Caught within a shifting threat landscape, a tighter regulatory environment and a seismic shift in customers’ banking preferences – and their tolerance for security – financial institutions globally realize the digital authentication approach is dangerously flawed. The problem is: These same institutions fear inconveniencing their customers. It’s time for security and fraud leaders to accept that there are now too many legitimate banking credentials available to fraudsters, and any digital authentication system that relies on static usernames and passwords and knowledge-based question and answer (KBA) technologies/solutions is the equivalent of leaving the vault door open.
In a recent report, “The Future of Adaptive Authentication in the Financial Industry.” OneSpan explored the challenges in authentication practices and strategies, as well as the growing tension between improving security, reducing fraud and enhancing the digital customer experience among financial institutions. It’s clear from the survey responses that far too many institutions remain beholden to usernames and passwords for authentication—96 percent of organizations still rely on legacy processes tied to username and passwords for authentication.
Other key findings revealed 44 percent of respondents have too many disparate tools, which are challenging to coordinate security effectively. Additionally, 44 percent are challenged by the use of legitimate credentials exposed in data breaches and social engineering schemes in account takeover attempts.
The survey results revealed that more than 60 percent of respondents plan to invest in new multifactor authentication technologies in 2019, including those that rely on biometrics and AI/machine learning in an effort to overcome security issues face by financial institutions and their customers.
What are the biggest obstacles to improving authentication? There are two parts to it. One is the complexity of the technology and the solutions. Forty-four percent of financial institutions have too many disparate tools dedicated to multifactor authentication, which are challenging to coordinate effectively. Also, among financial institutions, there are too many different solutions that were never designed to work together, vendor approval and implementation takes a long time, and then getting it all to work together is also challenging.
The second part of adding new technology into a bank is the impact on the customer experience. The report reveals that nearly one-third of existing customers want a better customer experience as one of the biggest drivers to improve authentication and retain existing customers. Its long been believed – and often accepted – that banking customers will always choose convenience over security. Many customers value quick access to their accounts over any kind of security measure that will confirm their identity and momentarily delay that access. That may have been true before the massive data breaches at Yahoo and Equifax. But now, when even casual consumers know their identities and credentials are readily available in the Dark Web, smart customers don’t mind their institutions taking extra steps to authenticate identities and validate transactions. Every transaction requires the same level of risk-based analysis. And that’s the promise of the latest innovations in adaptive authentication – that it will provide the precise level of security to the transaction at the right time. At a time when security controls have matured, and when artificial intelligence and machine learning are fueling a new era of effective analytics, banking and security leaders no longer need to choose between customer convenience and security. They can get both.
You can accept a fair amount of fraud losses when you balance them against “what does it cost if you lose a customer if they have a bad experience?” If they can’t access their funds or complete transactions, you may lose that customer for life. So there is an understandable concern about how do we achieve both at the same time.
But look at the technology advances of the last few years, they’re mind-blowing. You can look at situations and say “This is an odd time for this person to do a transaction,” or “It’s an odd transaction.” The landscape for authentication has changed, and the number of data points have increased dramatically. The advancement in technology allow institutions to reduce false positives, identify fraud that they weren’t catching in real time and achieve those mutual goals. And that’s where authentication – the adaptive part of it – has really changed.
The good news is that as fast as the threat environment is moving, there are lots of great technologies coming to bear that can help with better authentication as long as we can figure out a way to help advise institutions to get them deployed in a timely manner.
About the Author:
Tim Bedard, Director of Security Product Marketing, OneSpan:
Tim Bedard is responsible for OneSpan’s Trusted Identity Platform security solutions for financial services. With more than twenty years of IT security experience, Tim has successfully launched multiple cloud-based security, compliance and identity and access management (IAM) offerings with responsibilities for strategic planning to go-to-market execution. Previously, he has held leadership positions in product strategy, product management and marketing at SailPoint Technologies, RSA Security and CA Technologies. Tim is active security evangelist at industry leading tradeshows and events.
