Passwordless Authentication: How Financial Institutions Can Solve the Password Problem
Passwords are still a big problem for the financial services industry. To review the scope of the problem and what financial institutions should do about it, we spoke with Julie Conroy, Head of Risk Insights at analyst firm Aite-Novarica, during a recent webinar.
For banking leaders interested in modernizing the authentication experience for their customers, our webinar presentation is a good start. In it, we talk about the fact that because passwords are so easy to use, many institutions are reluctant to stop using them. The good news is, there is a better way. Modernizing your authentication stack with passwordless authentication provides an easier and more secure digital banking experience.
We also talk about what’s at stake for institutions that don’t upgrade to passwordless authentication. For starters, it’s easy for criminals, hackers, or other bad actors to compromise passwords through brute force, credential stuffing, dictionary attacks, and phishing or social engineering. Worse, managing passwords as an authentication factor has become a universally frustrating experience for customers. Between password resets and password reuse, people are looking for a better user experience. In fact, Aite-Novarica research shows that 97% of consumers say a smooth, easy experience is important when choosing a financial service provider. Despite this, many banks still rely on the username/password combination to secure access to their products and services.
What’s notable is tech firms have been leading the charge by modernizing with passwordless authentication methods such as facial recognition and other biometrics that strengthen security and deliver an easier customer experience. Firms like Microsoft, Google, and Apple are ahead of financial institutions when it comes to security standards. These corporations are dedicated to providing a superior customer experience by going passwordless.
If you want to hear what your bank or financial institution can do to catch up, watch our presentation with Julie Conroy, Why Forgetting Your Password is Safer than Having One, or get the 5-minute summary here.
The Problem with Passwords and Password Management
It is no secret that passwords are no longer a valid security mechanism for banks. The challenge is, no matter the demographic, consumers all over the world tend to use the same username and password combination across websites, even as account takeover attacks become more prevalent. While there are many tactics criminals use to take over an account, using passwords puts banking customers at much higher risk of social engineering attacks like phishing that lead to account takeover. The data is clear: According to Statista, banks are among the top 3 most targeted organizations for phishing attacks. Another report showed a 300% increase in phishing attacks targeting bank customers.1
In the US, I recently read about news columnist and professional organizer, Marla Ottenstein, and her firsthand experience with account takeover. As she explains, it is a devastating experience:
“It’s called ‘account takeover,’ and TAKE OVER is exactly what they did. By hijacking my mobile phone and email accounts, the crooks were able to circumvent numerous email and text alerts, which were being sent to me by my bank and credit-card company, as well as by the mobile and cable companies, as the criminals systematically drained my checking account and ran up thousands of dollars worth of fraudulent charges on my credit card.”
The threat is real. Widely available phishing kits for sale on the dark web make it quick, easy, and cheap to host phishing sites to launch attacks. In fact, the dark web economy is growing with places like the Genesis Marketplace that not only sell usernames and passwords, but also the fingerprints that go along with the device. Having this type of information makes it possible for a bot to bypass most online access management security measures and successfully access and drain a victim’s bank account.
Mobile Banking: The Entry Point for Passwordless Authentication
A growing number of banks are considering passwordless authentication solutions for their mobile users. A 2021 Aite-Novarica survey showed that 68% of US consumers use their smartphone to login to their bank account at least once a week. Similarly, in November 2021, Forrester Research’s Oliwia Berdak confirmed “Forrester data shows that some 40% of French, 54% of Italian, and 54% of UK online adults have done their banking on a smartphone — via either the bank’s mobile website or app — in the past month.”
Usernames and passwords tend to be too clunky for use on smaller devices like a smartphone. There are better alternatives that pair multi-factor authentication (MFA) with a user-friendly experience and are more resistant to fraud attacks.
Here are a few of the most popular methods:
- Push notifications: This method provides an authentication code through a notification that pops up on the lock screen of a customer’s mobile device. Push notifications have proven to be much more secure than sending an OTP through SMS. Another option is to use a QR code that is delivered via push, then scanned by a trusted mobile device and used to authenticate.
- Biometrics: Face and fingerprint scans are popular among consumers. Many are already using their device’s biometric authentication, via TouchID and FaceID, for example.
- FIDO: FIDO (the FIDO Alliance) is an industry body with the clear-cut mission of getting rid of passwords. Its device-resident authenticators eliminate the need for passwords and serve as the underpinning for many passwordless authentication solutions. Read our blog on FIDO2 authentication and the passwordless web.
Top Use Case: Passwordless Login to Online or Mobile Banking
Mobile has been the predominant way for consumers to bank for some years, especially since the beginning of the pandemic. At the same time, fraudsters are following suit and moving their criminal activity to the mobile channel. This has made it more important for banks to analyze the health and integrity of each consumer’s mobile device during the mobile banking login process and during transactions. Doing so can decrease the success rate of fraud attacks and consequently, the risk of theft of customers’ money.
It’s imperative to put together a fraud prevention strategy that includes determining the health of the customer’s mobile device. To do this properly, financial institutions would need to gather information such as the device ID, geolocation, operating system, and other data points. A fraud prevention system built on risk-based authentication can then take these data points and make instantaneous decisions that protect the consumer’s financial transactions.
What would a red flag in this kind of system look like? It can be something as simple as checking to see if the customer’s phone has been compromised by malware. A risk-based authentication system can then simplify the user experience because if there is no malware on the device, or if the client is doing a low-risk transaction, there won’t be a need to pass an authentication challenge.
As the banking industry moves into passwordless authentication, there are opportunities to educate customers in order to avoid misconceptions. One common misconception is: if username and password fields are not visible, then there must be something wrong. Increasingly, security has become invisible to the customer – as is the case with risk-based authentication.
For example, in the case of an existing customer, a relationship of trust has already been established. The bank knows the customer’s trusted device and has a history of the customer’s typical activity and behavior. Each time that customer interacts with the bank, the bank can use technology such as fraud prevention rules and machine learning to assign a risk score to each action the customer takes during their online banking session. This score is used to determine whether to challenge the customer with a new authentication request, or not. In the case of a high-value or higher risk transaction, the customer might be asked to confirm their identity or authorize a transaction by authenticating with a fingerprint scan. However, if the customer logs in at the usual time, from the usual geolocation, using the same authentication method, and does so on their trusted device, this together provides a high degree of assurance that it is in fact the legitimate customer. A risk-based authentication system would create a risk score based on parameters such as these and allow the customer to authenticate without a password.
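The risk-based decision described above, written out as an added example (not the webinar's or any vendor's code): each signal that deviates from the customer's established profile adds a weight, and the total decides between a silent passwordless login, a biometric step-up, or a block. Field names, weights and thresholds are constructed for illustration.

```go
package main
// LoginContext carries the signals the article says a bank gathers at login
// (device identity, geolocation, time, device health, the action). Field
// names, weights and thresholds below are constructed for this example.
type LoginContext struct {
	DeviceID, TrustedDeviceID  string  // current device vs. the enrolled one
	Country, UsualCountry      string  // geolocation vs. customer's history
	Hour, UsualStart, UsualEnd int     // login hour vs. typical window
	MalwareDetected            bool    // result of the device health check
	TxAmount                   float64 // 0 for a plain login
}

const (
	Allow  = "allow"   // passwordless, no challenge shown
	StepUp = "step-up" // ask for a biometric confirmation
	Deny   = "deny"    // block and route to fraud review
)
// RiskScore adds a weight for each signal that deviates from the customer's
// established profile; a compromised device outweighs everything else.
func RiskScore(c LoginContext) int {
	rules := []struct {
		hit    bool
		weight int
	}{
		{c.MalwareDetected, 100},
		{c.DeviceID != c.TrustedDeviceID, 40},
		{c.Country != c.UsualCountry, 30},
		{c.Hour < c.UsualStart || c.Hour > c.UsualEnd, 10},
		{c.TxAmount >= 1000, 30}, // a high-value transaction always earns a step-up
	}
	score := 0
	for _, r := range rules {
		if r.hit {
			score += r.weight
		}
	}
	return score
}

// Decide maps the score to the three outcomes the article describes.
func Decide(c LoginContext) string {
	switch s := RiskScore(c); {
	case s >= 100:
		return Deny
	case s >= 30:
		return StepUp
	}
	return Allow
}
```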
Use Case #2: Authorizing Financial Transactions Using FIDO
Consider a customer paying a bill on their phone through their mobile banking app. Before processing the transaction, the bank asks the customer to confirm that the amount and the payee are accurate. In this instance, the bank uses biometrics to confirm the customer’s identity.
Banks should look for FIDO capabilities from their authentication provider. This allows you to leverage open standards and implement passwordless authentication to enhance the customer experience with modern biometric technologies.
An additional layer of security on top of this is called secure channel. A secure channel can be paired with FIDO to provide end-to-end encryption for the entire financial transaction. FIDO has been proven to be a quick and easy tool that allows the customer to own the authentication themselves. So when they’re authenticating to any number of different applications, they’re using their own authenticator to do that.
FIDO-certified authentication methods are supported out-of-the box as they come to market. Any application can work with any device and any authenticator because of the open standard being used. This gives organizations lots of options on how they want to approach customer authentication.
It’s worth noting that FIDO authenticators are not typically issued by a bank. Banks don't need to go out and mail authenticator tokens to their customers, or ask them to download a FIDO application. FIDO support is already part of the Android and iOS operating systems and of the Microsoft environment. The FIDO flow interacts with a number of components that are already on the device, most notably the biometric components.
In our presentation, we did a FIDO demo that shows a user creating a transaction. They're asked to authenticate the transaction and they're shown the transaction data. The customer verifies and confirms that all the data is accurate. Next, the customer is prompted to use their biometrics to confirm and encrypt the transaction, and send it back to the bank. This way the bank knows that no fraudster has intercepted and changed the transaction en route. Everything is legitimate and the bank can proceed.
FIDO has proven to be a great passwordless authentication tool in this case, because all the customer needs to do is a simple face scan.
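A simplified model of the transaction confirmation shown in the demo, added here as an example and not code from the webinar or from any FIDO implementation: the bank keeps only the public key from enrolment, the device signs the bank's per-transaction challenge together with the exact transaction the customer reviewed, and the bank verifies that signature over the transaction it actually received, so any change en route fails verification. Ed25519 and a SHA-256 over challenge plus JSON are stand-ins for the WebAuthn wire format, and the biometric check is assumed to have passed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Transaction is the data the customer reviews on screen and that the
// authenticator signs. Field names are constructed for this example.
type Transaction struct {
	Payee    string  `json:"payee"`
	Amount   float64 `json:"amount"`
	Currency string  `json:"currency"`
}

// Enrol models FIDO registration: the device creates a key pair and the bank
// stores only the public key against the customer's account.
func Enrol() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// toBeSigned binds the bank's per-transaction challenge (a fresh random
// nonce, so an old signature cannot be replayed) to the exact transaction
// bytes. Simplified model of how WebAuthn hashes client data, not the wire format.
func toBeSigned(challenge []byte, tx Transaction) []byte {
	body, err := json.Marshal(tx)
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256(append(append([]byte{}, challenge...), body...))
	return h[:]
}

// Confirm runs on the device after the customer has reviewed tx and passed
// the biometric check (assumed to succeed here); the private key never leaves it.
func Confirm(priv ed25519.PrivateKey, challenge []byte, tx Transaction) []byte {
	return ed25519.Sign(priv, toBeSigned(challenge, tx))
}

// Verify runs at the bank over the transaction it actually received: any
// change to payee or amount en route makes the signature check fail.
func Verify(pub ed25519.PublicKey, challenge []byte, received Transaction, sig []byte) bool {
	return ed25519.Verify(pub, toBeSigned(challenge, received), sig)
}
```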
Use Case #3: Bank Wire Transfer with QR or Push Notification
The benefits as far as ease of use become quite clear when using a QR-like code for this use case. The transaction is initiated by the bank and can’t be initiated or intercepted by a fraudster – especially one trying to infiltrate a bank account through phishing and social engineering.
Receiving a push notification is quite easy for the customer because they are used to opening push notifications from other apps. And because it’s coming through a secure channel, it’s much safer than SMS. The other important thing to point out here is that push notifications are an encrypted message, unlike SMS. For an attacker, push notifications are much harder to crack than SMS-OTP.
Look for a passwordless authentication solution that supports a broad range of hardware and software technologies (such as biometric authentication, push notifications, Cronto, and FIDO). This gives you flexibility in meeting customers’ needs and preferences, across use cases.
It’s clear that the password has long since outlived its ability to provide any form of digital channel security and now mainly presents security vulnerabilities. The future belongs to passwordless authentication solutions. Watch the full webinar for details.