Advanced Authentication: A Plan of Attack for Your Authentication Stack
The last year has seen a dramatic expansion in digital banking, and this is driving the need for modern, advanced authentication methods. In fact, during March and April 2020, some banks reported up to 200% increases in the number of customers accessing digital banking self-service channels for the first time, through a mobile device or web browser. At least four out of five of these new end-users will continue to do some of their banking online. With fraudsters aggressively targeting digital banking users, this adds more urgency for banks to tighten their access management and upgrade to a modern authentication stack to protect customers’ transactions and sensitive information.
Recently, OneSpan hosted a webinar on how financial institutions can create a plan to modernize their authentication, overcome reluctance to invest in authentication, and gain executive buy-in. The webinar was presented by David Mattei, Senior Analyst from Aite-Novarica Group's Fraud & AML practice, and OneSpan.
If you missed it, here are the top takeaways. You can also view the full webinar on-demand.
Weak Links in Fraud Defenses and Basic Authentication
Aite-Novarica Group's research shows that between approximately 2005 and 2012, banks stood out as leaders in protecting online accounts.
Yet today, passwords have become a persistent problem. Password theft, along with dark-web distribution of stolen passwords (password dumping), is still the most common method fraudsters use to gain access to a user account. Consumers put themselves at risk when they use weak or recycled passwords, or compromise their own data security with unsafe behavior, such as sharing passwords. Furthermore, some financial services providers rely on reactive protocols, such as taking action only after fraud has been committed instead of preventing it from happening in the first place.
One underlying issue is that the security systems and legacy authentication that banks have put in place tend to exist at the front-end and back-end of digital transactions. Unfortunately, there really isn't much going on in the middle.
"At the front-end, banks have deployed usernames and passwords, and one-time passcodes (OTP). On the back-end, they've deployed fraud detection systems that analyze the transaction to determine whether to approve or decline it," Mattei says.
The missing middle piece is continuous risk monitoring throughout the banking session, from login to logout. Just because a user has a successful login doesn’t necessarily mean it’s the legitimate user interacting with the account. Relying on that point-in-time event is not enough these days. Banks and other financial institutions need to be monitoring continuously.
Another vulnerability that banks need to address is knowledge-based authentication (KBA). This basic auth strategy refers to security questions such as: "Who was your first-grade teacher? Who is your favorite movie star? What was your previous phone number?" Social media posts often ask people to volunteer this kind of information, which they freely do, without realizing that fraudsters are behind the posts and they’re taking note of the answers for the purpose of account takeover.
Mattei urges banks to think about what they can do now to ensure their fraud prevention systems can deal with future threats. This includes looking beyond the banking sector to see what other online businesses are doing. Fintechs, crypto platforms, e-commerce and other digital merchants are innovating in this area. Many are turning to modern authentication protocols, such as multi-factor authentication, and orchestration hubs in light of the onslaught of data breaches, identity theft, phishing scams, malware, and account takeover incidents.
Orchestration Hubs are the Way of the Future
Recently, security experts have been seeing great promise in authentication and fraud prevention orchestration hubs. Orchestration hubs monitor the entire transaction’s risk profile from the start of the banking session all the way through to the end. This continuous monitoring usually takes place behind the scenes, so the customer is not inconvenienced. For instance, an orchestration hub that has an advanced fraud prevention system at its core can use artificial intelligence and machine learning to evaluate whether a user’s behavior aligns with what’s expected of a real person making a legitimate transaction. If a transaction’s risk signals set off alarm bells, the customer's digital identity can be confirmed with a new authentication challenge and second factor, thereby ensuring secure access to the application.
Orchestration, strong authentication, and real-time fraud monitoring are ideal for improving digital banking security without impeding the customer experience. Hubs that bring these capabilities together enable banks to share information internally across teams, with less manual tracking and intervention. Picture automated tools used across different departments, communicating with each other to identify fraud – no matter where in the organization it was first detected.
The various tools used in this area include passive and active technologies. Examples of passive tools, which Mattei refers to as "friction free", are device fingerprinting, behavioral biometrics, IP/geolocation tracking, bot detection, and credential stuffing detection.
In the category of active tools, which Mattei calls "friction appropriate", are:
- Biometric authentication
- Document-based identity verification
- One-time password (OTP) delivered via push notifications, authenticator apps, hardware authenticators, or SMS
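The following is an added illustration of the orchestration pattern described above (continuous session risk monitoring from login to logout, passive "friction free" signals feeding a score, and a "friction appropriate" step-up only when risk and action sensitivity warrant it). It is example code written for this article, not OneSpan's or Aite-Novarica Group's software, and the signal names, weights, thresholds and the sample session are all constructed assumptions; a real hub would tune them from its own fraud data.

```python
from dataclasses import dataclass, field
from enum import Enum


class Challenge(Enum):
    """Outcome of the orchestration decision for one session event."""
    NONE = "none"              # friction free: passive signals look normal, let it through
    PUSH_OTP = "push_otp"      # friction appropriate: OTP via push / authenticator app
    BIOMETRIC = "biometric"    # friction appropriate: stronger step-up for a risky session
    BLOCK = "block"            # too risky to resolve with a challenge; hand to fraud ops


@dataclass
class SessionEvent:
    """One action in a banking session plus the passive signals observed with it.
    Field names and the 0..1 signal scales are assumptions made for this example."""
    action: str                        # "login", "view_balance", "add_payee", "transfer", ...
    amount: float = 0.0                # only meaningful for "transfer"
    device_known: bool = True          # device fingerprint previously seen for this customer
    geo_matches_history: bool = True   # IP/geolocation consistent with the customer's history
    behavior_score: float = 0.0        # behavioral biometrics: 0 = matches profile, 1 = anomalous
    bot_score: float = 0.0             # bot detection: 0 = human-like, 1 = automation-like


@dataclass
class SessionState:
    """Risk carried across the whole session, from login to logout."""
    risk_score: float = 0.0
    challenges: list = field(default_factory=list)   # audit trail: (action, challenge, passed)


# Illustrative weights and thresholds (assumptions), not a vendor's policy.
ACTION_SENSITIVITY = {"login": 0.2, "view_balance": 0.1, "add_payee": 0.6, "transfer": 0.7}
HIGH_VALUE_TRANSFER = 10_000.0


def score_event(ev: SessionEvent) -> float:
    """Fold the passive, friction-free signals of one event into a risk score in [0, 1]."""
    score = 0.0
    if not ev.device_known:
        score += 0.3
    if not ev.geo_matches_history:
        score += 0.2
    score += 0.3 * ev.behavior_score
    score += 0.4 * ev.bot_score
    return min(score, 1.0)


def action_sensitivity(ev: SessionEvent) -> float:
    """How much damage the action can do; high-value transfers are always maximally sensitive."""
    if ev.action == "transfer" and ev.amount >= HIGH_VALUE_TRANSFER:
        return 1.0
    return ACTION_SENSITIVITY.get(ev.action, 0.5)


def decide(state: SessionState, ev: SessionEvent) -> Challenge:
    """Update session risk with this event, then pick the least friction that is
    appropriate for the combination of session risk and action sensitivity."""
    event_risk = score_event(ev)
    # Earlier risk decays slowly but never drops below the current event's own risk,
    # so a clean login does not vouch for a session that later starts to look anomalous.
    state.risk_score = max(event_risk, 0.7 * state.risk_score + 0.3 * event_risk)
    risk, sensitivity = state.risk_score, action_sensitivity(ev)

    if risk >= 0.8:
        return Challenge.BLOCK
    if risk >= 0.5:
        return Challenge.BIOMETRIC
    if risk >= 0.25 and sensitivity >= 0.5:
        return Challenge.PUSH_OTP
    if sensitivity >= 1.0:
        return Challenge.PUSH_OTP   # high-value transfer gets a second factor even on a clean session
    return Challenge.NONE


def record_challenge(state: SessionState, ev: SessionEvent, challenge: Challenge, passed: bool) -> None:
    """A passed challenge lowers session risk but does not exempt later events from monitoring."""
    state.challenges.append((ev.action, challenge.value, passed))
    if passed:
        state.risk_score *= 0.5


def run_session(events, challenge_results=None):
    """Drive a whole session through the decision loop; returns [(action, challenge)].
    challenge_results maps an event index to whether the customer passed its challenge."""
    challenge_results = challenge_results or {}
    state = SessionState()
    outcomes = []
    for i, ev in enumerate(events):
        challenge = decide(state, ev)
        outcomes.append((ev.action, challenge.value))
        if challenge is Challenge.BLOCK:
            break                      # session handed to fraud operations; stop processing
        if challenge is not Challenge.NONE:
            record_challenge(state, ev, challenge, challenge_results.get(i, False))
    return outcomes


# Constructed sample session: a clean login that later drifts into an apparent account takeover.
SAMPLE_SESSION = [
    SessionEvent("login", behavior_score=0.1),
    SessionEvent("view_balance", behavior_score=0.1),
    SessionEvent("add_payee", geo_matches_history=False, behavior_score=0.6, bot_score=0.1),
    SessionEvent("transfer", amount=15_000, geo_matches_history=False, behavior_score=0.9, bot_score=0.5),
    SessionEvent("transfer", amount=2_000, device_known=False, geo_matches_history=False,
                 behavior_score=1.0, bot_score=1.0),
]

if __name__ == "__main__":
    for action, challenge in run_session(SAMPLE_SESSION, challenge_results={2: True, 3: True}):
        print(f"{action:12s} -> {challenge}")
```

Running the sample session shows the point of the "missing middle": the login and balance check pass with no friction, the payee change from an unusual location triggers a push OTP, and even though that OTP is passed, the later transfer is escalated to a biometric step-up and the final fully automated-looking transfer is blocked, because the session keeps being scored after the point-in-time login succeeded.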
Overcoming Reluctance to Invest in Advanced Authentication Methods
Financial institutions tend to be risk-averse and assume their customers are as well. So, the worry is that if they switch from legacy authentication methods like passwords to modern authentication solutions, such as multi-factor authentication (MFA) or even two-factor authentication, customers will take their accounts elsewhere. But history shows that customers are not as resistant to change as banks believe. For instance, when COVID restrictions forced people to use digital banking, the uptake was rapid and widespread. Now that they’re used to digital banking, many consumers will continue with it.
The key is to make it easy and safe for users to do their digital banking in ways that they’re comfortable with. Biometric authentication offers a best-of-both-worlds opportunity to improve security and enhance the customer experience. In particular, fingerprint scan and facial recognition on many smartphones (including Touch ID and Face ID on Apple iOS) enable people to access mobile banking apps without the need for passwords. In addition, consumers who use biometrics to access their banking apps tend to perceive those banking apps as more secure because they leverage biometrics.
Yet despite the urgent need for heightened cybersecurity measures as online fraud grows alongside online banking, it’s not always a priority at the enterprise level. This is due to a variety of reasons, including budget and lack of resources. It comes down to what the bank considers an acceptable level of fraud risk or fraud losses. As long as the losses don’t outweigh the cost of implementing more robust authentication methods, there’s no perceived benefit to change.
The good news is, research shows that when authentication modernization is tied to customer experience, these projects have a much higher chance of getting funded.
"If you bring new tools that improve the experience on behalf of your customers, then the line of business is likely to partner with you to move these initiatives forward," Mattei explains.
The Advanced Authentication Use Case: The Bottom Line
The threat of fraudsters gaining access to people's bank accounts is a reality. Banks and other financial institutions need to begin thinking about modernizing their authentication practices with an eye toward passwordless authentication empowered by orchestration hubs. This will enable them to authenticate without causing unnecessary friction and, in high-risk situations, apply friction-appropriate authentication.
Some security tools are better able to fight fraud than others. Companies that experience the most success over time are the ones that make the long-term investment to not only implement security tools, but to continue to improve their functionality as fraudsters continue to adapt. The tools should evolve with the changing security environment, as should the vendors that provide security tools and services. There’s no single tool that will solve all of a bank’s digital security needs, so instead of a micro-focus on prevention, it comes down to understanding customer needs and the user experience they want.
OneSpan can help you get there. Our Intelligent Adaptive Authentication solution makes it easy to completely do away with passwords in favor of strong customer authentication (SCA). To learn more about improving your authentication processes, we recommend these resources: