December 5, 2018
November 29, 2018
Balancing security with a frictionless online experience is now a key business imperative, particularly in a landscape of increased online transactions and evolving regulatory requirements. Consumers demand an experience that works seamlessly irrespective of the devices they use, their locations, and the channels they choose.
Businesses need a solution that is secure and persists across device resets and software updates, and works for both browser transactions and mobile app-based transactions.
Device binding allows users to transact on trusted devices without repetitive authentications. This can occur through reliable and consistent verification of the transacting device by registering the device and binding it with a user credential. This then helps validate the returning device on subsequent interactions. ThreatMetrix Device Binding incorporates:
Several regulations like the Revised Payment Services Directive (PSD2) mandate Strong Customer Authentication (SCA) based on the risk associated with transactions. However, businesses need to make sure that the increased level of security does not affect the consumer experience by introducing unnecessary friction.
The ThreatMetrix approach combines risk-based authentication with Strong Customer Authentication for optimized customer experience. ThreatMetrix can reliably and consistently verify the transacting device, including first registering the device and binding it with a user credential, then validate the returning device on subsequent interactions. Once this assurance is established, it becomes simple to positively identify trusted devices and eliminate friction. ThreatMetrix uses Public Key Cryptography to establish a cryptographically-backed strong device identifier.
This feature for mobile devices is facilitated using ‘Strong ID for Mobile’. The secure keys, used as a basis for device identification, are stored in the secure element of supported mobile devices, ensuring they are kept secret and tamper-resistant and preventing an attacker from impersonating a trusted device. However, a large population of consumers still use non-mobile devices, requiring businesses to also establish a similar level of assurance for web transactions. This is provided using ‘Strong ID for Web’, which leverages the WebCrypto API.
ThreatMetrix Carrier ID is tied to the SIM card and is a unique persistent identifier representing a mobile subscriber. Carrier ID is derived from three key pieces of information – the mobile number, the carrier that the number belongs to, and the subscriber’s account with the carrier. ThreatMetrix uses this information and works with Mobile Network Operator (MNO) data aggregators to get the Carrier ID.
The service is enabled via the ThreatMetrix Integration Hub. In the case of a trusted transaction, a user’s device is registered along with user context (such as account name or account email) and a carrier ID obtained from the MNO aggregator. If future transactions reveal increased risk, an additional authentication assurance can be provided by invoking the Carrier ID service via an API.
Given a transaction, ThreatMetrix with its API can compare and verify whether a Carrier ID from a transacting device matches with the one registered, providing assurance that it’s a trusted device and user.