User authentication has been a chief security concern for financial institutions (FIs) for many years, and is arguably more pressing today than it has ever been before.
The modern financial services industry encompasses an expanding array of channels through which consumers can log into their accounts, authorize transactions and make payments. The upside of this is increased convenience and a stronger customer experience, but the downside is a wider range of potential attack vectors for criminals to exploit and banks to defend against.
It’s therefore more important than ever that FIs invest in the latest and most reliable methods of user authentication, to minimize the risk of bad actors successfully impersonating genuine customers.
So what are the latest developments on this front, and have we reached a point where traditional safeguards such as user IDs and passwords are no longer enough?
Authentication ‘at a crossroads’
The financial services sector could be approaching a decisive turning point, as far as user authentication is concerned. There is a strong argument that the traditional username and password protections used in online banking, for example, are no longer sufficient to prevent fraudulent access.
Criminals have had several years to come up with ways of getting around these identity checks, so it’s vital that FIs invest in the latest and strongest authentication systems.
According to the 2017 State of Authentication Report, which was produced by Javelin Strategy & Research and sponsored by the FIDO Alliance, many businesses continue to rely on passwords, even though more advanced options are available.
Among those organizations that use two-factor authentication, the most common secondary checks are knowledge-based – such as static questions – as opposed to possession-based systems such as security keys or on-device biometrics.
Al Pascual, senior vice president and research director at Javelin, said: “Many consumer devices are coming equipped with built-in capabilities that enable high-assurance strong authentication, reducing costs and complexity for all stakeholders.”
Brett McDowell, executive director at the FIDO Alliance, added: “So many of our commercial transactions today take place over the internet, and we’ve seen time and again that passwords, and even one-time passcodes, do not provide sufficient protection against today’s threats.”
So what is the future of authentication?
As the Javelin research suggested, one technology that holds a lot of potential is biometric authentication.
An increasing number of consumer devices – perhaps most notably the recently launched iPhone X, which comes equipped with facial recognition – now offer biometric capability. This means users are becoming increasingly comfortable with identifying themselves via a fingerprint or facial scan, and widespread rollout of biometric authentication is becoming more feasible for FIs.
It should be remembered that, like any new security technology, biometrics could raise its own unique questions and concerns. What contingency plans are in place if a consumer’s biometric data is somehow stolen or compromised in a data breach, for example?
In a recent article for Harvard Business Review, Sridhar Muppidi, chief technology officer for identity and access management solutions at IBM Security Systems, argued that two-factor authentication is no longer sufficient to keep users safe.
He pointed out that an increasing number of FIs are taking a layered, multifactor approach. This might involve augmenting identity checks such as PINs, passwords and fingerprints with additional strategies such as using push notifications to link an individual’s identity with a particular device, rather than a phone number that could have been ported to a separate phone or SIM card.
Techniques such as behavioral analysis could also come into play to complement multifactor authentication.
As far as future technologies are concerned, blockchain could have a part to play in user authentication. Coindesk recently reported on a patent application by Sony that hinted at possible plans to use a blockchain platform to generate and receive unique user codes, as part of a multifactor authentication system.
With so much innovation and potential change occurring in this space, it’s possible that the days of the traditional username and password are numbered. If this makes life more difficult for the criminals and provides more protection for banks and their customers, it can only be a good thing.