Content Copyright © 2017 Bloor. All Rights Reserved.
This blog was originally posted under: Fran Howarth
Trust is defined as the ability to rely on the reliability or truth of something. When using something as inherently insecure as the internet, which was designed with openness and availability in mind, rather than security and privacy, this becomes a real issue. Back in 1993, before use of the internet was anywhere near as widespread as it is now, a popular cartoon published by The New Yorker drew attention to the perceived anonymity of the internet with the tagline “On the internet, nobody knows you’re a dog.”
Fast forward to today, when almost half of the world’s population has internet access, rising to 88% in North America. Mobile devices equipped with internet connectivity have helped to drive penetration levels upwards. With so much of our daily lives conducted online, anonymity is no longer desirable and does nothing to engender trust.
When you meet someone in the real world, it takes time to get to know them and build a relationship before you feel that you can trust them. In the online world, it is necessary to know who someone is, especially when sensitive information is involved, such as when making financial transactions. For many years, the most common form of authenticating someone’s identity has been through use of a name and password credential combination.
But it is well known that this is not enough as passwords can be guessed, hacked or otherwise stolen. The use of such a credential combination is nowhere near sufficient to engender solid levels of trust. Stronger forms of authentication were introduced, often in the form of security tokens and one-time passwords. These can be in the form of hardware tokens that generate one-time codes or codes sent to a user by a text message or email that must be input in order for the user to be authenticated. But even these have their limitations, especially given the ease with which tokens or mobile devices to which codes are sent can be lost or stolen. Biometrics are touted as a reliable and secure alternative, especially given the fact that more smartphones are being shipped with fingerprint or other biometric sensors built in. But all these methods of authentication add to the burden on the user.
Contextual authentication is a method of proving that a person is who they say they are, and it is growing in popularity. It imposes a higher level of security but is also transparent to the user. Contextual authentication uses advanced analytics to infer a person’s authenticity based on observed behaviour, taking into account a range of factors.
Such factors can include information regarding time and location of an authentication request. For example, if a user generally accesses a service either from their home or office during regular work hours, a red flag would be raised if they attempted access from a different location or at an unusual time, such as midnight over the weekend. Similarly, if a user has recently accessed a service from one location and then an authentication request is received from a distant location shortly after, the event will be flagged as suspicious.
Contextual authentication takes into account a number of factors in order to build a risk profile, which can be used to determine whether to allow the user to continue unchallenged or to deny them access. However, there may well be a good reason why a user is attempting to perform a particular action. For example, a user may need to access certain corporate resources at an unusual time, such as late in the evening, in order to prepare for a meeting the next day. Rather than applying a blanket deny-access policy, the service can require the user to supply additional proof of their identity, either through stronger authentication or by correctly answering a challenge or security question based on information that is already known about them, perhaps something that they registered when they signed up to use the service.
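The checks described above (unusual time, unusual location, a distant login shortly after a previous one) can be combined into a risk score that maps to allow, challenge or deny. The following is an added sketch, not code from the original post; the weights, thresholds, coordinates and names such as `risk_signals` and `decide` are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class Point:
    lat: float
    lon: float

@dataclass
class Login(Point):
    when: datetime

# Assumed policy values, for illustration only.
USUAL_HOURS = range(8, 19)   # weekdays, 08:00-18:59
NEAR_KM = 50                 # radius around a known place that counts as usual
MAX_KMH = 900                # faster than this between two logins is implausible
WEIGHTS = {"unusual_time": 30, "unusual_location": 40, "impossible_travel": 70}

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_signals(req, usual_places, last=None):
    """Return the contextual red flags raised by one authentication request."""
    signals = []
    if req.when.weekday() >= 5 or req.when.hour not in USUAL_HOURS:
        signals.append("unusual_time")
    if all(km_between(req, p) > NEAR_KM for p in usual_places):
        signals.append("unusual_location")
    if last is not None:
        hours = (req.when - last.when).total_seconds() / 3600
        dist = km_between(last, req)
        if dist > NEAR_KM and (hours <= 0 or dist / hours > MAX_KMH):
            signals.append("impossible_travel")
    return signals

def decide(signals):
    """Allow unchallenged, ask for stronger proof, or deny, based on total risk."""
    score = sum(WEIGHTS[s] for s in signals)
    if score == 0:
        return "allow"
    return "step_up" if score < 100 else "deny"

if __name__ == "__main__":
    # Constructed sample: a user whose usual place is London, late on a weekday.
    home = Point(51.5074, -0.1278)
    late = Login(51.5074, -0.1278, datetime(2017, 3, 7, 23, 0))
    print(risk_signals(late, [home]), decide(risk_signals(late, [home])))
```

A late-evening request from a usual location raises a single signal and leads to a challenge, not a refusal, which is the behaviour the paragraph above argues for.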
The use of contextual authentication can help to better engender trust in a person’s identity. It improves security across a number of platforms, including mobile devices and cloud computing services. It is particularly useful in the fight against fraud, enabling decisions to be made in almost real time regarding a person’s authenticity so that fraudulent transactions can be stopped and losses prevented.
Whilst a person may value their anonymity in certain situations, the need to trust that someone is who they say they are means that anonymity is not always possible. The use of advanced analytics when making authentication decisions will help to engender trust, so that interactions are enabled rather than simply blocked because their trustworthiness cannot be adequately proven.