Future of Authentication in Banking
July 5, 2016 - How do you define a winning authentication strategy?
The way we pay and do banking is changing with new technologies and the growing range of authentication options. Banks should choose a strategy now so that they are ready for the authentication methods to come. Because the whole industry sees opportunities in this space, there is also an explosion of new technologies, tools and start-ups, with new products and services being created every day.
The ideal goal of every payment implementation is to strike the right balance between security and convenience. An essential ingredient in the commerce value orchestration is the ability to authenticate consumers and the payment instrument they provide during a transaction. Therefore, there is an ongoing race to excel at authenticating customers by deploying state-of-the-art solutions.
To realize different authentication concepts, a mindset change is needed for traditional banks. In a fast-changing world, the architecture of banks will need to become more open and flexible.
Let’s look over the basics.
So, what is authentication? Authentication is the process of determining if an entity is, in fact, who he/she/it claims to be. In the banking industry the concept is widely used. Nowadays, solutions to the authentication need are becoming more and more innovative. Banks have to prepare their authentication strategy for the near-future, where both sufficient authentication and a seamless user experience will be ensured.
Why do we authenticate?
We are so used to authentication at some point in our daily lives that it may seem unnecessary to discuss why authentication is so important. Do you use a password to access your mobile phone? Do you need a key to access your home? Are you asked for a password when accessing internet banking? The answer is usually yes. The impact of not authenticating would be substantial; authentication methods are usually applied according to the risk associated with unauthorized access.
Why and where Banks authenticate
As banking has moved from the physical to the online world, the authentication methods also need to be compatible with the online environment. Users need to be authenticated prior to accessing online banking services. To do this, banks still rely on username-password combinations, applying additional authentication methods during the journey as the user's actions become more critical.
In-store payments are usually referred to as “card present” transactions. These allow banks to authenticate both the card and the cardholder: the card through Offline Data Authentication mechanisms and dynamic cryptograms, the cardholder through cardholder verification methods. Through a proper validation of the authentication results for both card and consumer, banks can securely proceed with transaction authorization.
Online payments are often referred to as Card Not Present (CNP) transactions, in which end users must provide proof that they are the rightful owner of the card. With online payments, the balance between secure authentication and providing a simple user experience is more delicate due to competing technologies already present in the market. Traditionally, the end user only needs to provide the (credit) card number together with a (static) three or four digit card cryptogram, sometimes supplemented with the cardholder name and the address registered with the issuing bank. Since this static data can be copied, this process has been amended and CNP transactions are often enriched with 3D Secure Verification as an additional step, which is provided by the main payment schemes. EMVCo is now also responsible for incorporating recent innovations and developing the 3D Secure 2.0 specification, with the objective of improving security when smartphones are used for online transactions, for example in-app, Android Pay and Apple Pay.
Driving for authentication ecosystem evolution - Why is there a change in the field of banking authentication? Here are two of the main drivers:
As customers become increasingly educated with regards to mobile payments, they start to share their trust with new actors in the ecosystem. Browsing the internet with a smartphone is quickly becoming ‘the new normal’; the caveat in this scenario is that end users will not necessarily care about the technology used to pay or to authenticate to a banking application, as long as the process is easy, fast and successful, and is (perceived to be) secure. Many will not see the difference between a complicated mobile payment/banking app and the simplest game app, and will expect the same reliability, convenience and speed.
In such a dynamic environment, governmental bodies are stepping in to make sure the game is fair to everybody. In Europe, the EU Directive on Payment Services PSD2 was recently passed by the European Parliament. This directive eases the path for non-traditional actors to provide access to the (bank) account of consumers. New rules have been designed to allow access to payment account information via third parties. At the same time, the strength of end user authentication performed by these third parties needs to be guaranteed.
In some other countries this is not done by formal regulation, but we see a self-regulating market. E.g. in Australia, the Australian Bankers’ Association (ABA) has developed guidelines for electronic banking, security and the authentication practices to be chosen. This is impacted by the 2014 Customer due diligence law, which mandates all reporting entities to identify and verify each of their customers, for broader risk considerations.
Evolution in the authentication approach
User experience and security are often on opposite ends of the scale. As the offer of new online services increases, consumers are forced to remember a larger number of username/password combinations and to have several OTP generators on their keychain, depending on the authentication method requested by the service.
In that sense, the traditional mindset of requesting strong authentication for all steps or actions taken by an end user during their journey in an online service is not scalable for two main reasons. Firstly, users cannot realistically remember the credentials for all their services - just think how many we’re required to memorize: PINs, usernames, passwords, telephone numbers, the list goes on! Average users may write down these passwords somewhere, or reuse the same password for multiple services. Secondly, consumers are becoming more mobile every day, which creates the need to have information accessible with the smallest possible number of clicks/taps. Therefore, requesting strong authentication for access to basic information is harmful to the user experience.
Risk based authentication:
An increasingly used concept is risk based authentication. Knowing that different operations have different risks and that user experience is a critical factor for success for the new generation of online consumers, banks and other online service providers should realize that a much better user experience can be achieved if focus is not only given to “how” end users are authenticated, but also “when” they are authenticated with a certain level of assurance.
Although risk based authentication is presented as a very promising alternative to the traditional mechanisms, its results do not provide a definitive authentication outcome, as it is mostly based on probabilistic frameworks such as behavioral biometrics or device characteristics. Therefore, it is essential to assign the correct level of assurance to the authentication method. Using money transfer as an example, the level of assurance provided by risk based authentication can be assessed as sufficient to enable end users to transfer money up to a certain amount; above this threshold, end users will be requested to step up their authentication level by using a stronger authentication method.
Technologies and strategies being applied in banking authentication
- Biometrics – widely used on mobile devices, biometric authentication became popular especially with the introduction of Apple Pay, Samsung Pay and Android Pay. Biometrics comes into play during a payment where e.g. the fingerprint is used as the Cardholder Verification Method (CVM), which is allowed by the payment schemes, since they do not prescribe that the CVM must be a PIN. Other examples of biometric authentication are voice and facial recognition.
- Geo-location – conventionally used by financial institutes and card schemes to support authorization of in-store card payments, geo-location is used to determine whether the transaction was initiated from the domestic country (or region) of the issuing bank or from a different region.
- Out of band authentication – authentication of an end user does not have to be limited to one channel, network or device. A combination could be used to establish the authenticity of the entity; this process is known as out of band or 2nd channel authentication, useful in preventing several forms of hacking and fraud because fraudsters typically only hack into one of the channels.
- Risk based authentication - a natural evolution from risk based fraud detection, this strategy can be used to enable a seamless authentication experience for the end user. Typically, the specific devices, logon habits, geo-location and personal information such as email addresses, phone numbers and accounts of the end user are profiled. With this information, anomalies can be detected and a level of risk can be established to make an informed decision to allow, reject, or prompt for additional authentication with a particular Level of Assurance.
- Federated authentication – federated authentication aims to offer consumers a more seamless experience across multiple online domains, organizations and parties. A seamless experience could be offered to consumers by a Single Sign-On (SSO) where an end user authenticates to a federated identity provider and receives an authentication token which is valid across multiple domains related to the same federated identity provider.
- FIDO alliance – (fast identity online) strives to unify the approach towards authentication by developing open, scalable and interoperable technical specifications, while reducing the need for usernames and passwords. For more information, please refer to the UL whitepaper FIDO authentication implementation.
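The risk based authentication and step-up mechanism described above (a risk level derived from profiled devices, logon habits and geo-location, a threshold amount above which a money transfer requires a stronger method, and a decision to allow, reject or prompt for step-up with a particular Level of Assurance) is shown below as a worked example. This is example code added here, not code from the original article or from UL; the LoA scale, the method-to-LoA mapping, the risk weights, the 500.0 transfer threshold and the profile/session fields are all assumptions chosen for illustration, not calibrated values.

```python
from dataclasses import dataclass
from enum import IntEnum


class LoA(IntEnum):
    """Level of Assurance an authentication outcome provides (assumed scale)."""
    NONE = 0
    LOW = 1     # one knowledge factor, e.g. username/password
    MEDIUM = 2  # LOW plus a risk profile consistent with the user's history
    HIGH = 3    # a strong second factor: OTP, biometric CVM or out-of-band confirmation


# Assurance each explicit authentication method yields on its own (assumed mapping).
METHOD_LOA = {
    "password": LoA.LOW,
    "otp": LoA.HIGH,
    "fingerprint": LoA.HIGH,
    "out_of_band": LoA.HIGH,
}

TRANSFER_STEP_UP_THRESHOLD = 500.0  # hypothetical amount above which step-up is required
REJECT_SCORE = 80                   # risk score at or above which the session is rejected (assumed)
TRUSTED_PROFILE_SCORE = 30          # below this score a password login is trusted at MEDIUM (assumed)


@dataclass
class Profile:
    """What the bank has learned about this user over previous sessions."""
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: range  # local hours at which the user normally logs on


@dataclass
class Session:
    """Signals observed for the current session (constructed for the example)."""
    device_id: str
    country: str
    hour: int
    methods_used: tuple  # authentication methods completed so far in this session


def required_loa(operation: str, amount: float = 0.0) -> LoA:
    """Assurance each operation needs, kept separate from the operation's own processing."""
    if operation == "view_balance":
        return LoA.LOW
    if operation == "transfer":
        return LoA.MEDIUM if amount <= TRANSFER_STEP_UP_THRESHOLD else LoA.HIGH
    if operation == "change_contact_details":
        return LoA.HIGH
    raise ValueError(f"unknown operation: {operation}")


def risk_score(profile: Profile, session: Session) -> int:
    """Score anomalies in the session against the profile; weights are illustrative."""
    score = 0
    if session.device_id not in profile.known_devices:
        score += 40
    if session.country not in profile.usual_countries:
        score += 40
    if session.hour not in profile.usual_hours:
        score += 20
    return score


def achieved_loa(profile: Profile, session: Session) -> LoA:
    """Assurance the session has reached: explicit methods plus the (probabilistic) risk profile."""
    loa = max((METHOD_LOA[m] for m in session.methods_used), default=LoA.NONE)
    if loa == LoA.LOW and risk_score(profile, session) < TRUSTED_PROFILE_SCORE:
        loa = LoA.MEDIUM  # profile evidence is probabilistic, so it never promotes beyond MEDIUM
    return loa


def decide(profile: Profile, session: Session, operation: str, amount: float = 0.0) -> tuple:
    """Return ("allow" | "step_up" | "reject", LoA the operation requires)."""
    needed = required_loa(operation, amount)
    if risk_score(profile, session) >= REJECT_SCORE:
        return ("reject", needed)
    if achieved_loa(profile, session) >= needed:
        return ("allow", needed)
    return ("step_up", needed)  # the caller prompts for a method that yields `needed`


if __name__ == "__main__":
    alice = Profile(frozenset({"dev-A"}), frozenset({"NL"}), range(7, 23))
    usual = Session("dev-A", "NL", 10, ("password",))
    print(decide(alice, usual, "view_balance"))        # ('allow', <LoA.LOW: 1>)
    print(decide(alice, usual, "transfer", 200.0))     # ('allow', <LoA.MEDIUM: 2>)
    print(decide(alice, usual, "transfer", 2000.0))    # ('step_up', <LoA.HIGH: 3>)
    stepped = Session("dev-A", "NL", 10, ("password", "otp"))
    print(decide(alice, stepped, "transfer", 2000.0))  # ('allow', <LoA.HIGH: 3>)
    odd = Session("dev-B", "BR", 3, ("password",))
    print(decide(alice, odd, "view_balance"))          # ('reject', <LoA.LOW: 1>)
```

Two design points carry the article's argument: `required_loa` holds the assurance requirements apart from the operations themselves, so a threshold or a new method changes one table rather than every process, and `achieved_loa` caps what the risk profile alone can prove, so a transfer above the threshold always triggers an explicit step-up regardless of how familiar the session looks.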
Creating a winning authentication strategy
The authentication possibilities are increasing continuously and it is important that banks choose a strategy which is future-proof.
We have identified three concepts, which you, as a bank, need to consider when determining your authentication strategy and ensure you’re ready for the future:
- Step-up authentication
- Risk based authentication
- Federated authentication
Click here to read all about these concepts in our recent whitepaper on Authentication.
To realize each of the three concepts, the following mindset and architecture changes need to be accomplished; with these in place, we are confident you have the winning formula:
- Disentangle authentication from processes
- Assign different Levels of Assurance to your authentication methods
- Ensure your architecture is flexible by making it modular
- No matter what you do, put the user experience high on the requirements list
- Keep informed on the latest authentication methods