What is Authentication as a Service (AaaS)?
Authentication as a service provides authentication capabilities in the cloud so financial institutions can securely verify their customers using multi-factor authentication (MFA). Financial institutions are moving to cloud computing, relying less on the need to maintain, upgrade and replace their on-premises authentication equipment and technology. Today, the ongoing digital evolution has been accelerated by the COVID-19 pandemic and customers now expect more digital experiences with their bank. Authentication as a service allows financial institutions to remove repair and replacement costs for network infrastructure and mitigate fraud. They can also scale up or scale down to meet customer demand. Authentication as a service strengthens and streamlines authentication across applications and channels, supports a mix of hardware and software authentication methods, and can be upgraded to support more comprehensive authentication solutions such as adaptive authentication or risk-based authentication.
Authentication as a Service: Multi-factor Authentication Methods
Authentication as a service uses multi-factor authentication (MFA) for login security, where two or more factors of authentication are combined for identity verification. This could be:
- Something you know, such as a one-time passcode (OTP) or the answer to a secret question
- Something you have, such as your mobile device
- Something you are, such as a fingerprint or facial scan
To achieve multi-factor authentication, at least two different technologies from at least two different technology groups must be used in the authentication process. As a result, using a PIN coupled with a password would not be considered MFA, while using a PIN with facial recognition as a second factor would be. It is also acceptable to use more than two forms of authentication. However, most people increasingly want frictionless authentication (the ability to be verified without the need to perform excessive security steps).
Authentication as a service also supports the latest technologies such as open standards like FIDO, biometrics (including face recognition and fingerprint scans), out of band authentication, like Cronto, QR-like codes, and next generation hardware.
Advantages of using Authentication as a Service
In the last decade, there has been a growing adoption of cloud and hybrid cloud deployments for IT services and applications. The COVID-19 pandemic accelerated digital transformation and modernization initiatives at banks. The pandemic has also accelerated the digital behavior of customers. People now expect more digital interactions with their financial institutions and they expect them to be seamless. These initiatives are difficult to support with on-premises infrastructure, especially during the pandemic. This is a contributing reason to the interest in cloud-based solutions.
An Aite Group report, The Rise of Digital-First Banking, looks at how consumers will become digital-first regardless of generation and whether financial institutions are ready or not, now that the coronavirus pandemic has changed the way consumers interact in every area of their lives. “The COVID-19 crisis is pushing the digital adoption and usage trajectory to full steam ahead,” states Tiffani Montez, senior analyst at Aite Group. “Digital-first banking is the new norm, and now more than ever, it is important for FIs to build a new digital experience and optimize existing digital processes to reduce friction.”
Here are the advantages of authentication as a service:
- No need to house equipment on-premises: With authentication as a service, financial institutions can reduce operating expenses for IT departments.
- No extra IT staff: IT equipment requires maintenance and replacement. With authentication as a service, a third-party service provider is typically responsible for maintaining the equipment on which an application is hosted. For example, highly skilled staff, such as infrastructure engineers, can be re-assigned to other IT projects instead of spending their time on maintenance work. Since authentication as a service is passwordless, it removes password resets for busy IT teams.
- Lowers operating costs, increases operational efficiencies: Authentication as a service allows financial institutions to reduce the ongoing replacement costs of server equipment, network infrastructure, network maintenance, hosting, and security procedures. This results in operating costs that are lower than on-premises deployments and more consistent, increasing operational efficiency while providing secure access.
- Ability to scale: Authentication as a service provides banks with the ability to scale up or down as necessary to meet the current demand. This makes pricing less complicated and less costly to purchase more cloud service capacity than it would be to deploy new server equipment on-premises.
- Quick and easy deployment: Authentication as a service can be deployed in a matter of weeks without the need to purchase, provision, and deploy any IT infrastructure. Conversely, on-premises deployments can take months or even up to a year, depending on budget, and other factors.
- Flexible authentication options: Authentication as a service supports hybrid software and hardware authentication technologies, continuous monitoring, device and multi-user channel profiling. It can be seamlessly upgraded to more comprehensive solutions, such as risk-based authentication that uses machine learning and a risk engine to help reduce fraud.
Three case studies of organizations using Authentication as a Service
Case study #1: Japanese bank moves to cloud-based authentication
The Challenge: This Japanese bank released its mobile banking application in November 2019. Initially, the app’s functionality was limited and only allowed users to check their balance. Also, the legacy authentication process used in the online channel did not provide a satisfactory mobile experience. Customers would receive a one-time password (OTP) through email and input the password in the web portal. This experience did not translate well to mobile. The bank decided to implement cloud-based authentication and transaction data signing to securely enable money transfers through the app. The timeline for this project was very tight because the bank needed to release the updated version of the app three months after the beginning of the project. Typically, integrating a new authentication solution into an existing app and deploying an on-premises authentication server to support it could take upwards of a year to complete. Instead, the bank decided to move to an authentication server hosted in the cloud.
The Result: Now customers can authenticate by receiving their OTP in-app, or use fingerprint biometrics. The result is a reliable, secure, and convenient customer experience while expanding the mobile banking app’s functionality.
Case Study #2: FinTech delivers cloud authentication to all norwegian banks
The Challenge: In this use case, a Norwegian fintech organization offers Norwegian banks a secure and cost-effective authentication solution for identification and electronic signatures. To authenticate, users were required to use hardware authenticators, which provided the necessary security for the end user. However, customer feedback showed a desire for a software authentication solution that allowed them to use their mobile devices. The organization decided to launch a new mobile app to authenticate users to improve the customer experience and to implement biometrics. The organization is partially owned by all banks in Norway and they all make use of this service. As a result, the organization could not consider an on-premises authentication solution because this would require each Norwegian bank to deploy a new authentication server on-premises.
The Result: By using cloud-based authentication, banks could easily adopt the authentication app for user authentication. With the app deployed, users gained access to multi-factor authentication (MFA) with fingerprint biometrics and push notifications. The new experience proved to be significantly more convenient for customers and those who downloaded the authentication app could safely retire their hardware authenticators.
Case Study #3: Healthcare organization introduces cloud authentication to reduce costs
The Challenge: This healthcare software development company recently modernized their security strategy by moving to authentication as a service. The company sells an Electronic Prescription of Controlled Substances (EPCS) solution that helps doctors and healthcare professionals connect their patients with the regulated medications they need. Due to the sensitive data involved, both the privacy concerns of medical information and the potential of misuse of the medication, authentication and user identity are extremely important components of the solution.
The Result: The company migrated from an on-premises implementation to a cloud-based authentication service provider to avoid the costs associated with purchasing, supporting, and maintaining the servers to enable authentication. The company also wanted to integrate an authentication process into their existing product with a solution that makes it easy to deploy, evaluate, and verify compliance with all regulations.
How Authentication as a Service helps mitigate fraud
Financial institutions can help protect their customers against fraud threats with cloud-based MFA on a proven and reliable security infrastructure. So far in 2020, there have been prominent data breaches at Twitter, Zoom and Marriott, which suffered their second breach in as many years[JM2] . With so many people still using the same static passwords as the only means of authentication across multiple accounts, any data breach of passwords and email addresses can have serious consequences for consumers.
As a result of the COVID-19 pandemic, cybercriminals have increased their efforts with the number of phishing websites increasing by 350% since the start of the year, and £16.6 million ($20.8 million US) lost in shopping fraud losses since the beginning of lockdown. Phishing remains the preferred
method for attackers when it comes to stealing credentials, according to Verizon’s 2020 Data Breach Investigations Report. Additionally, with more than 15 billion credentials circulating on the Dark Web, cybercriminals have everything they need to commit account takeover attacks and other forms of fraud.
The ongoing digital evolution also has led to the rise of mobile, expanded digital channels, and an increase in the number of applications and products. This has often resulted in a siloed approach to authentication security, putting the burden on IT staff to manage different solutions. Authentication as a service provides centralized security and ensures that banks can keep customers protected against fraud attacks, particularly social engineering and phishing attacks.
How Authentication as a Service improves customer experience
Considering the menacing threat landscape, authentication as a service (AaaS) helps banks maintain security for user authentication, increasing the trust of their digital banking customers. Customers can be authenticated with user-friendly mobile authentication options, such as biometrics and in-app push notification for a frictionless user experience. As customers adopt increasingly digital behavior, they get secure authentication via the cloud.
How it meets regulatory compliance
Authentication as a service is designed to meet PSD2’s Strong Customer Authentication (SCA) requirements for secure online payments. It does this through multi-factor authentication, dynamic linking (to counter Man-in-the-Middle attacks), mobile security, and biometric technology. SCA requirements help limit fraud and enhance the security of online payments because customers are required to be authenticated by two out of three elements in authentication:
- Something the customer knows (e.g., PIN, password, security question)
- Something the customer has (e.g., a device)
- Something the customer is (e.g., biometric data such as fingerprints or facial recognition)
Dynamic linking also helps financial institutions achieve compliance because at the time of the transaction, the value of the transaction and the identity of the recipient must be displayed and there must be at least two elements of possession used. These possession elements must dynamically link the transaction to an amount and a payee specified by the payer, when initiating and verifying the transaction.
Authentication as a service uses cloud-based multi-factor authentication to provide security, strict regulatory compliance and a seamless customer experience that helps drive growth. Authentication as a Service is a modern way to approach identity and access management that leverages cloud computing resources and also provides a better user experience and user management. It delivers immediate efficiencies for banks with a solution that can be rapidly deployed. Authentication as a Service also supports quick deployment since most AaaS providers have plugins and APIs (RESTful Services, etc.) to allow for easy integration into enterprise applications.
AaaS adds extra layers of security by not only providing strong authentication, but access control policies. Confidentiality in the cloud is achieved by applying different algorithms along with encryption and decryption procedures, hashing, digital signatures, certificates as well as key exchange management. Cloud-based MFA also supports customers’ increasingly digital behavior. By moving away from on-premises infrastructure to a service provider in the cloud, financial institutions and other organizations lay the groundwork for customization and more comprehensive authentication solutions, such as risk-based authentication or adaptive authentication.