Entersekt adds passive, privacy-friendly Browser Authentication feature, reducing reliance on cookies

Today’s financial institutions (FIs) are walking a tightrope: balancing their customers’ growing expectations of frictionless digital experiences with their demands for privacy, while protecting them from rapidly growing fraud threats. Fortunately, advances in Browser Authentication now make it possible to deliver frictionless, passwordless authentication while remaining privacy focused.

“There is no doubt that managing the expectations of customers while providing the best security possible has become infinitely more complex over the last few years,” says Schalk Nolte, CEO of global authentication leader, Entersekt. “Security professionals are playing a never-ending game of fraud whack-a-mole, while trying to answer the growing customer experience requirements of keeping their journey as frictionless as possible. It’s time for a new paradigm of authentication.”

FIs that continue to utilize outdated authentication technology like passwords and one-time PIN codes (OTPs), are relying on customer verification approaches that are less secure and cumbersome for users. OTPs are highly vulnerable to interception by fraudsters. With the help of today’s AI technology, fraudsters can breach these basic security measures in a matter of seconds.

Knowledge-based authentication measures like passwords also deliver a non-optimum user experience as customers need to remember their password and fraudsters can easily crack passwords and gain access.

Multi-factor authentication (MFA), that includes the knowledge factor, can reduce the risk of fraud attacks, but is typically not the most secure or user-friendly technology available to FIs today.

Many Browser Authentication solutions are moving away from device fingerprinting and cookie technology due to associated security vulnerabilities and privacy concerns. These tools track users across domains — something the World Wide Web Consortium (W3C) is championing against to protect consumers’ personal data and privacy, — and Google is doing the same. In January 2020, Google announced that Chrome would phase out third-party cookie support as part of its Privacy Sandbox initiative, which aims to improve web privacy.

Concerns regarding device fingerprinting are similar. The technology can be used to gather users’ personal information and track them across the web, much like cookies. What's more, the W3C plans to disable device fingerprinting in the near future to better protect user privacy.

“Finding a method of Browser Authentication that is privacy preserving, offers the best protection available, and feels almost invisible to users was a challenge we were determined to overcome. We have been delivering Browser Authentication solutions for some time now, but our new offering is a leap forward in sophistication,” Nolte says.

Entersekt’s new Browser Authentication feature, Browser ID, reduces friction while enabling FIs to comply with Strong Customer Authentication (SCA) and Secure Payment Confirmation (SPC) standards. It also supports the W3C’s drive to strengthen user privacy.

With Browser ID, the user adds their device, and it becomes a trusted possession factor, reducing or removing friction in banking logins, high-risk transactions, and MFA within SCA or SPC.

To reduce digital banking friction, FIs can combine Browser ID (a silent signal) with active authentication methods, such as biometrics or a push notification. Alternatively, for frictionless MFA, FIs need to combine Browser ID’s silent signal with risk-based authentication (RBA), such as behavioral biometrics signals — which are also silent — for fully passive authentication that delivers a seamless user experience.

Fraudsters are developing more sophisticated attack vectors every day, further enhanced by AI tools. Consequently, FIs cannot slow down or become complacent about their fraud prevention approach. Innovative security measures, like Browser ID, enable strong security by combining the possession factor (Browser ID) and inherence factor to protect against evolving fraud threats without hampering the user journey.

“Whereas most vendors still focus on fingerprinting to identify devices, we’re going further to provide a privacy friendly signal that provides cryptographic proof of possession, giving FIs comfort that the client is using a known and trusted device. We also know that many FIs still use and depend on browser cookies for security. But Entersekt has created a privacy-friendly and tracking-free future that preserves Strong Customer Authentication while still allowing a frictionless user experience for customers that want it,” Nolte concludes.