In an era where fraud attacks are increasingly sophisticated and worryingly common, financial institutions must continuously evolve their security measures to safeguard sensitive information and transactions.
Step-up authentication is one of the most effective solutions to increase security without compromising the user experience.
So how does it differ from multi-factor authentication (MFA) and risk-based authentication (RBA)?
High-risk actions for authorised users only
Step-up authentication is a method that requires additional authentication steps only for certain high-risk activities, particularly in banking. This contrasts with MFA, where several authentication factors, such as a password and a code generated by an authentication app, are required for every login.
Step-up authentication is only triggered for certain actions that are classified as sensitive, such as transferring a large amount of money, accessing personal data, changing this data or accessing online banking again after access has been blocked. For example, a user entering the wrong access code or password for their bank account several times could indicate a heightened risk of fraud.
If the legitimate user wants to regain access, they will need to prove their identity. Traditionally, a one-time password (OTP) or PIN is sent by post to the account holder’s registered address, allowing them to reset their online banking access; however, this takes time. A more efficient option is digital biometric verification, using a fully automated solution that quickly and reliably compares the user’s live identity to their ID document.
The step-up authentication approach ensures that only authorised users can perform these high-risk actions, thus significantly reducing the risk of fraud.
Balance between security and user-friendliness
The primary aim of step-up authentication is to strike a balance between security and user-friendliness. By adapting the identity request to the risk level of the action, the process offers reliable protection without making the action unnecessarily difficult for the user.
This adaptability is crucial in the fight against fraud. It enables flexible security measures that do not disrupt the user when carrying out routine activities while increasing protection at these critical moments.
Financial institutions face a growing number of fraud incidents, from identity theft to account takeovers, with the latter increasing by 85% according to UK Finance’s 2024 Fraud Report. During account takeover fraud, a criminal seizes control of another person’s genuine card account.
And according to UK Finance, “although difficult to commit, [it] has become more attractive after the changes introduced as part of strong customer authentication (SCA), specifically OTPs change the criminal’s behaviour – the possibility of gaining access to a customer’s existing accounts, changing personal details, and reordering replacement cards is potentially more lucrative than social engineering one OTP from a victim directly”.
Step-up authentication plays an important role in reducing these types of fraud. It ensures that high-risk transactions and changes to account settings, such as adding a new beneficiary or resetting a password, are subject to strict verification processes. This protects both the financial institution and its customers and reduces the likelihood of unauthorised account access.
Step-up authentication vs. MFA and RBA
To fully understand step-up authentication, it is important to differentiate it from other security methods such as MFA and RBA.
Multi-factor Authentication (MFA): With MFA, the user must enter two or even more authentication factors each time they log in, e.g. a password and a fingerprint scan. This increases security considerably but can be cumbersome for the user in a day-to-day setting, especially for frequent access to certain services.
Risk-based Authentication (RBA): RBA assesses the risk of each login attempt in real time based on factors such as the user’s location, device and behavioural patterns. If the system detects unusual activity, such as a login attempt from a previously unknown device, additional authentication steps are triggered. However, RBA does not differentiate between the various activities within an account.
Step-up Authentication: Step-up authentication combines elements of MFA and RBA and enables access to different parts of a service with both single and multi-factor authentication. The key difference is the action-based approach: additional authentication is only required for high-risk actions. This ensures that routine activities remain user-friendly, while sensitive transactions are better protected. Common methods of step-up authentication include document verification (i.e. checking the validity of documents such as ID cards, passports or driving licences), selfie identity verification (i.e. the user goes through a fully automated selfie ID check) and biometric authentication (using fingerprints or facial recognition to verify the user’s identity).
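The three approaches above differ in what they evaluate: MFA looks only at the login, RBA scores the login context, and step-up authentication looks at the action being attempted. The following Python policy model is an added example written for this article, not code from any bank or vendor, and every element in it is an assumption: the assurance levels (SINGLE for a password, STRONG after a second factor), the action table, the £1000 large-transfer threshold and the three-strike lockout are all constructed to illustrate the decision logic, not taken from any real system. It also covers the lockout scenario described earlier, where a user who has entered the wrong password several times must re-prove their identity before regaining access.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """How strongly the current session has proven the user's identity (constructed levels)."""
    NONE = 0     # no valid session, e.g. after a lockout
    SINGLE = 1   # one factor, typically a password
    STRONG = 2   # password plus a second factor (OTP, selfie ID check, biometric)


@dataclass
class Session:
    user: str
    assurance: Assurance = Assurance.NONE
    device_known: bool = True    # RBA signal: device seen before for this user
    home_country: str = "GB"     # RBA signal: user's usual location
    login_country: str = "GB"
    failed_logins: int = 0
    locked: bool = False


# Constructed policy table: which assurance level each action demands.
# Routine activities stay at SINGLE; sensitive ones require STRONG.
ACTION_ASSURANCE = {
    "view_balance": Assurance.SINGLE,
    "small_transfer": Assurance.SINGLE,
    "large_transfer": Assurance.STRONG,
    "add_beneficiary": Assurance.STRONG,
    "change_personal_details": Assurance.STRONG,
    "reset_password": Assurance.STRONG,
}
LARGE_TRANSFER_THRESHOLD = 1000   # constructed value, in account currency units
MAX_FAILED_LOGINS = 3             # constructed lockout threshold


def mfa_factors_required_at_login(session: Session) -> int:
    """Classic MFA: every login needs two factors, regardless of risk or action."""
    return 2


def rba_login_risk(session: Session) -> int:
    """RBA scores the login attempt itself from context signals, not the action."""
    score = 0
    if not session.device_known:
        score += 2
    if session.login_country != session.home_country:
        score += 1
    if session.failed_logins > 0:
        score += 1
    return score


def rba_requires_extra_factor(session: Session, threshold: int = 2) -> bool:
    """RBA triggers a second factor when the login looks risky."""
    return rba_login_risk(session) >= threshold


def classify_action(action: str, amount: float = 0.0) -> str:
    """Map a raw request onto a policy key; transfers are split by amount."""
    if action == "transfer":
        return "large_transfer" if amount >= LARGE_TRANSFER_THRESHOLD else "small_transfer"
    return action


def step_up_required(session: Session, action: str, amount: float = 0.0) -> Optional[Assurance]:
    """Step-up authentication: return the assurance level the action needs if the
    session does not yet meet it, or None if the action may proceed as-is.
    Unknown actions fail closed to STRONG; a locked account must re-prove identity."""
    key = classify_action(action, amount)
    needed = ACTION_ASSURANCE.get(key, Assurance.STRONG)
    if session.locked:
        needed = Assurance.STRONG
    return needed if session.assurance < needed else None


def record_failed_login(session: Session) -> bool:
    """Count a wrong password; repeated failures block access until identity is re-proven."""
    session.failed_logins += 1
    if session.failed_logins >= MAX_FAILED_LOGINS:
        session.locked = True
        session.assurance = Assurance.NONE
    return session.locked


def complete_step_up(session: Session, method: str) -> Session:
    """Record a successful second factor. The identity check itself (OTP delivery,
    document or selfie verification, biometric match) is done by an external service."""
    if method not in {"otp", "selfie_id_check", "biometric", "document_verification"}:
        raise ValueError(f"unsupported step-up method: {method}")
    session.assurance = Assurance.STRONG
    session.locked = False
    session.failed_logins = 0
    return session


if __name__ == "__main__":
    s = Session("alice", Assurance.SINGLE)
    print(step_up_required(s, "view_balance"))     # None: routine action proceeds
    print(step_up_required(s, "transfer", 5000))   # Assurance.STRONG: step-up needed
    complete_step_up(s, "selfie_id_check")
    print(step_up_required(s, "transfer", 5000))   # None: session now meets the bar
```

Two design choices matter for a defender. First, `step_up_required` fails closed: an action missing from the policy table is treated as high-risk rather than silently allowed, so a newly added feature cannot bypass step-up by omission. Second, a lockout resets the session to `NONE`, so even `view_balance` demands a full identity proof once the account has been blocked, matching the account-recovery flow the article describes.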
Financial service providers and other high-risk institutions can use step-up authentication to protect critical touchpoints in the customer journey. This includes resetting passwords, changing beneficiaries and applying for new services. By integrating this authentication method, financial service providers can increase security, reduce the risk of data breaches and maintain customer trust.
Constantly updating and evolving various authentication methods is critical in today’s digital landscape. By implementing step-up authentication, financial institutions are able to better protect their customers and manage the ever-evolving threats of online fraud.