Frictionless Authentication: What is it?

Frictionless authentication is a form of automated identity verification designed to be smooth, seamless, and less intrusive than traditional authentication methods. It aims to enhance user experience by minimizing or eliminating the need for active user input, like typing a password, while maintaining a high level of security.

The key advantage of frictionless authentication is the balance it strikes between security and convenience. By reducing the need for active user inputs such as passwords, it offers a more seamless experience, potentially increasing productivity and user satisfaction, while still maintaining a strong level of security. However, it’s important for systems utilizing frictionless authentication to have strong privacy protections, as they often deal with personal and other sensitive data.

How Does Frictionless Authentication Work?

There are several potential components to a frictionless authentication solution. They include:

• Biometrics: Frictionless authentication often uses biometric data such as facial recognition, voice recognition, or eye scans. These methods are less intrusive to users as they don’t have to remember passwords or other authentication methods – they literally are the authentication method!

Figure 1: Types of Biometric Authentication (Source: Spiceworks)

• Behavioral Analysis: This involves monitoring the user’s behavior and patterns, such as mouse movements, typing rhythm, or even the way the user interacts with a device. The system learns these patterns and can authenticate based on the observed behaviors matching the known profile.

• Location Factors: Authentication can be influenced by the user’s location. For example, a device might recognize nearby Wi-Fi networks or Bluetooth devices or use GPS data to determine if the user is in a familiar location.

• Device Recognition: Devices themselves can be a part of the authentication process. A system might recognize a user’s laptop, smartphone, or wearable device as one of multiple factors in authentication. Device recognition often includes the use of a security key, or “dongle”, to support recognition of the device.

There are also different implementations and methods of frictionless authentication, including:

• Continuous Authentication: Unlike traditional methods where authentication happens once at the login stage, frictionless authentication can be continuous, where the solution continually verifies the user’s identity in the background, providing ongoing security throughout the session.

• Risk-Based Authentication: This method involves assessing the risk of a particular action or request. If the action seems typical and low risk, the system might require less rigorous authentication. If it’s unusual or high risk, additional authentication might be required.

• Multi-Factor Authentication (MFA): Frictionless authentication can be part of MFA, where it’s one of several layers of security. For example, a system might use frictionless methods primarily but require a password or PIN for more sensitive actions.

Figure 2: Risk-Adaptive Authentication Leveraging Context and Behavioral Biometrics (Source: Semantic Scholar)

Challenges Associated with Frictionless Authentication

While there are several benefits associated with frictionless authentication, there are some challenges as well. They include:

• Privacy Concerns and Security Risks: Since frictionless authentication often relies on personal and biometric data, there are privacy concerns. Unlike other personal data which can be changed if compromised (even a social security number can be changed through your local Social Security office), biometric data is unique to the individual’s physical attributes. As a result, if a hacker gains access to biometric data, it can be more problematic than a compromised password.

• Reliability Issues: Behavioral and environmental factors can change over time. For example, a user’s typing pattern might change due to injury, or their routine locations might shift due to a change in job or home. This can lead to false rejections and a frustrating user experience.

• Potential for Discrimination and Bias: Biometric systems, like facial recognition, can sometimes have biases, particularly against certain ethnic groups or genders, leading to unequal experiences or security levels for different users.

• Data Management and Storage: Collecting and storing large volumes of personal and biometric data requires a strong infrastructure and requires clear definition of data management and information governance practices.

• Legal and Regulatory Compliance: Various laws and regulations around data privacy and protection – such as GDPR in Europe – dictate compliance when implementing frictionless authentication where that data is going to be stored, processed, and used.

• Implementation Cost and Complexity: Frictionless authentication systems can be more costly and complex to implement and troubleshoot than traditional authentication methods. These costs include those related to technology development, maintenance, and potentially handling security breaches. As a result, the return on investment (ROI) for implementing frictionless authentication can be unclear, especially if the current authentication methods are deemed sufficient by the organization’s leadership.

• User Acceptance, Trust and Cultural Readiness: Securing user trust and acceptance for frictionless authentication systems can be challenging, given concerns about surveillance. If the organization’s culture is resistant to change or if there’s a lack of leadership support, implementation can be difficult.

Addressing these challenges for frictionless authentication is essential to ensure its successful and ethical implementation. Balancing security, user convenience, and privacy remains an important challenge in the implementation of this technological approach.

Considerations for Implementing a Frictionless Authentication Approach and Solution

Implementing frictionless authentication involves a comprehensive approach that addresses technical, user experience, and security considerations. Here are some of the considerations for implementing a frictionless authentication approach and solution:

• Assess User Requirements and Tolerances: Understand the specific needs of your users and the context in which the authentication will occur. Different user groups may each have unique requirements and tolerances for frictionless authentication.

• Choose the Right Technology for Your Organization: It’s important to select the technology components that fit your organization’s needs. Options include biometric authentication (like facial recognition, fingerprint scanning, iris scanning), behavioral biometrics (like keystroke dynamics, gait analysis), and contextual factors (like location, device recognition).

• Ensure Integration with Existing Infrastructure: Ensure that the frictionless authentication solution integrates smoothly with your existing security infrastructure. This might involve interfacing with existing user databases, identity management systems, and MFA frameworks.

• Address User Privacy and Consent: Address privacy concerns by being transparent about what data is collected, how it’s used, and where it’s stored. Obtain user consent where necessary, especially for the collection and use of biometric data. Ensure compliance with legal and regulatory requirements related to data protection and privacy, such as GDPR.

• Consider Continuous and Risk-Based Authentication: Instead of a one-time authentication at login, consider continuous authentication, where the system constantly checks the user’s identity. Also, consider a risk-based authentication approach, which adjusts the authentication level based on the risk profile of the user’s actions.

• Strengthen Data Security: Given the sensitivity of biometric and behavioral data, strong data encryption and secure storage practices are more important than ever. Regularly review and update security measures to protect against emerging threats.

• Include Testing for Accuracy and Bias: Thoroughly test the system for accuracy and bias, ensuring it correctly identifies authorized users while blocking unauthorized access, as well as to ensure it works fairly and effectively across different user groups (especially in biometric systems). Plan for potential failure with fallback mechanisms, such as requesting a password or security question if the frictionless method fails.

• Educate and Support Users: Provide clear information and support to users about how the system works, its benefits, and how to use it. Address any concerns and assist any who may have trouble with the authentication process.

• Start With a Pilot: Start with a pilot implementation to gather data and feedback. Use these insights to refine the system before scaling it up for wider deployment.

Examples of Frictionless Authentication Solutions

Here are a few examples of frictionless authentication solutions that can be implemented and used as part of your overall authentication process:

Microsoft Authenticator: Microsoft Authenticator is a free app for iOS and Android that enables passwordless authentication using biometric recognition or one-time codes. With the free app, you can sign in to your personal or work/school Microsoft account without using a password. You can use the Authenticator app as a way to sign in if you forget your password and you can also use the app to back up and restore all your other account credentials. You can even use the Microsoft Authenticator to sign in to your non-Microsoft accounts.

Google Authenticator: Google Authenticator is a free app for iOS and Android that enables passwordless authentication using one-time codes. It adds an extra layer of security to your online accounts by adding a second step of verification when you sign in. This means that in addition to your password, you’ll also need to enter a code that is generated by the Google Authenticator app on your phone. The verification code can be generated by the Google Authenticator app on your phone, even if you don’t have a network or cellular connection.

Yubico Security Keys: Yubico Security Keys, also called Yubikeys, are physical “dongle” devices that can be used for passwordless authentication. They use public-key cryptography to authenticate users without the need for passwords securely. Yubikey’s biggest customers include Google, which has bought over 1 million Yubikey dongles for employee use as of the end of 2020.

Apple Touch ID and Face ID: Touch ID and Face ID are biometric authentication systems available on Apple devices that enable passwordless authentication using fingerprints and facial recognition, respectively. Apple claims that Face ID is statistically more advanced than Touch ID fingerprint scanning and exhibits significantly fewer false positives. But it does require the entire face to be displayed, which became a problem during the pandemic when so many of us were wearing masks in public.

Android Fingerprint and Facial Recognition: Like Apple’s Touch ID and Face ID, Android uses facial and fingerprint recognition as biometric authenticators for some mobile devices. Because there are several brands of Android devices (e.g., Samsung, Google, etc.), the implementation on each device varies.

Windows Hello: Windows Hello is an authentication technology that allows users to sign in to their Windows devices using biometric data, or a PIN, instead of a traditional password. It provides enhanced security through phish-resistant two-factor authentication, and built-in brute force protection. Windows Hello for Business is an extension of Windows Hello that provides enterprise-grade security and management capabilities, including device attestation, certificate-based authentication, and conditional access policies. Policy settings can be deployed to devices to ensure they’re secure and compliant with organizational requirements.

Google Titan Security Keys: While not entirely frictionless, Google’s Titan Security Keys provide a two-factor authentication solution that can work seamlessly with many services to enhance security without significant friction. Titan Security Keys provide cryptographic proof that users are interacting with the legitimate service that they originally registered their security key with and that they are in possession of their security key.

Okta Adaptive Multi-Factor Authentication (MFA): Okta offers Adaptive MFA, which provides user authentication through a range of factors including biometrics, smartphones, and behavioral factors. Adaptive authentication means the system is flexible depending on how much risk a user presents.

Incognia: Incognia uses location-based authentication via advanced location signals to reduce authentication friction and detect fraud. Incognia’s technology is designed to be highly resistant to location spoofing and offers superior precision for accurate authentication. Working passively in the background, Incognia’s passwordless authentication solution uses GPS, Wifi, Bluetooth, and device intelligence to determine whether the user logging in is at or near one of their Trusted Locations.

BioCatch: BioCatch focuses on behavioral biometrics, analyzing user behavior patterns such as how they type, swipe, or interact with a device to authenticate users and detect fraud.

Plurilock: Plurilock provides continuous authentication using behavioral biometrics, monitoring user behavior in real-time to ensure that the user accessing the system is the legitimate user.

Zighra: Zighra offers a patented AI-powered continuous authentication solution that learns from the user’s unique behavioral patterns to provide seamless security.

Please note that this list is not comprehensive and available solutions are subject to change. Conduct your own research when you’re ready to consider implementing one or more frictionless authentication solutions.

Conclusion

The growing popularity of frictionless authentication solutions is driven by the increasing demand for secure, convenient, and user-friendly methods of verifying identity in both personal and professional contexts. As traditional authentication methods, such as passwords, continue to be vulnerable to security breaches and present usability challenges, businesses and consumers alike are turning to frictionless options.

The shift to frictionless authentication options not only enhances user experience by minimizing disruptions and delays but also can strengthen security by employing more personalized and difficult-to-replicate authentication factors. With the rise of digital transactions, remote work, and the Internet of Things (IoT), frictionless authentication is becoming increasingly important for protecting sensitive information while accommodating the speed and ease of modern digital interactions.

ABOUT THE RESEARCH

This document was created by a human analyst in collaboration with generative AI.  The final content was developed, reviewed and edited by a human editor to ensure accuracy, originality, and adherence to applicable legal standards.

ABOUT HALOCK SECURITY LABS

HALOCK is a risk management and information security consulting firm providing cybersecurity, regulatory, strategic, and litigation services. HALOCK has pioneered an approach to risk analysis that aligns with regulatory standards for “reasonable” and “appropriate” safeguards and risk, using due care and reasonable person principles. As the principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers unique insight to help organizations define their acceptable level of risk and establish reasonable security. Cyber Security and Risk Management Consulting Firm | HALOCK

HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.

SCHEDULE YOUR FULL HALOCK SECURITY BRIEFING