What is authentication software?
Authentication software is a means of authenticating users through a software application or mobile app, instead of a hardware device. This can also be referred to as mobile authentication, soft token authentication, or phone-as-a-token authentication. Authentication software is used to validate your identity when you’re logging into your account, either on your desktop or mobile device, or when you’re doing a banking transaction. It relieves you of having to carry a hardware authenticator.
Authentication software can be used as part of a two-factor authentication solution (2FA) or multi-factor authentication (MFA) process. Most banks and other organizations require 2FA or MFA for login security, where two or more factors of authentication are combined for identity verification. This could be:
- Something you know, such as a one-time password or secret question
- Something you have, such as your mobile device
- Something you are, including a fingerprint or facial scan
Mobile Devices Pushing the Use of Authentication Software
The overall popularity of mobile apps is raising customers’ expectations for a simple, easy and adaptive authentication process on their mobile devices. A recent study by Juniper Research found that the total number of digital banking users will exceed 3.6 billion by 2024, up from 2.4 billion in 2020. Authentication software can happen through your bank’s mobile app or through a separate, standalone mobile authenticator app downloaded from an official app store. Your mobile phone can also be used to authenticate your login because it’s something you have that can be combined with another means of authentication, such as your fingerprint or facial scan, or a one-time PIN generated by an authenticator app on your mobile device to achieve 2FA. The result is a seamless experience for you, the customer, relieving you of password management. Using your mobile phone removes the inconvenience of having to carry around a hard token, such as a smart card, to do the same thing.
Additionally, some developers choose to build their own MFA software, but a number are embedding existing MFA software solutions in their apps using application program interfaces (APIs) that allow developer’s software to integrate with the MFA software.
CASE STUDY
Eaglebank Launches Software Authentication For New Customers
EagleBank faced two key challenges in their software authentication deployment: determining the right launch strategy and forming a policy for their existing customers. Learn how they overcame them in this case study.
Read More
Mobile authentication methods
There are a number of different mobile authentication software technologies that can be easily and quickly used on your mobile device to provide secure access.
For example, you can install a standalone authentication app on your phone where you’re prompted to tap on a button and a one-time passcode (OTP) is generated, which can be used in a two-factor authentication process. This OTP can also be delivered by SMS to accomplish secure authentication. Or, you can also log into the mobile banking app by using your fingerprint or face, if the app and your device support this.
Biometric authentication, a fingerprint or facial scan, can be used to access your mobile banking app. Your fingerprint unlocks an OTP that authenticates you behind the scenes. Apple (iOS)Touch ID or Face ID are device-native for biometric authentication. The Android framework also includes face and fingerprint biometric authentication. However, biometric authentication systems that don’t depend on specialized hardware within the device would be considered third-party and allow banks and financial institutions to serve a larger population of their customers with biometrics.
Additionally, you can receive a push notification before you’re allowed to log in. Push notification (considered passwordless authentication) allows user authentication by sending a brief message directly to a secure application on the person’s device, alerting them that an authentication attempt is taking place.
For authenticating a transaction, the process is different. A Cronto code can be used to authenticate or authorize a financial transaction. In this case, you’ll see a graphical cryptogram that resembles a QR code, displayed in a web browser. Only your registered device can read the Cronto code, which makes it very secure. When you want to perform a transaction, you enter the payment data into the online banking application in the browser. You’ll then see the QR-like code and scan it using the camera on your mobile device. Your device will decode it, decrypt the payment data, and show it to you on your mobile in plain text. This approach meets the dynamic linking requirements outlined in the European Union’s Revised Payment Services Directive (PSD2) Regulatory Technical Standard.
Best practices for introducing authentication software
One size doesn’t fit all with authentication. Since authentication software comes in different forms as mentioned above, make sure to meet your end users' needs by supporting multiple software authentication options. Soft tokens can be presented to customers as an easy and attractive alternative to hardware tokens.
There are two scenarios to consider. First, financial institutions can enroll new customers for multiple authentication methods during new customer onboarding, which is the process of enrolling a customer when they open an account with a bank or other financial institution. Once the customer’s laptops and phones are registered with the bank as secure and trusted devices, the bank must enroll the customer for authentication. This can take many forms, such as biometrics, a PIN, or a hardware token. The customer will need to be setup for authentication so that they can authenticate each time they access their account as part of the user experience. Many banks also use authentication so that customers can authorize their financial transactions, such as funds transfers and payments.
Second, for financial institutions that already have customers using hardware authenticators, many recommend introducing authentication software by taking a phased approach. Financial institutions should plan for the use of both soft and hard tokens for a period of time. Certain customers will want both with the hardware token as a backup; even though they prefer mobile authentication, and some will still need access to hardware authenticators. Many FIs start by surveying customers to identify groups of users, such as mobile-first customers, who are ready to replace their hardware authenticator by software authentication. Taking a phased approach according to customer readiness can raise satisfaction among digital-native and mobile-first customers, while giving the organization more time to educate their other users.
Finally, when looking at how to offer software authentication to employees, a financial institution or other organization will have different requirements and considerations for corporate networks and phones. That could include provisioning employees with authentication apps on their phones, authenticating employees through single sign-on (SSO), securing access to internal systems and portals through a virtual private network (VPN), or other strategies for identity and access management.
How authentication service software enhances security
Authentication software provides strong protection for online and mobile banking customers. It links an authorized user to their registered devices to help prevent fraud. If a customer loses their smartphone, they usually know almost right away. If they use authentication software, this gives the customer and the bank the ability to shut down the device quickly to help prevent fraudulent activity rather than searching for a lost hardware token. Relying on just usernames and passwords is no longer considered safe to keep user identities secure due to the regular occurrence of data breaches and hackers trying to take over accounts.
In addition to standard multi-factor authentication functionality, many companies are moving toward enterprise grade risk-based authentication software (RBA). Authentication software can also be used as part of a risk-based authentication approach. Risk-based authentication is where the fraud prevention system’s risk engine adapts the authentication challenge to the risk level of a transaction. Authentication software also helps prevent phishing attacks, which use emotional appeals in emails or texts, to convince customers to click on malicious attachments or links. QR-like codes, which can be read by an imaging device an imaging device, as described above, help prevent Man-in-the-Middle attacks because all of the encrypted transaction details are communicated only between the bank and customer, lowering the risk of interception or tampering by hackers. In addition, software tokens allow for the use of biometrics, such as a fingerprint or facial scan, because they establish the presence of the customer, adding another layer of security.
How authentication software provides a better customer experience
Authentication software provides a better customer experience because customers no longer need to carry hardware tokens to keep track of passwords and PINs, reducing unnecessary friction for them. Soft tokens are simple, user friendly and are expected to grow in use due to smartphone adoption. They can increase customer loyalty and growth because of their easy, yet secure experience in providing strong authentication. Soft tokens provide a range of different but easy solutions with their one-time passcodes, biometrics, and other authenticators when customers are logging or want to do financial transactions.