The fusion of authentication and fraud prevention is here. Are you ready for it?

How do you measure the performance of your authentication program? 

That is a question I’ve come back to again and again over the years. When I ask other financial services leaders how they measure the success of their authentication programs, I (surprisingly) often hear it is not tied to fraud. Nor is it tied to fraud losses. 

Sure, it may be noted in a root cause report, but there is a broader picture we should consider here. If authentication isn’t measured against confirmed fraud, how do you know where vulnerabilities actually exist?

After an account is established, authentication is often treated as a front-door control. Fraud is treated as something that happens after entry. In reality, they are two parts of the same system. 

Authentication failures don’t happen in isolation

Let’s think through a basic account takeover (ATO) scenario. 

A bad actor has the online banking credentials of a client. They successfully log into the online banking account and initiate an external transfer.  Fortunately, before the funds leave the financial institution, the transfer is stopped.

So where did the breakdown occur?

• The bad actor used a device at login that was not previously associated with the account.
• The device and behavior surrounding the login event did not match the historical pattern of the client.
• The online banking login controls did not detect the suspicious entry.
• The transaction monitoring system detected  the external transfer once it was initiated to be sent.

Each of these signals tells part of the story. But if authentication performance isn’t correlated to unauthorized attempts, then the signals remain disconnected, and you would not even know the authentication program failed here.

A fraud leader recently described the relationship between authentication and fraud prevention using a simple analogy: authentication is the bouncer at the door, while transaction monitoring is security inside the club. You need both. The bouncer ensures the right people get in, and security makes sure they behave appropriately once inside.

Occasionally, someone might slip past the door with a fake ID. That’s why the second layer exists. But the real strength comes from coordination. If security spots bad behavior inside, they remove the individual and alert the bouncer not to let them back in.

A successful, holistic risk program works in a similar way. It connects identity signals across onboarding, authentication, and ongoing account activity across all channels. It treats authentication and fraud not as separate checkpoints, but as a continuous feedback loop.

The convergence of authentication and fraud with customer experience is accelerating

An institution's fraud and authentication programs are larger than technology and losses; they’re customer experiences. Jim Mortensen from Datos Insights wrote a great article on the power of authentication across personas. The article explores how authentication is a personal interaction that directly aligns with customer relationships. 

Even if financial institutions separate authentication and fraud operationally, customers don’t experience them that way. 

From a consumer’s perspective, authentication is fraud prevention. It’s the moment they trust their financial institution to protect them from loss. 

In Alloy’s 2026 State of Scams survey, we found that 97% of consumers rank fraud prevention and security measures as important factors when selecting a financial institution. At the same time, 79% of financial institutions report that strong fraud prevention increases customers’ willingness to purchase more products and services. Protection and growth are no longer in tension. They are linked.

And yet, research shows that a majority of financial institutions lack continuous authentication throughout the user lifecycle, and many do not incorporate behavioral or device-based risk signals for real-time anomaly detection. This gap is where friction and fraud both emerge. 

Fortunately, a report from Liminal shows that 79% of buyers at financial institutions now prefer identity-focused platforms that unify authentication and fraud prevention.

Identity-centric platforms are closing that gap by unifying onboarding, authentication, and fraud signals. Instead of evaluating credentials at a single point in time, institutions can continuously assess risk using behavioral, device, and historical identity data across every client interaction.

That convergence isn’t just operational. It fundamentally transforms customer experience. 

How risk-based authentication improves customer experience

A strong fraud program has benefits far beyond mitigating losses. Preventing an account takeover is one of the most powerful customer experience moments a digital banker can deliver. 

But friction works both ways. Too little security erodes trust. Too much unnecessary friction drives frustration and abandonment. 

Enter: risk-based authentication (RBA).

Traditional authentication strategies apply the same level of friction to every user. Risk-based authentication adjusts friction dynamically based on context. 

Consider two customers who live in New York City and log in via mobile:

• Customer A has forgotten their password, but is logging in from their registered device in their usual location.
• Customer B has forgotten their password, but is logging in from a brand-new device in Mexico.

Without risk-based authentication, both customers might receive the same multi-factor authentication (MFA) challenge. 

With risk-based authentication, the experience dynamically adapts:
 

• Customer A logs in seamlessly, with no additional friction as their device is recognized, historical behavior is consistent with prior sessions, among other positive signals. As a result, the risk-based assessment is low risk and low friction, and a passive phone verification may be performed in the background.
• Customer B received a step-up verification based on elevated risk. The phone was not recognized, the device was jailbroken, and several other risk factors were present, necessitating an additional step-up verification with the client before proceeding to log in.

Why? By looking at signals (such as device, geolocation, and behavior) in combination and in the context of the full history of user behavior from first touch to ongoing activity across channels, users can be routed to tailored journeys that match the level of risk presented. A unified decisioning layer can assess identity risk holistically, enrich with third-party intelligence (e.g., not only does this device belong to the user, but is it a known risky device?), and determine with increased confidence where friction is justified.

The result is what we call a “friction-right” banking experience. Low-risk customers move through quickly. Higher-risk sessions receive stronger controls. 

This approach reduces unnecessary friction while strengthening protection where it matters most. Customers want their institutions to protect them; they just want that protection to feel intelligent, not arbitrary. 

When authentication and fraud signals work together in real-time, institutions can deliver both security and a streamlined experience. 

What comes next

The financial services industry has always evolved in waves. We’ve navigated digital transformation. We’ve seen the convergence of fraud and AML (FRAML). Now we’re entering a new phase: the convergence of authentication and fraud.

Some institutions are well into this shift. Many are just beginning.

Over the next several years, this convergence will accelerate. Institutions that treat authentication as two sides of the same identity problem will be better positioned to protect customers, reduce losses, and build lasting trust. 

The fusion of authentication and fraud isn’t coming. It’s already here.