In my previous two blog postings, I’ve tried to briefly articulate some key elements of and value propositions associated with risk-based authentication. In this entry, I’d like to suggest some best-practices to consider as you incorporate and maintain a risk-based authentication program.
1. Analytics – since an authentication score is likely the primary decisioning element in any risk-based authentication strategy, it is critical that a best-in-class scoring model is chosen and validated to establish performance expectations. This initial analysis will allow for decisioning thresholds to be established. This will also allow accept and referral volumes to be planned for operationally. Further more, it will permit benchmarks to be established which follow on performance monitoring that can be compared.
2. Targeted decisioning strategies – applying unique and tailored decisioning strategies (incorporating scores and other high-risk or positive authentication results) to various access channels to your business just simply makes sense. Each access channel (call center, Web, face-to-face, etc.) comes with unique risks, available data, and varied opportunity to apply an authentication strategy that balances these areas; risk management, operational effectiveness, efficiency and cost, improved collections and customer experience. Champion/challenger strategies may also be a great way to test newly devised strategies within a single channel without taking risk to an entire addressable market and your business as a whole.
3. Performance Monitoring – it is critical that key metrics are established early in the risk-based authentication implementation process. Key metrics may include, but should not be limited to these areas:
• actual vs. expected score distributions;
• actual vs. expected characteristic distributions;
• actual vs. expected question performance;
• volumes, exclusions;
• repeats and mean scores;
• actual vs. expected pass rates;
• accept vs. referral score distribution;
• trends in decision code distributions; and
• trends in decision matrix distributions.
Performance monitoring provides an opportunity to manage referral volumes, decision threshold changes, strategy configuration changes, auto-decisioning criteria and pricing for risk based authentication.
4. Reporting – it likely goes without saying, but in order to apply the three best practices above, accurate, timely, and detailed reporting must be established around your authentication tools and results. Regardless of frequency, you should work with internal resources and your third-party service provider(s) early in your implementation process to ensure relevant reports are established and delivered.
In my next posting, I will be discussing some thoughts about the future state of risk based authentication.