News & Commentary

11:01 AM
Bob Olson, Darren McGrath, and Terry Hartmann, Unisys

How Layered Security Improves Identity Confidence and Consumer Convenience

Multi-layered security will give banks the opportunity to achieve better authentication in the mobile channel without sacrificing customer convenience.

Customer confidence, that most prized of bank assets, is fragile, and easily damaged when headlines about security breaches litter the media landscape. But that anxiety can quickly turn into irritation if too many barriers erected in the name of security discourage customers and reduce usage.

When banks and their customers are asked about their online or mobile identity authentication preferences, increasingly they are answering “All of the above. As many options as possible.”

Clearly, user names and passwords are not sufficient to adequately secure the most sensitive online transactions. That’s why two-factor authentication point solutions are now used for transactions that need that extra layer of protection. These solutions have been effective in reducing online fraud but they are cumbersome for the customer and expensive for the provider. To the extent that they impede the growth of transaction revenue and discourage the provider from introducing new services and new channels, they come up short of the perfect answer.

The increasing use of smart phones and tablets to perform online transactions offers the banking industry a great opportunity to re-evaluate its security and authentication systems. In particular, it creates an opening for a “layered” security approach: multiple levels and options that balance identity confidence with ease of access and ease of use.

What is Layered Security?

While layered security is just now taking root in banking, it already has a solid pedigree in the wider security world. The point is not just to catch culprits in the attempt but also to create such a formidable defense that they are foiled in their efforts and deterred in the future. One control might stop an attack, but if it is bypassed or compromised, the remaining layers can ensure that no data is exposed. Combining these controls improves the odds for the defender and worsens them for anyone who would breach the system. There are two other critical benefits of those layers: they speed access and convenience for legitimate travelers who pose no threat, and they let security authorities concentrate their resources on those who might.

In online banking, users, devices, applications, networks and data are all vulnerable. When it comes to mobile security, bank authentication systems must continually answer two primary questions:

1. Is the user who he/she claims to be?
2. Is the user entitled to access the system/data or perform this specific transaction?

The primary challenge for financial institutions is to answer the first question confidently while preserving the customer experience in the online and mobile channels. For example, users are likely to be frustrated if it takes 5-10 minutes to complete a series of challenge questions before the bank reaches adequate identity confidence. At the same time, simple user name and password entry will not suffice.

What are these “layers”?

There is a vast array of new technologies and techniques available to check the authenticity of a user and increase identity confidence. The two most commonly used factors are “something you know” (passwords or PINs) and “something you have” (a card, token, or device). Recently, we’ve seen increasing attention and investment in a third, “something you are”: physical or behavioral biometrics such as face, fingerprint, voice, keystroke, and iris. All smartphones already have face and voice capture capabilities, and the new iPhone 5S now has an integrated fingerprint sensor for user authentication.

Beyond these three authentication factors, other security layers are now available. One is analytics of usage behavior: GPS location (“where you are”), activity date and time, and usage trends. These checks run passively in the background, so they can significantly enhance security without compromising the customer experience.

Financial institutions can take advantage of these technologies by implementing a flexible, enterprise-wide multi-factor authentication approach, at a time when customer confidence is more important than ever. Such an approach makes it easy to introduce new authentication methods, provides intelligent authentication that adapts the method to the confidence level a given request requires, and is well suited to the new biometric methods. It also includes a standardized interface to the financial institution’s risk analysis, so that the parameters governing how transactions and user requests are handled can be set dynamically.

Multi-factor authentication has another customer benefit: the customer can be offered a profile option to decide how much security they wish to apply, and for which purposes. Once the bank has set authentication levels to its own satisfaction, nothing stops it from letting customers set those levels higher, or from letting them tune their profile within the bank’s broader parameters. It is not unusual for new customers to want higher levels until they become comfortable with the technology, or after a highly publicized intrusion.
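The passages above describe an adaptive scheme: passive signals (device, location, time of day) feed a risk assessment, the bank sets a minimum assurance level per transaction type, and the customer may raise (but never lower) that level in their profile. The following Python is an added example, not code from the article or from Unisys; the transaction types, factor names, score weights and thresholds are all assumptions chosen to illustrate the step-up logic, not a description of any bank's real policy.

```python
"""Risk-adaptive step-up authentication policy (illustrative example, not a product)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Assurance(IntEnum):
    """Assurance levels map onto the three factors discussed in the article."""
    LOW = 1      # "something you know" only (password / PIN)
    MEDIUM = 2   # + "something you have" (device-bound one-time code)
    HIGH = 3     # + "something you are" (biometric)


# Bank-defined floor per transaction type (assumed values for the example).
BANK_MINIMUM: Dict[str, Assurance] = {
    "view_balance": Assurance.LOW,
    "transfer_internal": Assurance.MEDIUM,
    "transfer_external": Assurance.HIGH,
}

# Which concrete factors satisfy each level (assumed factor names).
FACTORS_FOR: Dict[Assurance, List[str]] = {
    Assurance.LOW: ["password"],
    Assurance.MEDIUM: ["password", "device_otp"],
    Assurance.HIGH: ["password", "device_otp", "fingerprint"],
}


@dataclass
class Context:
    """Passive signals gathered for one request (constructed, not real telemetry)."""
    transaction: str
    amount: float
    device_known: bool                    # device previously enrolled by this customer
    distance_km_from_last_login: float    # "where you are" vs. last known location
    hours_since_last_login: float
    local_hour: int                       # 0-23, customer's local time
    customer_min_level: Optional[Assurance] = None  # customer-chosen profile floor


def risk_score(ctx: Context) -> float:
    """Combine background signals into 0.0 (benign) .. 1.0 (suspicious). Weights are assumed."""
    score = 0.0
    if not ctx.device_known:
        score += 0.35
    if ctx.hours_since_last_login > 0:
        speed_kmh = ctx.distance_km_from_last_login / ctx.hours_since_last_login
        if speed_kmh > 900:          # faster than airline travel: "impossible travel"
            score += 0.40
        elif ctx.distance_km_from_last_login > 500:
            score += 0.15
    if ctx.local_hour < 6 or ctx.local_hour >= 23:   # unusual hour for this customer
        score += 0.10
    if ctx.amount > 5000:
        score += 0.20
    return min(score, 1.0)


def required_level(ctx: Context) -> Assurance:
    """Bank floor, raised by risk, raised again by the customer's own profile (never lowered)."""
    level = BANK_MINIMUM.get(ctx.transaction, Assurance.HIGH)  # unknown type -> strictest
    risk = risk_score(ctx)
    if risk >= 0.6:
        level = Assurance.HIGH
    elif risk >= 0.3:
        level = max(level, Assurance.MEDIUM)
    if ctx.customer_min_level is not None:
        level = max(level, ctx.customer_min_level)  # profile can only tighten the policy
    return level


def decide(ctx: Context, factors_presented: Set[str]) -> dict:
    """Allow the request, or name the extra factor(s) the user must still present."""
    level = required_level(ctx)
    missing = sorted(set(FACTORS_FOR[level]) - factors_presented)
    return {
        "level": level.name,
        "risk": round(risk_score(ctx), 2),
        "allow": not missing,
        "step_up": missing,
    }


if __name__ == "__main__":
    # Known device, ordinary hour: a balance check needs only the password.
    print(decide(Context("view_balance", 0.0, True, 0.0, 24.0, 12), {"password"}))
    # Low-risk context, but the bank floor for external transfers still demands a biometric.
    print(decide(Context("transfer_external", 200.0, True, 0.0, 5.0, 14), {"password", "device_otp"}))
    # Unknown device, 3000 km in two hours, 3 a.m.: even a balance check is stepped up.
    print(decide(Context("view_balance", 0.0, False, 3000.0, 2.0, 3), {"password"}))
```

The shape worth noting is that every input can only push the required level upward: the bank floor, the risk score and the customer profile are combined with `max`, so a mis-tuned risk weight or a customer setting cannot silently weaken what the bank mandated for a transaction type. The passive signals are computed without any extra prompt to the user, which is the convenience argument the article makes for running such analytics in the background.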

Finally, it’s crucial to note that when regulators ask financial institutions to disclose the types of security measures they use, you can be sure they won’t be content with user passwords, but will look favorably on multiple layers that flexibly employ the full range of available security tools.

Mr. Olson is Vice President, Global Financial Services, Mr. McGrath is Global Director of Mobility Solutions, and Mr. Hartmann is Vice President globally for Security Solutions & Industry Applications, for Unisys Corp.

User Rank: Author
10/29/2013 | 6:58:17 PM
re: How Layered Security Improves Identity Confidence and Consumer Convenience
Marrying consumer convenience and expectation when it comes to mobile and ensuring adequate security is of course a sticky proposition, one most banks are still trying to figure out. I wonder if biometrics will become common in mobile security going forward, or if consumers will take to something else.