Customer confidence, that most prized of bank assets, is fragile and easily damaged when headlines about security breaches litter the media landscape. But anxiety can abruptly end and turn into irritation if too many barriers in the service of security discourage customers and diminish usage.
When banks and their customers are asked about their online or mobile identity authentication preferences, increasingly they are answering “All of the above. As many options as possible.”
Clearly, user names and passwords are not sufficient to adequately secure the most sensitive online transactions. That’s why two-factor authentication point solutions are now used for transactions that need that extra layer of protection. These solutions have been effective in reducing online fraud but they are cumbersome for the customer and expensive for the provider. To the extent that they impede the growth of transaction revenue and discourage the provider from introducing new services and new channels, they come up short of the perfect answer.
The increasing use of smart phones and tablets to perform online transactions offers the banking industry a great opportunity to re-evaluate security and authentication systems. In particular this creates opportunity for turning to a “layered” security approach: multiple levels and options that balance identity confidence with ease-of-access and ease-of-use.
What is Layered Security?
While layered security is just now taking root in banking, it already has a solid pedigree in the security world. The point is not just to catch culprits in the attempt but also to create such a formidable defense that they are foiled in their efforts and deterred in the future. One method might combat a breach, but if it is bypassed or compromised, other methods can ensure that no data is vulnerable. Combining all these methods improves the odds for security and crushes the odds of those who would breach it. There are two other critical benefits of those layers: They facilitate access and convenience for travelers who do not pose threats. And they let security authorities concentrate resources on those who might.
In online banking, users, devices, applications, networks and data are all points of vulnerability. When it comes to mobile security, bank authentication systems must continually answer two primary questions:
1. Is the user who he/she claims to be?
2. Is the user entitled to access the system/data or perform this specific transaction?
The primary challenge for financial institutions is to answer the first question confidently while balancing the customer experience for consumers using online and mobile channels. For example, users are likely to be frustrated if it takes 5-10 minutes for them to complete a series of challenge questions in order to determine adequate identity confidence. However, simple user name and password entry will not suffice.
What are these “layers”?
There is a vast array of new technologies and techniques available to check the authenticity of a user and increase identity confidence. The two most commonly used factors are “something you know” such as passwords or PINs and “something you have” (card, token, or device). Recently, we’ve seen increasing attention and investment in a third: “something you are” – referring to physical or behavioral biometrics such as face, fingerprint, voice, keystroke, and iris. All smartphones already have face and voice capture capabilities, and the new iPhone 5S now has an integrated fingerprint device for user authentication.
Beyond these three authentication factors, there are now other security layers available. One is analytics of usage behavior through GPS locations – i.e. “where you are”, along with activity date/time, and usage trends. These can be conducted passively in the background, so they can significantly enhance security without compromising the customer experience.
Financial institutions can take advantage of these technologies by implementing a flexible, enterprise multi-factor authentication approach at a time when customer confidence is more important than ever. This approach makes it easy to introduce new methods of authentication, provides intelligent authentication that adapts the method to the confidence level required, and is well suited to the new biometric authentication methods. It also includes a standardized means of interfacing with the financial institution’s risk analysis methods, so that parameters governing how transactions and user requests are handled can be set dynamically.
Multi-factor authentication also has another customer benefit: The customer can be provided a profile option to decide how much security they wish to establish and for what purposes. Once the bank sets authentication levels to the bank’s satisfaction, there is nothing stopping them from offering customers the option of setting those levels higher – or from tweaking their profile within the bank’s broader parameters. It is not unusual for new customers to want higher levels until they become comfortable with the technology, or after a highly publicized intrusion.
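As an added illustration, and not code from the article or from Unisys, here is a small Python policy engine in the spirit of the layered approach described above: passive signals (enrolled device, location, time of day, transaction amount) feed a risk score, the bank's tunable thresholds map that score to a required authentication level, and the customer's profile option can raise that level but never lower it. All signal names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Authentication levels ordered from weakest to strongest identity confidence.
# A higher required level means the user is challenged for more factors (step-up).
LEVELS = {1: "password", 2: "password+device", 3: "password+device+biometric"}

@dataclass
class Request:
    known_device: bool           # "something you have": device previously enrolled
    country: str                 # passive "where you are" signal (GPS / network)
    home_country: str            # country the customer normally transacts from
    hour_local: int              # 0-23, local time of the request
    usual_hours: range           # hours in which this customer normally transacts
    amount: float                # value of the requested transaction
    customer_min_level: int = 1  # profile option: customer-chosen floor (assumed)

def risk_score(r: Request) -> int:
    """Sum passive signals into a risk score; no customer interaction is needed.
    Weights are illustrative assumptions, not a published scoring model."""
    score = 0
    if not r.known_device:
        score += 2
    if r.country != r.home_country:
        score += 2
    if r.hour_local not in r.usual_hours:
        score += 1
    if r.amount >= 5000:
        score += 2
    elif r.amount >= 500:
        score += 1
    return score

def required_level(r: Request, thresholds=(2, 4)) -> int:
    """Map the score to a confidence level. `thresholds` are the bank's
    dynamically settable parameters; the customer profile can only raise the result."""
    score = risk_score(r)
    if score >= thresholds[1]:
        level = 3
    elif score >= thresholds[0]:
        level = 2
    else:
        level = 1
    return max(level, r.customer_min_level)

def challenge_for(r: Request) -> str:
    """Name the factors the customer will be asked for on this request."""
    return LEVELS[required_level(r)]
```

A routine low-value transaction from an enrolled device in the home country passes on a password alone, while an unfamiliar device abroad at 3 a.m. moving a large sum is stepped up to a biometric challenge, with the score computed entirely from background signals.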
Finally, it’s crucial to note that when regulators request financial institutions to disclose their types of security measures, you can be sure they won’t be content with user passwords, but will look favorably on multiple layers that flexibly employ the full range of available security tools.
Mr. Olson is Vice President, Global Financial Services, Mr. McGrath is Global Director of Mobility Solutions, and Mr. Hartmann is Vice President globally for Security Solutions & Industry Applications, for Unisys Corp.