Forrester Wave Report: ThreatMetrix and the Revolution in Risk-Based User Authentication
Posted July 19, 2017
Has account takeover (ATO) met its match in digital identity?
With ATO attacks on the rise, a revolution in risk-based authentication (RBA) is rapidly replacing outdated password-based systems with context-aware risk analysis.
At the forefront of this revolution is ThreatMetrix, which this week was named the category Leader in the Q3 2017 Forrester Wave™: Risk-Based Authentication report.
According to Forrester, RBA plays a key role in identity and access management (IAM) and risk mitigation of ATO attacks that result in up to $7 billion in annual losses.
It’s also shaping up to be a pivotal component of strong customer authentication, which results in a streamlined user experience and lower operational costs when compared to systems that rely solely on static user credentials.
For organizations facing a global surge in ATO attacks, the stakes are higher than ever.
The Invisible Enemy
The problem is as simple as it is dangerous. In a world where criminals have easy access to billions of identity credentials lost through corporate data breaches, ATO has become child’s play.
Using stolen credentials harvested from the dark web, cybercriminals can infiltrate accounts undetected by traditional authentication systems. Once in, they’re free to drain funds or make fraudulent purchases with abandon.
Indeed, after some successes in the battle against ATO in recent years, the amount of money lost through such attacks spiked 61 percent in 2016. This year stands to be even worse, thanks to the increased use of bots and other automated technologies that can test and capitalize on stolen login credentials en masse.
Beyond the loss of financial assets, the damage done by ATO to corporate reputation and market competitiveness can be sobering.
In Forrester’s eyes, RBA can help change all that.
Context is Everything
According to Forrester, security and risk professionals see RBA as a way to address the biggest challenges associated with ATO, whether it comes from external thieves, employees, partners or customers.
Specifically, RBA enables organizations to:
Secure sites and mobile apps while reducing fraud
RBA pinpoints anomalous transactions that are out of context — for instance, a user’s login in London just 17 minutes after the same user’s login in Boston — based on established user locations, device profiles, known behaviors and more.
Forrester gave high marks to ThreatMetrix Digital Identity Intelligence and the Dynamic Decision Platform for the ability to establish the true identity of each user within the context of each transaction, historical data, location, and hundreds of other dynamic elements that are cross-referenced with crowdsourced global threat intelligence to generate a risk score for each user in real time.
This will soon even include a machine learning-based persistent identifier for each user.
At the device level, Forrester praised ThreatMetrix for the ability to provide “deep device fingerprint and reputation management capabilities” that can detect jailbreak and root cloaking on mobile devices that could indicate fraud.
Improve the user experience
With RBA, flexible policy management tools can be set to focus on suspicious activities, and assign low-risk scores to users who log in from their normal location and device during their normal activity period.
This way, low-risk users are given instant access, while step-ups such as two-factor authentication (2FA) can be reserved for situations when extra precaution is warranted.
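The context check and step-up policy described above can be sketched as follows. This is an added illustration, not ThreatMetrix code or anything taken from the Forrester report; the thresholds, score weights, action names and the `Login` record are all assumptions chosen for the example.

```python
import math
from dataclasses import dataclass

# All thresholds and weights below are illustrative assumptions.
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # roughly airliner speed
MIN_DISTANCE_KM = 100.0      # ignore geolocation jitter below this distance

@dataclass
class Login:
    ts_min: float   # minutes since an arbitrary epoch
    lat: float
    lon: float
    device_id: str

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlam = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def impossible_travel(prev: Login, cur: Login) -> bool:
    """True when the move between two logins needs an implausible speed."""
    dist = haversine_km(prev, cur)
    if dist < MIN_DISTANCE_KM:
        return False
    hours = (cur.ts_min - prev.ts_min) / 60.0
    return hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH

def risk_score(prev, cur: Login, known_devices: set) -> int:
    score = 0
    if prev is not None and impossible_travel(prev, cur):
        score += 60          # location is out of context
    if cur.device_id not in known_devices:
        score += 30          # device never seen for this user
    return score

def decide(score: int) -> str:
    """Map a score to a policy action: instant access, step-up, or block."""
    if score >= 80:
        return "deny"
    return "step_up_2fa" if score >= 30 else "allow"

# Constructed sample: a Boston login, then London 17 minutes later.
BOSTON = Login(0, 42.3601, -71.0589, "dev-1")
LONDON = Login(17, 51.5074, -0.1278, "dev-1")
```

With the constructed sample, the London login from a known device is stepped up to 2FA, while the same login from an unseen device is denied outright.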
ThreatMetrix earned kudos from Forrester for the breadth of its policy management capabilities, which include cryptographic push notifications similar to a two-way SMS challenge, but leveraging iOS and Android secure notification services with customized messages based on user preferences. Soon, this will even include integration with biometrics-based multi-factor solutions.
Also lauded were our plans to enhance decision modeling by simulating changes to policies based on past data and decisioning performance to increase effectiveness over time.
Streamline administration, investigation and compliance
By providing extensible and customizable views of alerts and case management information to analysts and security teams, time spent on investigations can be dramatically reduced.
Here, Forrester took special notice of the ThreatMetrix Case Management solution, which provides fully integrated fraud mitigation capabilities throughout the entire investigation lifecycle—all from a single interface.
Part of our award-winning Dynamic Decision Platform, case management automates case creations based on highly flexible criteria. It also automatically monitors, updates and isolates transactions that require additional review, and provides teams with the tools they need to take appropriate action quickly.
Plus, the solution’s robust reporting and trending dashboards significantly simplify the process of creating audits for regulatory compliance and reports for organizational knowledge sharing.
The Age of Adaptive Defenses
Is RBA really enough to ensure ATO has met its match? The truth is, today’s threats are constantly evolving. But, so are we.
By analyzing 75 million daily transactions in real time across billions of devices and thousands of websites and apps worldwide, the ThreatMetrix digital identity solutions get smarter every moment of every day to help put an end to ATO and other threats.
For organizations seeking dynamic authentication security, the RBA revolution is too important to lose—no matter who leads the way.
To learn more about how ThreatMetrix earned the sole leadership position in the risk-based authentication market, download the Forrester Wave™: Risk-Based Authentication, Q3 2017 here.