3 Key Requirements for the Best Passwordless Authentication Solutions

David Vergara, May 18, 2022

Financial institutions are increasingly evaluating and deploying passwordless authentication solutions to address sophisticated fraud, poor user experience, and the high operating costs of passwords.

Fraud exposure for banks is astounding. Lost and stolen passwords are the raw fuel for account takeover (ATO), data breaches, and other fraud. Today the Dark Web has exposed over 15 billion stolen passwords, many of which banking customers reuse across multiple sites and digital ecosystems. This enables explosive increases in fraud, costing banks and businesses about $6.9 billion, according to FBI estimates. Passwordless solutions are inherently better at preventing fraud as there is simply nothing for hackers to crack or steal via mobile malware, trojans, or social engineering.

Although managing fraud is important, revenue growth is even more so. According to a recent Forrester survey, 39% of banks said growth tops their priorities. The keystone to digital channel growth is providing user-friendly experiences. The easier it is for a bank customer to securely access their banking application, the more services they utilize — boosting revenue. Passwordless solutions deliver precisely this low-friction user experience.

And lastly, password-based platforms are much more costly to support than passwordless ones. According to a Ponemon Institute Survey last year , passwordless authentication saves an average business about $1.9 million in costs with an significant amount representing saved helpdesk costs tied largely to password resets.

Clearly passwordless authentication can address each of the three challenges above, but what solution capabilities are key to a successful passwordless authentication service or deployment for a bank? Following are the top three with the greatest impact:

  • Broad range of passwordless authentication methods
  • Ability to address sophisticated fraud at login and post-login
  • Speed and flexibility deploying new passwordless authentication technologies

Next, we’ll dig into each of these three requirements in more detail.

Broad Authentication Methods

An effective passwordless authentication strategy and deployment absolutely requires a wide range of supporting multi-factor authentication (MFA) technologies. This can include a mix of both hardware (i.e., a smart card) and software (i.e., security key) in hybrid deployments. This is so important, because the move to passwordless is a journey that must take into account the expectations of each of your bank customer segments as well as the appropriate level of security to mitigate fraud.

For example, one bank customer group may be completely OK logging in to their bank application via a biometric face scan or fingerprint scan on their mobile devices, while other customer groups prefer a push notification to gain access. The expectations across these various end-user groups will also change by use case. So, conducting a simple balance check could be carried out with a biometric method. But a high-value funds transfer may require a more secure, encrypted color QR-like code to authenticate the user and their transaction. Such a code can simply be scanned via mobile or hardware token to provide the highest levels of protection from social engineering and person-in-the-middle (also referred to as man-in-the-middle or MitM) attacks.

Without the ability to easily combine and deploy a variety of passwordless software and hardware authentication methods, banks run the risk of disenfranchising key user segments.
In short, any approach to the passwordless journey must keep customer expectations of the login experience front-and-center and allow for mixing and matching authentication options, including both hardware and software, to best suit each group’s expectations across banking channels.

Sophisticated Fraud Mitigation

Using passwordless authentication to deliver a great user experience is fantastic, but not truly helpful unless it prevents the wide array of fraud schemes that currently exist in the wild. The most successful fraud attacks are not brute force attacks or malicious code to infiltrate the on-premise identity and access management or active directory system. The most successful attacks today are directed at the bank customer (i.e., social engineering) and the mobile banking application (i.e., malware and trojans).

According to a Statista Report, banks are the top three most targeted organizations for phishing attacks and another report showed a 300% increase in phishing targeting bank customers. Additionally, widely available phishing kits for sale on the Dark Web make it quick, easy, and cheap to host phishing sites that enable attacks on bank customers.

Fraud in the mobile banking channel is also important to consider. According to an Aite-Novarica survey, 65% of consumers across US, UK, and Germany access their account via mobile at least once a week. When you consider this growing mobile reliance with a recent DevSecOps survey that showed that 47% of developers see security as important, but don’t have time to spend on it, an alarming theme emerges — increasing mobile usage with less security going into mobile apps for banking. So, protecting the passwordless authentication workflow and ensuring strong authentication within the banking application is critical.

A comprehensive passwordless authentication solution that addresses these fraud risks blends passwordless authentication factors with complimentary security technology. The optimal solution includes a phishing-proof passwordless method like OneSpan’s Cronto technology, along with application shielding, secure channel, and continuous session monitoring.

  • Cronto is a strong passwordless technology and, being initiated by the bank, effectively mitigates phishing attacks.
  • Application shielding protects the mobile banking app from tampering, reverse engineering, and malware that can expose credentials and fuel account takeover fraud.
  • Secure channel provides an encrypted client-server communication that thwarts person-in-the-middle attacks.
  • Continuous session monitoring looks beyond initial login to ratchet up security for other “same session” activities like a beneficiary change.

Although it’s clear that hackers have extensive tools at their disposal to drive ATO and related fraud, passwordless authentication paired with these complimentary security technologies is well suited to prevent even the most sophisticated attacks while also delivering the best, frictionless user experience.

Extensible Authentication Platform

Building on the varied types of passwordless authentication technologies and the ability to detect and prevent fraud, is the need for a flexible underlying platform that allows for simple, ad hoc changes when required.

This may not be the best example, but stick with me here. It’s 2017 and NIST officially states that SMS for 2FA is a deprecated solution. Why? The vulnerabilities have been well documented. For example, SS7 Network security flaws that can be used to intercept or reroute an SMS message containing a one-time password (OTP). Or SIM swapping, which entails tricking a mobile provider into issuing them a new SIM card with your bank customer’s number allowing the fraudster to receive all OTPs and access accounts.

If you are the bank’s IT/Security Manager and you’re utilizing SMS OTP, what do you do? How easy is it to deploy a new authentication method? What is the customer impact?

For many banks, the user authentication method and workflow are hard-coded. This effectively means that any change of the authentication method would require a complete rewrite of the banking application code and related authentication workflows. Obviously, this is at significant expense to the bank and increases the risk of disruption to bank customers.

A truly flexible, cloud-based passwordless authentication platform allows for dynamic, on-the-fly changes to authentication methods that can be pushed out to production in minutes. And there are many more secure options than SMS OTP that can be utilized in your passwordless MFA, including push notification, Cronto, and biometric authentication (i.e., native device biometrics, 3rd party biometrics, behavioral biometrics, open standard-FIDO and next-gen versions of all).

In the end, if any authentication method becomes vulnerable, banks absolutely need a platform that can deliver quick and easy changes without impacting customers. Without this capability, exposure to fraud goes up exponentially.

Passwordless Headwinds

Security projects, like passwordless authentication, are always subject to scrutiny in terms of bank business priorities. Often the following questions come up: “How does this project align with our growth goals?” or “How does this project impact operating costs?”

The case for passwordless authentication has gained considerable momentum over the last few years. In large part this is due to digital transformation initiatives that prioritize customer experience, which drives growth. In fact, a recent Forrester survey shows 66% of bank decision-makers are planning to implement, currently implementing or expanding digital transformation projects. The focus of these projects is expanding capabilities and digital experiences in growing channels like mobile, which passwordless authentication enables. In this same UX vein, 97% of consumers say a smooth, easy experience is important criteria when selecting a service provider, according to Aite-Novarica research.

OneSpan’s Approach to Passwordless

OneSpan’s approach to passwordless authentication has been built on over 30 years of experience serving as a strategic partner to the largest global banks.

Banks rely on OneSpan for passwordless solutions as we understand that passwordless authentication is a journey and the key is our ability to focus on the ideal starting point that addresses each bank’s near-term goals.

For precisely this reason, our solutions are modularized to address specific requirements when needed. This may be a migration from hardware to software with a hybrid deployment in the mid-term. It may be taking the next evolutionary step in security from SMS OTP to biometric, push notification, authenticator apps, or encrypted Cronto codes. Or an even more comprehensive approach to passwordless authentication, leveraging complementary security technologies that can secure the mobile banking application (and bank customer data) via application shielding and continuous session monitoring that can detect anomalous activity post-login to prevent more fraud.

In short, OneSpan embraces a holistic approach to passwordless authentication that considers the user experience, fraud management, and operating costs when facilitating secure access – ultimately enabling banks to reach their goals on time and budget.

Highlights Reel

In closing, a comprehensive passwordless solution is well suited to address the three primary challenges faced by financial institutions: sophisticated fraud, poor user experience, and high operating costs.

Keep in mind, however, that not all passwordless solutions are alike, just like not all security solutions are alike. Those that offer the widest variety of authentication methods (hardware and software), prevent modern phishing and malware attacks, and are built on a flexible, quick-to-deploy platform provide the greatest path to success in achieving banks’ business goals.

Why Forgetting Your Password Is Safer than Having One: Tips for Effective Passwordless Authentication

Why Forgetting Your Password Is Safer than Having One: Tips for Effective Passwordless Authentication

Watch this webinar to learn how a passwordless approach to authentication can fully address all the limitations of passwords for bank customers.

Watch Now

David Vergara is Senior Director of Security Product Marketing at OneSpan and has over 15 years of experience in cloud platforms/SaaS, predictive analytics, and advanced MFA technologies. His current role is focused on GTM strategy and execution across all authentication and risk analytics product lines. Prior to OneSpan, he led product and GTM strategy for tech companies, including roles as VP Marketing for Accertify (An American Express Company) and Sr. Director Product Marketing at IBM.