Advanced Authentication Needs: Why FIs Should Upgrade their Authentication Methods
In the last two years, we have seen a huge expansion in the use of digital banking. While this trend had already started before the pandemic, it was greatly accelerated when bank branches closed and the digital channel became the only option for consumers to perform banking tasks or connect with their banks.
However, the growing use of digital banking channels has gone hand in hand with a dramatic rise in fraud. During the pandemic, the number of data breaches targeting banks has continued to grow. With fraudsters aggressively targeting digital banking users, it has become more urgent for banks and financial institutions to tighten their access management and upgrade to modern, advanced authentication methods to protect their customers’ transactions and sensitive information.
Basic authentication methods and weak links in fraud defence
The use of passwords is still a persistent problem today. Password theft, along with dark-web distribution of stolen passwords (password dumping), is still the most common method fraudsters use to gain access to a user account. Consumers put themselves at risk when they use weak or recycled passwords, or compromise their own data security with unsafe behaviour, such as sharing passwords.
Furthermore, some financial services providers rely on reactive protocols, such as taking action only after fraud has been committed instead of preventing it from happening in the first place.
One underlying issue is that the security systems and legacy authentication that banks have put in place tend to exist at the front-end and back-end of digital transactions. At the front-end, banks have deployed usernames, passwords, and sometimes one-time passcodes. On the back-end, they've deployed fraud detection systems that analyse the transaction to determine whether to approve or decline it. Unfortunately, there really isn't much going on in the middle.
The missing middle piece is continuous risk monitoring throughout the banking session, from login to logout. Just because a user has a successful login doesn’t necessarily mean it’s the legitimate user interacting with the account. Relying on that point-in-time event is not enough these days. Banks and other financial institutions need to be monitoring continuously.
Banks should think about what they can do now to ensure their fraud prevention systems can deal with future threats. This includes looking beyond the banking sector to see what other online businesses are doing. Fintechs, crypto platforms, ecommerce and other digital merchants are innovating in this area. Many are turning to modern authentication protocols, such as multi-factor authentication, and orchestration hubs in light of the onslaught of data breaches, identity theft, phishing scams, malware, and account takeover incidents.
Overcoming reluctance to invest in advanced authentication methods
Financial institutions tend to be risk-averse and assume their customers are as well. However, history shows that customers are not as resistant to change as banks believe. For instance, when the pandemic forced people to use digital banking, the uptake was rapid and widespread. Now that they’re used to digital banking, many consumers will continue with it.
The key is to make it easy and safe for users to do their digital banking in ways that they’re comfortable with. Biometric authentication offers a best-of-both-worlds opportunity to improve security and enhance the customer experience. In particular, fingerprint scan and facial recognition on many smartphones enable people to access mobile banking apps without the need for passwords. In addition, consumers who use biometrics to access their banking apps tend to perceive those banking apps as more secure because they leverage biometrics.
Yet, despite the urgent need for heightened cybersecurity measures as online fraud grows alongside online banking, it’s not always a priority at the enterprise level. This is due to a variety of reasons, including budget and lack of resources. The good news is, research has shown that when authentication modernisation is tied to customer experience, these projects have a much higher chance of getting funded. If banks bring new tools that improve the experience on behalf of their customers, then the line of business is likely to move these initiatives forward.
The advanced authentication use case: the bottom line
The threat of fraudsters gaining access to people's bank accounts is a reality. Banks and other financial institutions need to begin thinking about modernising their authentication practices with an eye toward passwordless authentication. This will enable them to authenticate without causing unnecessary friction and, in high-risk situations, apply friction-appropriate authentication.
Some security tools are better able to fight fraud than others. Companies that experience the most success over time are the ones that make the long-term investment to not only implement security tools, but to continue to improve their functionality as fraudsters continue to adapt.
The tools should evolve with the changing security environment, as should the vendors that provide security tools and services. There’s no single tool that will solve all of a bank’s digital security needs, so instead of a micro-focus on prevention, it comes down to understanding customer needs and the user experience they want.
This article, written by Michal Wawrzynski, Sales Manager at OneSpan, was first published on thepapers.com on January 14, 2022.