Treasury’s Raskin Calls for ‘Dynamic’ Authentication

Noting that cybersecurity challenges continue to grow, Deputy Treasury Secretary Sarah Bloom Raskin today called for “better solutions” to customer bank account access that “tak[e] into account user behavior,” such as a combination of biometrics, user behavior profiles and multi-factor authentication. In a speech at a cybersecurity event in Cambridge, Mass., she noted that the “human role” in cybersecurity warranted higher levels of customer account security.

Raskin panned the use of simple passwords to access accounts, noting that passwords are often stolen and security questions are easily guessed. Instead, she highlighted “the next generation of online identity verification,” which combines “what customers know and have, with what they do.” Hundreds of subtle data points, from left-handedness to typing speed, can be combined into a user profile to verify identity, forcing additional security steps if a user’s pattern abruptly changes.

“When combined with multifactor authentication, this dynamic approach to authentication addresses the later stages of a cyber incident, after the attacker has entered and is attempting to move laterally around a network,” she said. “It can also streamline architecture by allowing for the removal of less effective methods.”

Raskin noted that in the past few years, cyber threats have evolved from blunt distributed denial-of-service attacks aimed at bringing down a bank’s website to more complex and insidious attempts to access customer accounts and bank systems, whether through spear phishing, ransomware or stolen credentials. “The stakes for individuals, institutions, and governments — certainly high in 2014 when only DDOS attacks were the norm and I began this work — today are even higher,” she said.