New Jersey has recently passed legislation calling for internet and mobile gaming to provide two-factor authentication (2FA). Although 2FA has been used by companies in many industries, New Jersey’s legislation is noteworthy because it spells out what is usually considered best practice.
Speaking to SBC Americas, Thomas Hill, Head of Sports Betting & iGaming at Prove, explains why it is critical for operators to choose a multi-factor solution that not only complies with regulation but also prevents fraud and proxy betting.
SBC: For those who don’t know, talk us through the two-factor authentication legislation that New Jersey has implemented on its sports betting and igaming operators.
Thomas Hill: NJ requires its sports betting and igaming operators to implement at least two distinct authentication methods. These are deployed post account sign-up in order to protect patrons from account takeover fraud. Once an individual account successfully satisfies this requirement by authenticating via the two methods, that account is exempt for the subsequent 14-day period. In other words, 2FA needs to be satisfied every 14 days (or at each log-in, if the time elapsed between account log-ins is greater than 14 days).
SBC: Why has New Jersey created legislation for two-factor authentication? Is it not already used by many operators as best practice?
Hill: The NJ Division of Gaming Enforcement (DGE) is at the forefront of protecting its citizens who participate in and enjoy the digital sports betting and igaming ecosystem. Account takeover is a very common fraud vector, not just in this industry, but throughout banking, financial services…really any company with a digital presence that requires consumers to have an account is susceptible.
Specifically, the NJ DGE references credential stuffing as the most prevalent attack on internet gaming providers, which is where fraudsters use lists of compromised or breached information to attempt to gain access to player accounts. Some operators deploy 2FA methods already and others offer them to their patrons as an opt-in setting, but many do not enable it. Legacy 2FA methods typically inject some form of friction into the individual user experience.
SBC: What options do operators have when it comes to two-factor authentication? What is the best option for operators in your opinion?
Hill: Three primary categories exist:
1) Information-based methods, commonly referred to as “something you know”, such as knowledge-based authentication questions like “What street did you grow up on?” or “What was the make and model of your first car?”
2) Item- or token-based methods, known as “something you have”, where identity is authenticated via an assessment of a unique item in the possession of the patron, such as an ID document or mobile phone.
3) Biometric methods, commonly called “something you are”, such as a fingerprint scan or voice/face recognition matching.
My opinion is that the best options are those that authoritatively authenticate identity while also minimizing the friction that is thrust upon the consumer. Today, this is best achieved by leveraging the mobile phone that the patron is already using to access their betting/gaming app. With Prove’s tools, patrons don’t need to scan a document, their finger or face, nor do they need to answer annoying questions (the answers to which are easily purchasable in the same manner fraudsters acquire usernames and passwords). The majority of methods require action from the patron to check the 2FA box, all of which can lead to potential abandonment/disengagement. With a mobile-based approach, this can be accomplished in the background, with zero effect on the patron experience, while helping satisfy the regulatory requirement.
SBC: How critical is it for operators to choose the right multi-factor solution that not only complies with regulation but also prevents fraud and proxy betting?
Hill: Each operator will need to decide what their priorities are and how they want to impact the user experience. The advanced technologies that exist today offer a host of options to get the best of both worlds: a great patron experience that also prevents account takeover and proxy betting, which is when a friend or family member logs into someone else’s account on their behalf in order to place a bet. This is commonly done to skirt around the geolocation requirements as some states have legalized sports betting and igaming and others have not. Operators are currently battling for market share in a very competitive ecosystem and those that choose the right 2FA solutions will attract and retain more patrons by way of providing the best possible experience.
SBC: Do you see any other states copying New Jersey by adding two-factor authentication legislation as a way to prevent fraud and proxy betting?
Hill: Many states look to NJ as the tip of the spear with respect to US sports betting and iGaming regulation. It wouldn’t be surprising for other states to adopt similar legislation, especially those that are just now or in the future coming to market, as those typically have faced the most intra-state opposition on the path to legalization. Regardless of the regulatory requirements on a per state basis, proxy betting is an issue across all states and operators and the right 2FA methods can effectively minimize its frequency.