Multi-Factor Authentication in Financial Services

A strong and reliable authentication process is the cornerstone of any security system. Other elements are, of course, important, such as secure connections to systems and appropriate encryption of data so that it remains protected. However, unless the identity of a user can be confidently verified by a good authentication process, the other security controls become irrelevant: they protect the data from everyone except the impostor who has been let in.
Components of authentication, called ‘factors’, generally fall into one of three categories of credentials: ‘what you know’ (a password), ‘what you have’ (a token or a mobile phone) and ‘what you are’ (a fingerprint or an iris scan). Multi-factor authentication (MFA) is where more than one method of authentication, drawn from independent categories of credentials, is used to verify a user’s identity. Each additional independent factor makes the authentication stronger, because an attacker must compromise every factor rather than just one. For example, if a user must authenticate with a password and a token, an attacker may have obtained the password but will not have the physical token if they are in a different physical location. Both components are required to authenticate, so obtaining only one of them does not let the attacker validate the identity.
Financial regulators understand the importance of MFA and often recommend that financial companies implement such methods. For example, the Hong Kong Monetary Authority (HKMA) states in its e-banking guidelines that Hong Kong financial institutions ‘should select reliable and effective authentication techniques to validate the identity and authority of their e-banking customers. Customer authentication is usually stronger when combining the following two factors: something a customer knows (e.g. user IDs and passwords); and something a customer has (e.g. one-time passwords generated by a security token etc.)’.
Many financial service providers have therefore adopted two-factor authentication (2FA), using a password together with either a token or an additional security code (usually referred to as an ‘OTP’, for ‘One-Time Password’) sent to the user’s mobile phone. Some also implement two-level authentication, which is different from 2FA: it requests two components of the same category (e.g. two passwords). Because both components can be captured by the same attack, such as a keylogger or a phishing page, two-level authentication does not give the protection of a second independent factor.
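As an added illustration of the password-plus-OTP scheme described above (example code written for this page, not APrivacy’s product or any bank’s implementation), the following Python verifies both factors on the server side: the password is checked against a PBKDF2 hash, and the six-digit code is checked as a TOTP computed per RFC 4226/6238 from a shared secret. The user record, salt and password are constructed for the demo, and the secret is the RFC test-vector seed rather than a real credential. The check tolerates one 30-second step of clock drift and refuses to accept a code for a step that has already been used, which is what makes the ‘one-time’ in OTP true at the server, not just at the token.

```python
import hashlib
import hmac
import struct


# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the Unix epoch.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


# 'What you know' is stored as a salted PBKDF2 hash, never as the password itself.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo user. SECRET is the RFC 4226/6238 test-vector seed, not a real credential.
SECRET = b"12345678901234567890"
SALT = b"constructed-demo-salt"
USER = {
    "name": "alice",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": SECRET,
    "last_counter": -1,  # highest TOTP step already accepted; replay guard
}


def authenticate(user: dict, password: str, code: str, unix_time: int,
                 step: int = 30, window: int = 1) -> bool:
    """Both factors must pass. The password check is not short-circuited when the
    code is wrong, so response time does not reveal which factor failed."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])

    counter = unix_time // step
    matched = None
    # Accept codes from one step either side of 'now' to tolerate clock drift.
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            matched = c
    # A code whose step was already consumed is a replay, even if it is still in the window.
    otp_ok = matched is not None and matched > user["last_counter"]

    if pw_ok and otp_ok:
        user["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    now = 59  # RFC 6238 test vector time; the code for this step is 287082
    print("code for step", now // 30, "is", totp(SECRET, now))
    print("login:", authenticate(USER, "correct horse battery staple", totp(SECRET, now), now))
    print("replay:", authenticate(USER, "correct horse battery staple", totp(SECRET, now), now + 11))
```

Note that the second call in the demo fails even though the code is still within the drift window: the server remembers the last accepted step, so an OTP captured from the user cannot be reused by a third party. Without that state the code is merely ‘short-lived’, not one-time.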
Financial organisations must comply with regulation and keep their systems and data protected. The main challenge lies in implementing appropriate security without compromising the user experience, given users’ high expectations of digital services. When users are asked to remember complex passwords or to keep a token at hand just to check their account balance, it creates points of friction.
Biometric authentication, which uses the third category, ‘what you are’, has become more popular in recent years as the technology has matured and the infrastructure needed to collect biometric data in the first place has been built for certain use cases. However, the user experience has its own issues: enrolling biometric factors, such as recording each user’s voice or capturing their fingerprints, can take a long time and is often impractical given the large number of customers being served.
Biometric authentication also raises a further issue: it is based on the probability of a match (e.g. between your voice on record and your voice during a phone call), unlike a password or a token, which produce a binary result (match or no match). The matcher compares a similarity score against a threshold, so it can produce false positives (the system incorrectly accepts a biometric sample as a match) or false negatives (the system rejects a valid biometric sample). Lowering the threshold reduces false negatives at the cost of more false positives, and raising it does the opposite, so the threshold must be chosen for the level of risk the organisation is willing to accept.
Financial services organisations must choose the number of authentication factors to implement according to the level of security required, the data they aim to protect, their infrastructure and the costs incurred. Depending on the circumstances, one factor can be enough, but often two or even three factors are needed. However, each additional factor adds a step to the authentication process, which can quickly diminish convenience for the user.
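To make the biometric trade-off concrete, here is an added Python example (written for this page, not taken from the author or any vendor) that models a biometric matcher as a similarity score compared against a threshold, and sweeps that threshold over two constructed sets of scores, genuine attempts and impostor attempts, to compute the false acceptance rate (FAR, the false positives above) and the false rejection rate (FRR, the false negatives). The score lists and the threshold grid are invented for illustration; a real deployment would measure them on enrolment and test data. A password check is included only to show the contrast with a binary comparison.

```python
import hmac

# Constructed similarity scores in [0, 1]; higher means the probe looks more like the
# enrolled template. These numbers are invented for the illustration.
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.74, 0.69, 0.62, 0.55]   # same person
IMPOSTOR = [0.10, 0.18, 0.25, 0.31, 0.40, 0.47, 0.53, 0.60, 0.66, 0.72]  # different person

# Candidate operating points, 0.00 to 1.00 in steps of 0.05.
THRESHOLDS = [round(i * 0.05, 2) for i in range(21)]


def password_matches(stored_hash: bytes, presented_hash: bytes) -> bool:
    """A password check is binary: the two digests are equal or they are not."""
    return hmac.compare_digest(stored_hash, presented_hash)


def accept(score: float, threshold: float) -> bool:
    """A biometric decision is a threshold on a score, never an exact comparison."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """FAR: fraction of impostor attempts accepted (false positives).
    FRR: fraction of genuine attempts rejected (false negatives)."""
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds=THRESHOLDS):
    """(threshold, FAR, FRR) for every candidate operating point."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds=THRESHOLDS):
    """Threshold where FAR and FRR are closest; a common single-number summary."""
    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)


def threshold_for_max_far(genuine, impostor, max_far, thresholds=THRESHOLDS):
    """Lowest threshold whose FAR is within budget, and the FRR paid for it.
    A bank usually fixes the FAR it can tolerate first and accepts the
    resulting friction for legitimate customers. Returns None if no
    threshold in the grid meets the budget."""
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {far:.1f}  FRR {frr:.1f}")
    print("equal error rate at threshold", equal_error_threshold(GENUINE, IMPOSTOR))
    print("threshold and FRR for FAR <= 10%:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.1))
```

Running the sweep shows why there is no threshold that is simply ‘correct’: at 0.50 no genuine customer is rejected but 40% of impostors get in, at 0.80 no impostor gets in but half of the genuine attempts fail, and the two rates only meet in the middle. Which point to operate at is a risk decision, not a property of the sensor.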
APrivacy security solutions address many of these authentication headaches for financial services organisations, allowing them to provide a seamless user experience while meeting regulations. For example, APrivacy enables two-factor authentication on encrypted content such as eStatements sent to customers, while removing the need for passwords or tokens. APrivacy also integrates with existing biometric authentication systems, such as a digital thumbprint, so that a third factor can easily and dynamically be offered to customers when required.
If you would like to learn more about APrivacy, please contact us.

About APrivacy

Digital Security Perfected – APrivacy Ltd. is an award-winning company which combines military-grade data security with a seamless user experience on any platform, any device, anywhere. APrivacy Ltd.’s enabling technology now allows the financial services industry to confidently communicate with clients using their favourite channels leading to increased revenues and reduced costs while meeting the strictest regulatory requirements.