By Peter Tapling
Data breaches continue to increase in frequency as other fraud schemes persist, causing losses for financial institutions, merchants and customers alike. Improving identity risk management for all customer-facing channels has become imperative. However, authentication today is overly intricate. Banks must therefore consider the opportunities available to apply mobile technology to simplify authentication, reduce risk and provide customers an experience they actually enjoy.
Authentication methods once considered sufficient—traditionally, passwords and knowledge-based authentication methods like challenge questions—are simply not good enough today, especially in a mobile-driven world. As new authentication methods have emerged, banks have sought to balance applying these new, stronger measures without sacrificing the customer experience. To date, the practice of layering authentication strategies has been complex, disjointed and resource-intensive.
First and foremost, we must simplify authentication. For the enterprise, this means including multiple forms of authentication within a single architecture—whether developed internally or provided by a vendor. For the customer, simplification is achieved by engaging them with authentication mechanisms appropriate to the individual transaction’s level of risk. Next, authentication must be unified across channels. Customers will appreciate authentication schemes that are consistent and rational.
Growing concern among consumers
“Moneyhawks” are the tech-savvy, mobile-minded consumers who are increasingly attractive to banks. Not surprisingly, headline-dominating data breaches have raised their awareness of fraud and its effects. According to Javelin Strategy and Research, the 31 million moneyhawks in the U.S. represent 13 percent of the U.S. adult population—but they control 41 percent of the deposits and 33 percent of investable assets. Javelin says 20 percent of moneyhawks are at high risk of leaving their primary bank or credit union, putting an estimated 103 million financial accounts and $1.1 trillion in deposits into play, plus another $5.8 trillion in investable assets. Why would these valuable consumers leave their bank? Security concerns were cited as a primary consideration, with moneyhawks also showing a significant preference for interacting via their mobile devices.
If a bank’s moneyhawks are victimized by fraud—regardless of the source of the breach—the impact could be much more severe than just the funds needed to refill the account. Many traditional authentication techniques impose a “clunky” mobile experience, further challenging banks’ efforts to protect and retain these valuable and tech-savvy customers. To better address authentication, for mobile or other transactions, banks now realize the need for an entirely new set of strategies.
Fortunately, mobile devices offer a rich set of capabilities, which can enable “always on” authentication. As voice, fingerprint and facial biometrics become more acceptable to consumers, many banks are wisely taking advantage of these authenticators as part of a layered strategy. Institutions that begin to apply modern biometrics and other measures designed to validate mobile users are not introducing friction; rather, they are better engaging customers and creating much-needed trust, using a form factor that others have helpfully made mainstream.
As exploits evolve, so must authentication
An expanded authentication strategy is not new to most banks; many are very familiar by now with layered authentication. Yet, this approach has resulted in the internal challenge of choosing, acquiring, deploying and managing a growing number of security measures. Bank leaders do not want to forgo the latest innovation; however, every added solution represents a significant investment of both time and money. Every new project brings its own implementation and integration effort, and the ongoing expense and work of installing and managing these systems often prove too complex to justify the change.
Fixing authentication will involve holistically managing various strategies for all customers across all channels. Continually adding hurdles for the customer is not the road to a better experience. Banks should identify a centralized, seamless integration point to accommodate multiple authenticators, and then weave authentication into the fabric of the user experience.
For any given transaction, banks need access to multiple authentication methods and the flexibility to select the most appropriate technique based on the level of risk presented. For example, if a user approaches the bank using a web browser on a machine the bank has seen before and asks to pay money to a payee whom she has already set up and sent money to in the past, not much additional authentication is required beyond, perhaps, a simple out-of-band authentication exchange of a transaction code. But if, as a counterpoint, she approaches the bank from a machine the bank has never seen before and tries to set up a new payee, and—let’s say—that the new payee has an offshore account, significantly more authentication would be required. There is not a “one size fits all” solution to manage risk for every scenario—authentication must be tailored to fit the risk in question.
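The two scenarios above (a known device paying a known payee versus a never-seen device setting up an offshore payee) are the classic inputs to a risk-tiered step-up policy. The following Python is an added illustration of that policy, not Authentify or Early Warning code; the weights, score bands, authenticator names and sample transactions are all constructed assumptions that an institution would replace with values tuned from its own fraud data.

```python
"""Risk-tiered authentication selection, modelled on the article's two cases.
Constructed example: weights, thresholds, authenticator names and sample
transactions are assumptions, not any vendor's or bank's real policy."""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    SESSION_ONLY = 0      # the existing authenticated session is enough
    OOB_CODE = 1          # out-of-band transaction code (SMS, voice or push)
    STRONG_STEP_UP = 2    # OOB code plus a strong authenticator (e.g. biometric)
    HOLD_FOR_REVIEW = 3   # too risky to clear automatically


@dataclass(frozen=True)
class TransactionContext:
    action: str            # "view_balance" or "pay_payee"
    device_known: bool     # device previously seen/bound for this customer
    payee_known: bool      # payee already set up and paid before
    payee_offshore: bool   # payee account is outside the home jurisdiction
    amount: float
    channel: str           # "web" or "mobile"


# Constructed weights; tune from the institution's own loss data.
WEIGHTS = {
    "funds_movement": 20,
    "unknown_device": 40,
    "new_payee": 25,
    "offshore_payee": 30,
    "large_amount": 20,
}
LARGE_AMOUNT = 2_000.00
# Score bands, highest first -> required authentication level (constructed).
BANDS = [(120, AuthLevel.HOLD_FOR_REVIEW),
         (60, AuthLevel.STRONG_STEP_UP),
         (20, AuthLevel.OOB_CODE)]


def risk_score(ctx):
    """Additive risk score plus the contributing factors, for audit logging."""
    score, reasons = 0, []

    def add(key):
        nonlocal score
        score += WEIGHTS[key]
        reasons.append(key)

    if ctx.action == "pay_payee":
        add("funds_movement")
        if not ctx.payee_known:
            add("new_payee")
        if ctx.payee_offshore:
            add("offshore_payee")
        if ctx.amount >= LARGE_AMOUNT:
            add("large_amount")
    if not ctx.device_known:
        add("unknown_device")
    return score, reasons


def required_level(score):
    for threshold, level in BANDS:
        if score >= threshold:
            return level
    return AuthLevel.SESSION_ONLY


def select_authenticators(level, ctx):
    """Map the required level to concrete authenticators the channel supports."""
    if level == AuthLevel.SESSION_ONLY:
        return []
    if level == AuthLevel.OOB_CODE:
        return ["oob_transaction_code"]
    if level == AuthLevel.STRONG_STEP_UP:
        # A bound mobile device can offer a biometric; a browser cannot, so
        # fall back to a second out-of-band factor over a different channel.
        strong = "device_biometric" if ctx.channel == "mobile" else "oob_voice_callback"
        return ["oob_transaction_code", strong]
    return ["manual_review"]


def decide(ctx):
    score, reasons = risk_score(ctx)
    level = required_level(score)
    return {"score": score, "reasons": reasons, "level": level,
            "authenticators": select_authenticators(level, ctx)}


# Constructed sample transactions mirroring the article's two cases, plus two more.
KNOWN_DEVICE_KNOWN_PAYEE = TransactionContext("pay_payee", True, True, False, 150.0, "web")
NEW_DEVICE_OFFSHORE_PAYEE = TransactionContext("pay_payee", False, False, True, 150.0, "web")
BALANCE_CHECK = TransactionContext("view_balance", True, True, False, 0.0, "mobile")
NEW_DEVICE_OFFSHORE_LARGE = TransactionContext("pay_payee", False, False, True, 5_000.0, "mobile")

if __name__ == "__main__":
    for name, ctx in [("known device, known payee", KNOWN_DEVICE_KNOWN_PAYEE),
                      ("new device, offshore payee", NEW_DEVICE_OFFSHORE_PAYEE),
                      ("balance check", BALANCE_CHECK),
                      ("new device, offshore, large", NEW_DEVICE_OFFSHORE_LARGE)]:
        print(f"{name}: {decide(ctx)}")
```

The design point is that the score is additive and explainable: every factor that raised the requirement is returned alongside the decision, so the step-up can be logged and reviewed, and the authenticator chosen depends on what the channel can actually present rather than on a single institution-wide setting.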
The evolution of authentication
There was a day when the only authentication required was a username and password. As this and other approaches became less and less effective, techniques such as out-of-band authentication via SMS and voice have been employed with great success. Banks should consider additional authentication methods spanning the full spectrum of how overtly they engage the end user. Solutions to consider include:
- Direct connections to mobile network operators. With a growing number of financial transactions taking place on mobile devices, it has become critical for banks to gain real-time access to data from mobile network operators such as Verizon and AT&T. Through this connection, banks can gain insight into the current, accurate status of a mobile device to authenticate the user.
- Incorporation of biometrics. Biometrics can be a game changer for authentication. Biometric techniques and user acceptance of biometrics have evolved dramatically in recent years. These practices are proving very effective for banks to determine first, whether they are interacting with a human, and second, if it is the correct human. While iPhone users are already familiar with fingerprint biometrics, this will continue to expand to facial, iris and even vein recognition. Biometrics are very effective when employed in a layered strategy; behavioral biometric technologies are now capable of evaluating how a user interacts within an online portal or a mobile device. These techniques can provide risk information of a biometric nature without requiring the customer to do anything beyond normal interaction with the banking system.
- Device binding. Binding the use of any authenticators to known devices significantly reduces the entry points for hackers. Even for something as simple as a password, accepting a password via an open website or app is much riskier than accepting a password from only a known device.
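The device-binding item above describes a server that will only evaluate a password when the request carries proof from a device enrolled for that customer. The following Python is an added illustration of that check, not Authentify or Early Warning code. It assumes a per-device secret provisioned at enrollment and an HMAC over a server nonce as the device proof; a production design would keep an asymmetric private key in the device's secure hardware instead, but the ordering of the checks is the point being demonstrated.

```python
"""Device-bound password acceptance. Constructed example: the shared device
secret and HMAC proof stand in for a device-held private key in secure hardware.
Not any vendor's or bank's real implementation."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60   # constructed freshness window for a nonce


class DeviceBoundAuthServer:
    def __init__(self):
        self._passwords = {}    # user -> (salt, pbkdf2 hash)
        self._devices = {}      # user -> {device_id: device_secret}
        self._challenges = {}   # nonce -> (user, device_id, issued_at)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash(password, salt))

    def enroll_device(self, user, device_id):
        """Run once after a strong enrollment step; returns the secret the
        device stores in its keystore (constructed model of device binding)."""
        secret = secrets.token_bytes(32)
        self._devices.setdefault(user, {})[device_id] = secret
        return secret

    def issue_challenge(self, user, device_id):
        nonce = secrets.token_hex(16)
        self._challenges[nonce] = (user, device_id, time.time())
        return nonce

    def login(self, user, device_id, nonce, proof, password):
        """Returns (accepted, reason). The device proof is verified before the
        password, so a request from an unbound device never reaches the
        password check and cannot be used to guess at it."""
        challenge = self._challenges.pop(nonce, None)   # single use: replay fails
        if challenge is None:
            return False, "unknown_or_replayed_challenge"
        c_user, c_device, issued_at = challenge
        if (c_user, c_device) != (user, device_id):
            return False, "challenge_mismatch"
        if time.time() - issued_at > CHALLENGE_TTL_SECONDS:
            return False, "challenge_expired"
        secret = self._devices.get(user, {}).get(device_id)
        if secret is None:
            return False, "unbound_device"
        if not hmac.compare_digest(device_proof(secret, nonce), proof):
            return False, "bad_device_proof"
        if user not in self._passwords:
            return False, "bad_password"
        salt, stored = self._passwords[user]
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return False, "bad_password"
        return True, "ok"


def device_proof(device_secret, nonce):
    """Client side: the enrolled device proves possession of its secret by
    keying an HMAC over the server's nonce."""
    return hmac.new(device_secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    """Walk through the four outcomes with constructed users and devices."""
    server = DeviceBoundAuthServer()
    pw = "correct horse battery staple"          # constructed sample password
    server.register_user("alice", pw)
    phone_secret = server.enroll_device("alice", "phone-1")
    results = {}
    nonce = server.issue_challenge("alice", "phone-1")
    results["enrolled_device"] = server.login("alice", "phone-1", nonce, device_proof(phone_secret, nonce), pw)
    # Same nonce presented again: rejected before anything else is checked.
    results["replayed_nonce"] = server.login("alice", "phone-1", nonce, device_proof(phone_secret, nonce), pw)
    # A device that was never enrolled, even with the right password.
    nonce = server.issue_challenge("alice", "laptop-9")
    results["unbound_device"] = server.login("alice", "laptop-9", nonce, device_proof(b"not-enrolled", nonce), pw)
    # Known device, wrong password: this is the only path that reaches the password check.
    nonce = server.issue_challenge("alice", "phone-1")
    results["wrong_password"] = server.login("alice", "phone-1", nonce, device_proof(phone_secret, nonce), "wrong")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note that the reason strings are for the server's own logs, not for the client; returning a generic failure to the caller keeps an unbound device from learning which check it failed.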
Applying authentication in a holistic way
Banks need the flexibility to easily deploy the most appropriate authentication strategy for a given transaction based on the risk associated with that transaction at that point in time. They must ensure they are able to rapidly take advantage of new authentication capabilities as they become available. For the moneyhawks, this is in the timeframe of an app update, not over the course of two or three years. By doing this, banks can optimize their customer experience and manage identity risk effectively.
Sharing insights across the industry will also optimize authentication and reduce the threats posed by even the most sophisticated cybercriminals. The more risk-related insights that financial organizations share with one another, and the more institutions that take advantage of such sharing, the more effectively we can all protect the global financial system.
The dark forces exploiting the Internet are persistent, determined and collaborative. It will take authentication approaches that are risk-managed, layered and consumer-friendly to defeat them. Banks must simplify and unify authentication to better protect customers’ digital lives.
Peter Tapling is president and CEO of Authentify, an authentication platform offered by bank-owned risk management firm Early Warning.