EagleBank Shares Best Practices from their Software Authentication Deployment
One-time passwords (OTP) are a secure and reliable means of authenticating users and transactions. Banks and other financial institutions (FIs) around the world rely on hardware authenticators to generate OTPs for customer login and transaction signing. But as customer expectations shift, financial services providers are adapting their authentication methods for mobile users. One of the ways they are doing this is by introducing software authentication.
Software authentication refers to an app-based OTP generator, offered as a standalone app or integrated into a bank’s native mobile app. This is a form of two-factor authentication (2FA) that combines a knowledge factor (something you know: the passcode) with a possession factor (something you have: your phone).
In this article, we’ll share best practices from EagleBank, a mid-sized U.S. commercial bank, as well as other financial institutions that recently introduced a software authenticator app for their customers.
EagleBank: Hardware and Software Authentication
For 10 years, EagleBank has relied on OneSpan’s hardware authenticator tokens to secure client transactions and protect against account takeover fraud. Prior to introducing software authentication, when a commercial client performed a transaction such as a wire transfer or ACH initiation, they were required to submit a one-time password (OTP) generated on their Digipass® hardware authenticator token.
As commercial clients began transacting increasingly via mobile, however, the bank saw an increase in inquiries about software authentication and decided to make the transition. In April 2018, EagleBank launched their software authentication solution. They decided to introduce it to new customers first, and plan to transition their existing customer base over time.
In fact, existing clients who still rely on hardware authenticators can make the switch once their hardware reaches end of life. The bank plans to establish a quarterly reminder message for their existing customer base. The message will be used to raise awareness of the software authentication app and help interested customers make the switch. By following this approach, EagleBank continues to make the transition from hardware to software authentication as simple as possible.
The Software Authentication Solution
EagleBank decided to use OneSpan Mobile Authenticator Studio as their standalone software authentication app. Under EagleBank’s branding, the app was named the “EagleBank Soft Token App”, and featured the bank’s logo and brand colors. The ability to customize the branding was important because it helped users locate the app on the app store. In addition, the bank found that their users tend to have a higher level of trust when they recognize an app as an official, branded product.
By offering the software solution, EagleBank can enroll new customers in minutes and they can begin transacting immediately rather than wait four days for a hardware token to arrive in the mail. In the first nine months, 95 percent of new customers signed up to use the software authentication solution. [Not all users can adopt mobile authentication, for various reasons. Consider a financial comptroller who works in a secure facility where camera phones are not allowed. Such a client may be required to use hardware authenticators.]
To ensure an easy activation process for all, EagleBank took two important practical steps.
- EagleBank created a PDF document that provided a screen-by-screen walkthrough of the activation process to help show users exactly what to expect. This document is available to the customer in several locations. It is linked on the desktop screen where the user begins their activation, and it is also sent in a welcome email that provides some instruction on how to get started. This process met with a positive response. As noted by Barb McCann, VP Electronic Delivery Channel Manager at EagleBank:
“Customers have been very receptive. They like the fact that they can access and turn on their soft token right away.”
- The bank also assembled a temporary centralized customer care group to facilitate the rollout. Their responsibility was to field live customer service calls on technical support issues and be a subject matter expert.
Best Practices for Financial Institutions
Across the industry, financial institutions have made great strides in delivering secure authentication to their customers. Here are some best practices that have been shared with OneSpan:
- Use Appropriate Authentication Solutions for Each Use Case
Fewer banks today rely on username and password alone for end-user access. A greater number have moved to relatively stronger security technology, such as SMS-based two-factor authentication (2FA), and to stronger methods still, such as app-based two-factor authentication. Banks need to constantly analyze their specific fraud landscape and user experience requirements to apply the right security solution to meet their business goals. SMS-based authentication is not considered ideal, because attackers can take over mobile phone numbers via porting scams and potentially even intercept SMS messages; even so, the level of effort for fraudsters is higher than simply compromising a username and password. Some banks therefore conclude that SMS authentication works for retail banking, while stronger security such as app-based push authentication should be used for higher-value corporate banking.
- Position Software Authenticators as Attractive Alternatives
One bank opted to present their software authenticator to commercial clients as an attractive alternative to hardware tokens. By focusing on the benefits of the solution, they encouraged their clients to adopt the software authenticator on their own. From there, the bank focused on making the process of switching or adopting as easy as possible.
- Support the Transition with Customer Communications
Another bank relied on its well-oiled communication team to facilitate the rollout. FAQs were provided to the helpdesk and short video snippets were produced for customers. Once deployed, the bank had over 100 customers using the integrated mobile authentication in the first month and received ample positive feedback. They expected a slow adoption process that would ramp up over time, but it turned out that their clients had been waiting for just such a solution. As soon as it was pushed live, the solution took off with their users.
- Identify and Prioritize the Right Customers
For years, one retail bank had provided customers with hardware tokens. However, innovation in mobile security gave them new options, namely software authentication for online transactions. After surveying their customer base, this bank prioritized deployment to two groups of customers: those whose hardware tokens were about to expire, and mobile app users. Rather than take a big-bang approach, the bank chose to deploy gradually. The bank communicated the change to customers via email notifications, the website (a dedicated page with information, videos, and FAQs), and the helpdesk.
The Hybrid Approach
As with most of our FI customers, EagleBank determined a hybrid strategy was the right approach. One of the benefits of relying on OneSpan is the ability to leverage a single vendor for both their hardware and software authentication needs. This allows the bank to meet all their clients’ preferences, for the highest levels of customer satisfaction.
“We had already been using OneSpan hardware tokens for 10 years. I wanted our software authentication to be a OneSpan solution, since OneSpan was the solution our customers were already familiar with – and we as a bank were familiar with,” says Glenn Johnson, SVP, Digital Channel Product Manager at EagleBank.
To learn more about EagleBank’s standalone authenticator app and the benefits to their users, read the full case study.