence in the field of computer science that often uses statistical techniques to give computers the ability to "learn," i.e., progressively improve performance on a specific task, from data without being explicitly programmed) and massive amounts of data to notice patterns in card use in aggregate as well as behaviors unique to individuals.
From device and location information, to biometrics and behaviours, as well as trends across all users, Continuous Authentication uses on the order of 40 or 50 factors instead of merely one, two, or three. Instead of a binary (logged in, logged out) paradigm, authentication becomes a gradient, and individuals get a trust score instead of merely being logged in. This trust score varies with the cardholder's behaviour and patterns at any given time, and can be polled by a merchant at checkout. Overall, Continuous Authentication is a new, more robust alternative to the traditional username and password model, one that can make the checkout experience faster as well as much more secure.
When
One of the key benefits of Continuous Authentication is the continuous aspect of it. This, however, seems to make it difficult for many users to understand, because it is so different from a typical password authentication. Because the system is always monitoring a variety of data sources, it provides a "trust score" at any given time based on the combination of all those factors. For the end user, it means they can be authenticated in the moment, whenever they need it.
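To make the gradient model concrete, here is a small trust-score engine written for this guide as an added illustration; it is not code from Team Hamsterbard, Mastercard, or NuData. It shows the three ideas from the paragraphs above together: many weighted factors combine into one score, the score is recomputed for the moment it is asked for (older observations count for less), and each action carries its own threshold, so a score that is good enough to check a balance may only trigger a step-up request for a withdrawal. The factor names, weights, half-lives, thresholds and sample observations are all hypothetical values constructed for the example.

```python
"""Added example (not from the original guide): a toy continuous-authentication
trust-score engine. All factor names, weights, half-lives and thresholds are
hypothetical values chosen for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


@dataclass(frozen=True)
class Factor:
    name: str
    confidence: float   # 0..1: how well the observation matches the cardholder's profile
    weight: float       # relative importance among factors (hypothetical)
    observed_at: float  # seconds since epoch when the observation was made
    half_life: float    # seconds until this observation's confidence halves


def effective_confidence(factor: Factor, now: float) -> float:
    """Confidence decays exponentially with age, so a password typed an hour ago
    counts for less than a behavioural match from a moment ago. This is the
    'continuous' part: the score is recomputed for the instant it is requested."""
    age = max(0.0, now - factor.observed_at)
    return factor.confidence * 0.5 ** (age / factor.half_life)


def trust_score(factors: Iterable[Factor], now: float) -> float:
    """Weighted average of the decayed confidences, scaled to a 0..100 percentage."""
    factors = list(factors)
    total_weight = sum(f.weight for f in factors)
    if total_weight == 0:
        return 0.0  # no evidence at all: treat as fully untrusted
    weighted = sum(f.weight * effective_confidence(f, now) for f in factors)
    return 100.0 * weighted / total_weight


class Decision(Enum):
    ALLOW = "allow"      # score clears the action's threshold
    STEP_UP = "step_up"  # close enough: ask for one more factor, then re-score
    DENY = "deny"        # too far below the threshold: refuse the action


# Hypothetical per-action thresholds: riskier actions demand a higher score.
ACTION_THRESHOLDS = {
    "check_balance": 60.0,
    "make_payment": 80.0,
    "withdraw": 90.0,
}


def decide(action: str, score: float, step_up_margin: float = 15.0) -> Decision:
    """Map a trust score to allow / step-up / deny for one action.
    This is the check a merchant or issuer would run when it polls the score."""
    threshold = ACTION_THRESHOLDS[action]
    if score >= threshold:
        return Decision.ALLOW
    if score >= threshold - step_up_margin:
        return Decision.STEP_UP
    return Decision.DENY


# Constructed sample observations for one cardholder (all values invented).
T0 = 1_000_000.0
SAMPLE_FACTORS = [
    Factor("known_device", 1.0, 3.0, T0, half_life=86_400.0),
    Factor("usual_location", 0.9, 2.0, T0, half_life=3_600.0),
    Factor("typing_rhythm", 0.8, 2.0, T0, half_life=600.0),
    Factor("password_entered", 1.0, 1.0, T0 - 3_600.0, half_life=3_600.0),
]


def demo(now: float = T0) -> dict:
    """Score the sample cardholder at time `now` and decide each action."""
    score = trust_score(SAMPLE_FACTORS, now)
    return {"score": score, **{a: decide(a, score).value for a in ACTION_THRESHOLDS}}


if __name__ == "__main__":
    print(demo(T0))            # fresh signals: balance and payment allowed, withdrawal steps up
    print(demo(T0 + 7_200.0))  # two idle hours later: the score has decayed and actions are denied
```

Run at T0 the sample factors give a score of 86.25, so checking a balance and paying are allowed while a withdrawal asks for one more factor; two hours later the behavioural and location evidence has decayed and the same cardholder scores around 43, which denies every action until fresh evidence arrives. The half-life decay is one simple way to express "authenticated in the moment"; a production system would tune the decay per factor and feed the result of a step-up back in as a new, fresh observation.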
From a product standpoint, it is harder to say where the data aspects of Continuous Authentication happen. The data pathways and storage components are still open questions. The data itself is likely to be stored by Mastercard, with merchants pulling a trust score, and possibly other data, from an API at the time of purchase. However, the exact technical sequence of events will likely vary by product and implementation.
Where
Continuous Authentication works better today in digital shopping contexts, since it leverages many digital data points that are already used to detect fraud, and it will likely be adopted for online customers well before brick-and-mortar stores. Physical store points of sale will require a significant capital cost that only large corporate retailers will be able to invest in at first: think Amazon Go.
Why
Consumers - While consumers want to be safe, security is often something that takes a backseat to convenience. Continuous Authentication has a two-fold benefit for cardholders: the potential for a quicker checkout, along with more layers of protection against identity theft (the fraudulent acquisition and use of a person's private identifying information, usually for financial gain) and fraud.
Merchants - Merchants stand to gain through reduced cart abandonment online and overall smoother checkouts. The fraud side helps them as well, through a possible liability shift (the change in financial responsibility, to either a merchant, bank or credit card company, should a fraudulent transaction take place) back to the processor or issuer, and fraud reduction overall.
Card Issuers - Much like merchants, issuers stand to gain the most on the fraud side, most likely from an overall better ability to recognize fraud in the moment, especially in card-not-present situations (a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant's visual examination at the time that an order is given and payment effected), and also to reduce false declines (valid transactions that are incorrectly rejected, an unintended consequence of e-commerce merchants' fraud prevention strategies; also called "false positives," they were projected to cost e-commerce companies $8.6 billion in 2016 across the board). Issuers could also use these technologies to gain insights on consumer behavioral trends.
Mastercard - Mastercard is in a unique position to implement Continuous Authentication across a range of products, from cardholder-facing experience applications to B2B and back-of-house fraud reduction efforts. Beyond these immediate opportunities, a successful implementation could provide a new form of business in identification-as-a-service. This set of design guidelines is specifically for Mastercard designers, product managers, and technologists, as well as their partners, in an effort to better inform the discussion around this new paradigm.