More and more transactions involve a user operating a mobile device, such as a smartphone. A common example of a transaction is a purchase transaction, wherein the user or consumer utilizes his or her mobile device to purchase goods and/or services from a merchant. It is important to securely authenticate users involved in transactions, and authentication typically includes prompting the user to enter a personal identification number (“PIN”) or the like. However, it is becoming increasingly important to provide additional authentication layers (sometimes referred to as “multi-factor” authentication) for improved security and authentication.
Many mobile devices include one or more authenticators or authentication components that can be utilized by users or consumers to input authentication data during a transaction. For example, a smartphone may include one or more authenticators, such as a fingerprint sensor, a digital camera (that can be utilized to obtain facial data or iris scan data, for example), a keypad and/or touch screen (that can be used to enter a predetermined pattern and/or a personal identification number (PIN)), and the like. However, mobile device market fragmentation has resulted in many different types of mobile devices, for example, smartphones and/or tablet computers running different flavors of the Android™ operating system (OS), which are fabricated by different manufacturers and support different sets and/or types of authenticators. Each mobile network operator (MNO) typically supports a very large number of users or subscribers to its platform, which makes it difficult or nearly impossible for an MNO to determine one optimal set of authentication components that is common to all the mobile devices currently utilizing the mobile telephone network, and that also meets the security criteria envisaged by an entity (such as an issuer of payment card accounts). MNOs attempt to solve this problem by designating “default rules” to cover all users regarding user authentication. However, such default rules are usually generic to accommodate all the different types of mobile devices at the expense of excluding newer or more secure authenticators, for example, those that may be found on “flagship” mobile devices that have not yet achieved much market penetration.
Thus, methods have been proposed which enable an end user (consumer) to select one or more authentication components available on his or her own mobile device for use in providing authentication data, and/or to override the authenticators associated with the default rules. However, this approach has disadvantages. A first disadvantage is that users or consumers must be willing and able to take action to designate one or more available mobile device authenticators in accordance with authentication requirements of third party entities, such as issuer financial institutions. A second disadvantage is that an entity, such as an MNO, must also provide a facility (such as a web portal) which is accessible to users for selecting and applying any necessary changes to designate one or more authentication components.
It would therefore be desirable to provide methods and systems that automatically configure user authentication rules for use in transactions (such as purchase transactions and/or payment transactions) for each of a plurality of users and their mobile devices, which processes and/or systems satisfy various predefined criteria (such as third party entity authentication rules), use available mobile device authentication components, account for one or more risk factors, and/or accommodate consumer preferences.