I decided to review this blog in Finextra that discusses the upcoming dependence of mobile for authentication in three parts, The Problem Setup, The Recommended Cure, and Mercator Quick Analysis. However I’ll telegraph my conclusion, more authenticators need to use the biometrics already available on many mobile devices or consumer adoption will suffer.
The Setup:
“The understanding within the sector of the need for better authentication practices is growing. We can see this reflected in the latest regulations pertaining to fintech and IAM. The Payment Card Industry Data Security Standard (PCI DSS) now requires MFA around applications and infrastructure supporting and processing payment card data. Similarly, new mandates from theNew York Department of Financial Services (NYDFS) require certain covered enterprises to move beyond legacy authentication solutions and implement robust authentication protocols that support MFA and a federated architecture.
The latest milestone in this trend of evolving IAM standards was the release of a report by the National Institute of Standards and Technology (NIST) on Digital Identity Guidelines. NIST’s Special Publication 800-63 wipes away most old password rules and places the burden of securing access in the hands of identity protection technology. For all federal agencies and government suppliers, NIST standards mandate the use of Multi-Factor Authentication (MFA) for privileged access and remote access to the network
In an effort to address today’s risks nearly all standards have recognized that we can no longer secure access to networks with single-factor authentication like simple passwords. ”
The general gist here is 100% accurate – passwords have become useless as a form of protecting an account of any significant value. That said, while I wish more businesses would pay attention to NIST, very few actually do. Government agencies will mandate NIST compliance and this will certainly require authentication solution suppliers to pay attention, those suppliers will also need to align with other approaches.
The Recommended Cure
“What the financial industry needs is a model that can transcend the user experience-security schism, a solution that can offer both seamless access and strong security.
The little known secret is that nearly all employees of financial institutions as well as their clients, already own at least one powerful cryptographic device.
You guessed it: their smartphones.
Personal phones can be leveraged into creating a robust and easy to use, password-less authentication system for nearly any financial institutions. Known as “Bring Your Own Device” or BYOD, the system circumvents all of the security and logistical challenges associated with traditional authentication models. All of this leaves enterprise networks safer–and with substantially lower operating costs.
The benefits of integrating the BYOD scheme into networks are essentially three fold:
Better user experience – no one needs to be taught how to use their smartphones. Password-less solutions such as push notifications and similar applications can be streamlined into large scale use with relative ease and speed.
Minimizing costs – BYOD means users are already equipped with the necessary hardware. This means no need to invest in expensive devices that are needed for other authentication alternatives such as hardware tokens and biometric sensors. Additionally, companies will save on resources that go to help desk calls as well as the employee downtime and man hours of fixing account lockouts and resetting passwords.
More secured – Tying digital access to a physical device (that users are already carrying around with them) means authentication cannot be attained through credentials alone. Eliminating passwords from the equation means that there is nothing for potential attackers to steel in order to gain illicit access. Furthermore, password-less apps are far better at protecting against hackers’ attempts to intercept communications and impersonate digital identities.
Password-less BYOD is the next big step for the fintech industry. The BYOD approach to authentication is a win win scenario that both supports the authentication needs of the modern financial institution while reducing cost and improving user experience.”
Mercator Quick Analysis
Mercator has written widely on this topic, including a forecast that predicts the decline of passwords as mobile devices take over the role of authenticating the user written in January 2017 and a deep dive into how we expect behavioral biometrics will play an important role in that transition.
Mercator has heard a range of differing opinions on this, most of which focus on the problems associated with a broken, lost or stolen mobile handset. Arguments based on this premise are baseless in that this problem is common for most authentication mechanisms and must be addressed in the deployment plans. Taking into account how the authentication mechanism will be transferred or re-provisioned when a new mobile device is acquired is a core requirement, as is resolving lost/stolen situations. Mercator believes the key attribute that is likely to limit consumer adoption of biometrics is the broad adoption by authenticators (Google, Facebook, LinkedIn, Salesforce, etc.) of just a few mobile authentication solutions and in January 2017 we predicted FIDO might become the most popular implementation standard.