KuppingerCole Report
Executive View
By Martin Kuppinger

Callsign Intelligence Driven Authentication

Callsign is a provider of an identity platform that integrates consumer onboarding, authentication, and fraud management in a well-thought-out manner. In contrast to other solutions, all capabilities are tightly integrated. The platform uses AI/ML for risk analysis and supports passive and continuous authentication. It is feature-rich and easy to use, with flexible support for creating, managing, and testing user journeys.

1 Introduction

Finance industry organizations, eCommerce businesses, and other organizations that interact directly with end-users over the web are increasingly looking for better solutions for authenticating those users. They are challenged by the demand for new, digital offerings, while they must comply with ever-tightening regulations and reduce the cost of IT operations as well as of fraud.

However, changing authentication and shifting to better approaches is still challenging for many of these businesses. Password authentication is not only insecure, but it leads to poor consumer experiences and is costly for businesses to maintain. Knowledge-based authentication is an even worse alternative. In order to deter fraud, comply with new regional and industry-specific regulations, and improve the customer experience, organizations are adopting new types of modular authentication services.

Most organizations have IAM products in place already. However, many are finding that their current solutions are not able to meet consumer expectations or security requirements. There are plenty of cases where banks incurred massive costs from fraud, and where banks and other organizations were hit by attacks that exploited weaknesses in authentication and fraud management.
There are a number of motivations driving businesses to enhance their authentication solutions:

  • Improve consumer experiences
  • Increase security
  • Reduce fraud
  • Preserve privacy
  • Comply with regulations requiring strong or multi-factor authentication, such as AML (Anti-Money Laundering), EU PSD2, KYC (Know Your Customer), and NY CCR (New York cybersecurity law)

Consumer authentication services today are primarily leveraging mobile devices, particularly smartphones. Given the near ubiquity of these devices, it’s not a surprise. Smartphones can serve as a second factor, or the “something you have” factor in Multi-Factor Authentication (MFA) scenarios.

The Regulatory Technical Specifications (RTS) of the Revised Payment Service Directive (PSD2) in the EU require banks, financial institutions, and other payment service providers to offer strong customer authentication (SCA) and perform user behavioral analysis to authenticate and authorize monetary transactions. Sophisticated Consumer Authentication solutions can provide these necessary functions. Additionally, the improved customer experience possibilities that modern solutions offer will facilitate brand loyalty and give a competitive advantage to those financial companies that deploy them.

Common features of Consumer Authentication solutions include:

  • Self-registration for customers, supporting a broad variety of approaches
  • Flexible and seamless, non-intrusive customer journeys reducing drop-off rates
  • Consent mechanisms for users to control the use of their data
  • Single Sign-On (SSO) across all digital properties of the target organization
  • Multiple authentication options for customers, depending on risks and policies
  • Anti-fraud capabilities, mitigating risks of fraudulent access and transactions
  • Flexible application integration

Callsign is a vendor that delivers an integrated solution that covers both the registration and authentication capabilities, and fraud management, while targeting a broad set of regulations including GDPR and PSD2.

2 Product Description

Callsign, headquartered in London, UK, is a vendor delivering an integrated solution that covers registration flows, strong and adaptive authentication, and identity fraud management. Their focus is on shifting from point solutions, e.g. for risk-based authentication or fraud management, to an integrated approach, allowing businesses to support the entire journey from registration to recurring access in an integrated, consistent solution. Focusing on an extensible platform approach, Callsign intends to enable their customers to stay ahead of new vulnerabilities and fraud attempts, both through flexible customization and intelligent adaptation of the platform, and by adding new capabilities such as additional authenticators. The target is that Callsign customers can build on a single platform that adapts to the ever-changing requirements around consumer authentication and fraud management.

Some of the fraud management and adaptive authentication capabilities of Callsign are built on artificial intelligence (AI) capabilities that analyze behavior and support anomaly identification. Callsign calls this “Intelligence Driven Authentication”: advanced analytics and AI are used to analyze the signals and input collected and to make decisions based on these analytics. This allows for building flexible customer journeys, using a variety of different authenticators.

Consequently, the solution is split into three areas:

  • Intelligence Engine: Artificial Intelligence & Machine Learning (Callsign Intelligence)
  • Decisioning: Decisioning, Orchestration, and Journey Mapping (Callsign Policy)
  • Authenticators: Possession, Knowledge & Inherence Authenticators (Callsign Authentication)

Additionally, there is the Callsign SDK for integrating the Callsign solution with the apps, websites and applications that the business uses for interacting with its customers and consumers.

The first of these modules is focused on collecting a broad variety of information to create what Callsign calls the “digital DNA” of the user. Information collected includes device information, location data, and behavioral data such as keystroke, mouse, swipe, touch dynamics, and other information. Based on the breadth of information that can be collected, depending on the configuration of Callsign’s platform as well as the user preferences, individuals can be identified after very few interactions. This results in the ability to use passive background authentication for both initial authentication and as a means of continuous authentication during a session.

Callsign is following Privacy by Design approaches in this area, specifically by collecting minimal data points. Nevertheless, these capabilities must be reviewed carefully with respect to the way they are used, depending on region and applicable regulations, but also on customer consent and related contracts.

In the second module, Callsign Policy, the effective user journeys are configured. These can be defined in a very simple way, building on natural language and allowing such journeys to be configured without coding. This is essential for rapidly adapting customer journeys to business requirements, without lengthy coding and testing cycles. Part of that is the orchestration of authentication methods, where multiple authenticators might be used sequentially or alternatively. User journeys are displayed graphically, so they are easy to understand. Callsign also provides pre-built templates for common scenarios.

Such journeys are also supported for both onboarding and recurring access. They can involve consent and privacy management, as well as other aspects of registration flows. For risk decisions, both information from Callsign Intelligence and from external systems for Fraud Management and Anti Money Laundering (AML) can be used in enhanced decision making.

Based on this approach, Callsign allows for rapidly implementing optimized user journeys for different types of apps and services as well as different user groups and business cases. All journeys are managed centrally and are easy to edit. An outstanding capability in this area is the testing and simulation ability, which allows for both active testing and passive testing. While the former builds on tracking what happens when users are using the specific journey, the latter is effectively built on a form of simulation.

Furthermore, Callsign Policy Management integrates with the Privacy and Consent Management capabilities provided by the solution. Policies define when and how privacy and consent related information is collected and processed. Thus, these capabilities can be flexibly integrated into the user journeys, depending on various triggers and scenarios. It allows for working with aliases for PII, thus minimizing the PII held by Callsign. Consent can be collected and is stored by Callsign. The company is following a Privacy by Design approach, as requested by the EU GDPR, minimizing the data collected and kept.

Finally, in the third module, Callsign Authentication, the solution provides support for a variety of different authenticators, from traditional biometrics to swipe/keystroke behavioral authentication and classical SMS/Call OTP, plus many others. The support for authenticators is very broad and well-targeted at the common use cases of customer and consumer authentication in regulated industries that are the primary target of Callsign. The one major shortcoming in that area is that there is no support for FIDO Alliance standards yet, which are massively gaining momentum in authentication.

Underlying capabilities of the Callsign solution include role-based administration of entitlements for managing the platform and the user journeys. Callsign builds on a modern, modular services architecture that provides REST APIs for accessing all major capabilities, but also for integrating risk checks in the customer journeys with external services. The solution is cloud-hosted, but also can be run on premises as per customer request.

3 Strengths and Challenges

Callsign Intelligence-Driven Authentication is a solution that excels by the combination of various capabilities. While there are various consumer authentication solutions, fraud management solutions, and privacy/consent management solutions available on the market, most of the other solutions address certain aspects such as authentication or fraud management, or even focus only on specialities such as user behavior. In contrast, Callsign integrates all these capabilities in a coherent manner, with strong capabilities across all areas. Their AI capabilities add to this, providing a fully-integrated approach on risk analytics and fraud management.

Callsign has demonstrated the scalability of the solution at some large customers. While their current focus is the finance industry, the solution is attractive to various other regulated industries such as energy or government as well. The well-thought-out, modern architecture allows for rapid adaptation to different use cases and customer journeys as well as straightforward integration into existing consumer-facing UIs and apps as well as backend systems.

From a feature perspective, we recommend adding support for the FIDO Alliance standards as one major capability, and note that this is on their roadmap. Aside from that, Callsign comes with a comprehensive offering. As part of their growth, Callsign would be well-advised to consistently grow their partner ecosystem and their visibility in the market. Currently, Callsign is still a relatively small vendor.

From our perspective, Callsign is an interesting solution in the space of consumer authentication and fraud management and should be considered in product shortlists during tool selection processes.

Strengths

  • Integrated offering supports authentication and fraud management as well as privacy and consent management
  • Broad set of authenticators supported for different types of devices
  • Modern, well-thought-out architecture, comprehensive REST APIs
  • Utilizes AI/ML for risk analysis and customer identification
  • Supports passive and continuous authentication based on that analysis
  • Can integrate with additional external threat and fraud intelligence services
  • Follows a Privacy by Design approach and integrates Privacy and Consent Management
  • Very flexible and easy to configure customer journeys

Challenges

  • Still relatively small vendor
  • Small partner ecosystem, limiting the ability to scale globally
  • No support for FIDO Alliance standards yet (in roadmap)

Copyright

©2020 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.
