Finance industry organizations, eCommerce businesses, and other organizations that interact directly with end-users over the web are increasingly looking for better solutions for authenticating those users. They are challenged by the demand for new digital offerings, while they must comply with ever-tightening regulations and reduce the cost of IT operations as well as the cost of fraud.
However, changing authentication and shifting to better approaches is still challenging for many of these businesses. Password authentication is not only insecure, but it leads to poor consumer experiences and is costly for businesses to maintain. Knowledge-based authentication is an even worse alternative. In order to deter fraud, comply with new regional and industry-specific regulations, and improve the customer experience, organizations are adopting new types of modular authentication services.
Most organizations have IAM products in place already. However, many are finding that their current solutions are not able to meet consumer expectations or security requirements. There are plenty of cases where banks have incurred massive losses through fraud, and banks and other organizations have been hit by attacks that exploited weaknesses in authentication and fraud management.
There are a number of motivations driving businesses to enhance their authentication solutions:
- Improve consumer experiences
- Increase security
- Reduce fraud
- Preserve privacy
- Comply with regulations requiring strong or multi-factor authentication or robust identity verification, such as AML (Anti-Money Laundering), EU PSD2, KYC (Know Your Customer), and 23 NYCRR 500 (the New York Department of Financial Services cybersecurity regulation)
Consumer authentication services today primarily leverage mobile devices, particularly smartphones. Given the near ubiquity of these devices, this is not a surprise. A smartphone can serve as the second factor, the “something you have” factor, in Multi-Factor Authentication (MFA) scenarios, provided the authenticator is cryptographically bound to the device; an SMS OTP delivered to a phone number is a considerably weaker form of possession than an app-based or device-bound credential.
The Regulatory Technical Standards (RTS) of the Revised Payment Services Directive (PSD2) in the EU require banks, financial institutions, and other payment service providers to apply strong customer authentication (SCA) and to operate transaction risk monitoring when authenticating users and authorizing monetary transactions. Sophisticated Consumer Authentication solutions can provide these necessary functions. Additionally, the improved customer experience that modern solutions offer will foster brand loyalty and give a competitive advantage to those financial companies that deploy them.
Common features of Consumer Authentication solutions include:
- Self-registration for customers, supporting a broad variety of approaches
- Flexible and seamless, non-intrusive customer journeys reducing drop-off rates
- Consent mechanisms for users to control the use of their data
- Single Sign-On (SSO) across all digital properties of the target organization
- Multiple authentication options for customers, selected depending on risk and policy
- Anti-fraud capabilities, mitigating risks of fraudulent access and transactions
- Flexible application integration
Callsign is a vendor that delivers an integrated solution that covers both the registration and authentication capabilities, and fraud management, while targeting a broad set of regulations including GDPR and PSD2.
2 Product Description
Callsign, headquartered in London, UK, is a vendor delivering an integrated solution that covers registration flows, strong and adaptive authentication, and identity fraud management. Their focus is on shifting from point solutions, e.g. for risk-based authentication or fraud management, to an integrated approach that allows businesses to support the entire journey from registration to recurring access in one consistent solution. With its extensible platform approach, Callsign intends to enable customers to stay ahead of new vulnerabilities and fraud attempts, both through flexible customization and intelligent adaptation of the platform, and by adding new capabilities such as additional authenticators. The goal is that Callsign customers can build on a single platform that adapts to the ever-changing requirements around consumer authentication and fraud management.
Some of the fraud management and adaptive authentication capabilities of Callsign are built on artificial intelligence (AI) capabilities that analyze behavior and support anomaly identification. Callsign calls this “Intelligence Driven Authentication”: advanced analytics and AI are applied to the signals and input collected, and decisions are made based on these analytics. This allows for building flexible customer journeys using a variety of different authenticators.
Consequently, the solution is split into three areas:
- Intelligence Engine: Artificial Intelligence & Machine Learning (Callsign Intelligence)
- Decisioning: Decisioning, Orchestration, and Journey Mapping (Callsign Policy)
- Authenticators: Possession, Knowledge & Inherence Authenticators (Callsign Authentication)
Additionally, there is the Callsign SDK for integrating the Callsign solution with the apps, websites and applications that the business uses for interacting with its customers and consumers.
The first of these modules is focused on collecting a broad variety of information to create what Callsign calls the “digital DNA” of the user. Information collected includes device information, location data, and behavioral data such as keystroke, mouse, swipe, and touch dynamics, among others. Given the breadth of information that can be collected, subject to the configuration of Callsign’s platform and to user preferences, individuals can be recognized after very few interactions. This enables passive, background authentication both at initial authentication and as a means of continuous authentication during a session.
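To make the behavioral part of this concrete, the following added example (not Callsign's code; the page does not disclose their algorithm) shows one common way keystroke dynamics are turned into a decision: per-key hold times and inter-key flight times are extracted from enrollment samples, a per-feature mean and standard deviation profile is built, and a new sample is scored by its mean absolute z-distance from that profile. The event format, the phrase, the timings, and the threshold are all constructed assumptions for illustration.

```python
"""Illustrative keystroke-dynamics enrollment and scoring.

Added example, not Callsign's implementation. Assumed event format: a
typing sample is a list of (key, press_ms, release_ms) tuples for a fixed
phrase. All timings below are constructed, not captured from a real user.
"""
from statistics import mean, pstdev

KEYS = ["p", "a", "s", "s"]   # assumed fixed enrollment phrase
MIN_STD = 1.0                 # floor so a perfectly regular typist cannot divide by zero


def features(sample):
    """Hold time per key, then flight time (next press - previous release)."""
    holds = [release - press for _, press, release in sample]
    flights = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return holds + flights


def enroll(samples):
    """Per-feature (mean, std) profile from several genuine samples."""
    columns = list(zip(*(features(s) for s in samples)))
    return [(mean(col), max(pstdev(col), MIN_STD)) for col in columns]


def score(profile, sample):
    """Mean absolute z-distance of a sample from the profile (lower is closer)."""
    feats = features(sample)
    if len(feats) != len(profile):
        raise ValueError("sample does not match the enrolled phrase")
    zs = [abs(x - m) / s for x, (m, s) in zip(feats, profile)]
    return sum(zs) / len(zs)


def decide(profile, sample, threshold=2.0):
    """True if the sample is close enough to pass passively; threshold is assumed."""
    return score(profile, sample) <= threshold


def make_sample(holds, flights, jitter):
    """Build a constructed sample from template timings plus a constant jitter."""
    events, t = [], 0
    for i, hold in enumerate(holds):
        press = t
        release = press + hold + jitter
        events.append((KEYS[i], press, release))
        if i < len(flights):
            t = release + flights[i] + jitter
    return events


# Constructed genuine typing rhythm and a constructed impostor rhythm.
GENUINE_HOLDS, GENUINE_FLIGHTS = [90, 80, 100, 85], [120, 140, 110]
IMPOSTOR_HOLDS, IMPOSTOR_FLIGHTS = [60, 150, 70, 130], [200, 90, 250]


def build_profile():
    """Enroll from five constructed genuine samples with small, varied jitter."""
    samples = [make_sample(GENUINE_HOLDS, GENUINE_FLIGHTS, j) for j in (-4, -2, 0, 2, 4)]
    return enroll(samples)


def genuine_probe():
    return make_sample(GENUINE_HOLDS, GENUINE_FLIGHTS, 3)


def impostor_probe():
    return make_sample(IMPOSTOR_HOLDS, IMPOSTOR_FLIGHTS, 0)


PROFILE = build_profile()

if __name__ == "__main__":
    print("genuine  score=%.2f pass=%s" % (score(PROFILE, genuine_probe()), decide(PROFILE, genuine_probe())))
    print("impostor score=%.2f pass=%s" % (score(PROFILE, impostor_probe()), decide(PROFILE, impostor_probe())))
```

The point a practitioner should take from this is that the profile, not the raw keystrokes, is what needs protecting and minimizing: it is derived data that identifies a person and is subject to the consent and regional constraints discussed next, and a fixed z-score threshold is only a starting point that real deployments tune per user and per risk level.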
Callsign follows Privacy by Design approaches in this area, specifically by collecting minimal data points. Nevertheless, these capabilities must be reviewed carefully with respect to how they are used, depending on region and applicable regulations, as well as on customer consent and related contracts.
In the second module, Callsign Policy, the effective user journey is configured. Journeys can be defined in a very simple way, building on natural language and allowing them to be configured without coding. This is essential for rapidly adapting to changing business requirements on such customer journeys, without lengthy coding and testing cycles. Part of that is the orchestration of authentication methods, where multiple authenticators might be used sequentially or as alternatives to each other. User journeys are displayed graphically, so they are easy to understand. Callsign also provides pre-built templates for common scenarios.
Such journeys are also supported for both onboarding and recurring access. They can involve consent and privacy management, as well as other aspects of registration flows. For risk decisions, both information from Callsign Intelligence and from external systems for Fraud Management and Anti Money Laundering (AML) can be used in enhanced decision making.
Based on this approach, Callsign allows for rapidly implementing optimized user journeys for different types of apps and services as well as for different user groups and business cases. All journeys are managed centrally and are easy to edit. An outstanding capability in this area is the testing and simulation ability, which supports both active and passive testing. Active testing observes what actually happens when real users pass through a specific journey, while passive testing replays recorded or constructed events against a journey in simulation, so that the effect of a policy change can be assessed before it is exposed to customers.
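The following added example illustrates the decisioning and orchestration described above together with passive testing by simulation. It is not Callsign's code and does not reproduce their policy language; it is a minimal ordered-rule engine in which each rule maps risk signals (a behavioral similarity score from the intelligence layer and a fraud score from an external system are both assumed inputs) to an outcome, and a step-up outcome carries an ordered list of alternative authenticators. The rule thresholds, the signal names, and the sample events are all constructed for illustration.

```python
"""Illustrative risk-based policy engine with authenticator orchestration and
journey simulation. Added example, not Callsign's implementation; the policy
language, thresholds and event data below are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Signals:
    device_known: bool        # device previously bound to this customer (assumed signal)
    behaviour_score: float    # 0..1 similarity to the user's behavioral profile (assumed)
    fraud_score: float        # 0..1 from an external fraud/AML system (assumed)
    amount: float             # transaction amount; 0 for plain login
    new_payee: bool = False   # first payment to this beneficiary


@dataclass
class Rule:
    name: str
    condition: Callable[[Signals], bool]
    outcome: str                                   # "allow", "deny" or "step_up"
    authenticators: List[str] = field(default_factory=list)  # ordered alternatives


DEFAULT_DENY = Rule("no rule matched (fail closed)", lambda s: True, "deny")


def build_policy(amount_threshold=1000.0, behaviour_threshold=0.6):
    """First matching rule wins, so order encodes precedence. Thresholds are assumed."""
    return [
        Rule("high external fraud risk", lambda s: s.fraud_score >= 0.9, "deny"),
        Rule("large or unusual payment",
             lambda s: s.amount >= amount_threshold or s.new_payee,
             "step_up", ["push", "totp", "sms"]),
        Rule("unknown device", lambda s: not s.device_known, "step_up", ["push", "sms"]),
        Rule("behaviour mismatch", lambda s: s.behaviour_score < behaviour_threshold,
             "step_up", ["push", "totp"]),
        Rule("known device, behaviour matches", lambda s: True, "allow"),
    ]


def evaluate(policy, signals) -> Rule:
    return next((r for r in policy if r.condition(signals)), DEFAULT_DENY)


def run_journey(policy, signals, available) -> Tuple[str, Optional[str]]:
    """Return (decision, authenticator). For step_up, pick the first preferred
    authenticator the customer has enrolled; none usable means deny, never allow."""
    rule = evaluate(policy, signals)
    if rule.outcome != "step_up":
        return rule.outcome, None
    for auth in rule.authenticators:
        if auth in available:
            return "step_up", auth
    return "deny", None


def simulate(policy, events):
    """Passive test: replay (signals, enrolled authenticators) pairs, count outcomes."""
    counts = Counter(run_journey(policy, s, avail)[0] for s, avail in events)
    return dict(counts)


# Constructed sample events: (signals, authenticators enrolled by that customer).
SAMPLE_EVENTS = [
    (Signals(True, 0.90, 0.10, 20.0), ["push"]),                    # passive allow
    (Signals(False, 0.70, 0.20, 50.0), ["sms"]),                    # unknown device -> sms
    (Signals(True, 0.95, 0.10, 5000.0), ["totp"]),                  # large payment -> totp
    (Signals(True, 0.30, 0.95, 100.0), ["push", "totp"]),           # external fraud -> deny
    (Signals(True, 0.40, 0.20, 100.0), []),                         # mismatch, nothing enrolled -> deny
    (Signals(True, 0.85, 0.30, 300.0), ["push"]),                   # passive allow
]

if __name__ == "__main__":
    print("current policy:", simulate(build_policy(), SAMPLE_EVENTS))
    print("amount threshold raised to 10000:",
          simulate(build_policy(amount_threshold=10000.0), SAMPLE_EVENTS))
```

Two design points matter here. The catch-all and the "no usable authenticator" path both fail closed, which is the safe default when a journey is edited and a rule is accidentally dropped. And because the policy is plain data, the simulation can be rerun against the same event set with a changed threshold, which is exactly what passive testing buys: the raised amount threshold turns the 5000 payment into a passive allow, and the counts show that before any customer sees the change.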
Furthermore, Callsign Policy Management integrates with the Privacy and Consent Management capabilities provided by the solution. Policies define when and how privacy and consent related information is collected and processed. Thus, these capabilities can be flexibly integrated into the user journeys, depending on various triggers and scenarios. The solution allows for working with aliases in place of PII, thus minimizing the PII held by Callsign. Consent can be collected and is stored by Callsign. The company follows a Privacy by Design approach, as required by the EU GDPR, minimizing the data collected and retained.
Finally, in the third module, Callsign Authentication, the solution provides support for a variety of different authenticators, from traditional biometrics to swipe/keystroke behavioral authentication and classical SMS/call OTP, plus many others. The support for authenticators is very broad and well-targeted at the common use cases of customer and consumer authentication in the regulated industries that are Callsign's primary target. The one major shortcoming in that area is that there is no support for the FIDO Alliance standards yet, which are gaining significant momentum in authentication.
Underlying capabilities of the Callsign solution include role-based administration of entitlements for managing the platform and the user journeys. Callsign builds on a modern, modular services architecture that provides REST APIs for accessing all major capabilities and for integrating risk checks from external services into the customer journeys. The solution is cloud-hosted, but can also be run on premises at the customer's request.
3 Strengths and Challenges
Callsign Intelligence-Driven Authentication is a solution that excels through the combination of various capabilities. While there are many consumer authentication solutions, fraud management solutions, and privacy/consent management solutions available on the market, most of them address only certain aspects such as authentication or fraud management, or even focus only on specialties such as user behavior. In contrast, Callsign integrates all these capabilities in a coherent manner, with strong capabilities across all areas. Their AI capabilities add to this, providing a fully integrated approach to risk analytics and fraud management.
Callsign has demonstrated the scalability of the solution at some large customers. While their current focus is the finance industry, the solution is attractive to various other regulated industries such as energy or government as well. The well-thought-out, modern architecture allows for rapid adaptation to different use cases and customer journeys as well as straightforward integration into existing consumer-facing UIs and apps as well as backend systems.
From a feature perspective, we recommend adding support for the FIDO Alliance standards as one major capability, and note that this is on their roadmap. Aside from that, Callsign comes with a comprehensive offering. As part of their growth, Callsign would be well-advised to consistently grow their partner ecosystem and their visibility in the market. Currently, Callsign is still a relatively small vendor.
From our perspective, Callsign is an interesting solution in the space of consumer authentication and fraud management and should be considered for product shortlists in tool selection processes.