When bankers and their customers are asked about their online or mobile identity authentication preferences, increasingly they are answering “All of the above. As many options as possible.” Clearly, user names and passwords are not sufficient to adequately secure the most sensitive online transactions. That’s why two-factor authentication point solutions are now used for transactions that need that extra layer of protection. These solutions have been effective in reducing online fraud, but they are cumbersome for the customer and expensive for the provider.
While layered security is just now taking root in banking, it already has a solid pedigree in the security world. International air travelers are familiar with having their passports reviewed by border control officers and answering a few questions, but there are many more security layers they don’t see. The point is not just to catch culprits in the attempt but to create such a formidable defense that they are foiled in their efforts and deterred in the future.
In online banking, the points of vulnerability are users, devices, applications, networks and data. Bank mobile security must continually answer two main questions:
The primary challenge for financial institutions is to answer the first question confidently while balancing the customer experience for consumers using online and mobile channels.
There is now a vast array of new technologies and techniques available to check the authenticity of a user and increase identity confidence. Two of the most common factors are “something you know” such as passwords or PINs and “something you have” (card, token, or device). Getting increasing attention and investment is a third: “something you are” – referring to physical or behavioral biometrics such as face, fingerprint, voice, keystroke, and iris. Most smartphones already have face and voice authentication capabilities today, and the new iPhone 5S now has an integrated fingerprint device for user authentication.
Beyond these three authentication factors, there are other security layers available. One is analytics of usage behavior: GPS location (i.e., “where you are”), along with activity date/time and the user’s own activity trends. To the extent these checks can be conducted unobtrusively “in the background”, they can significantly enhance security without compromising the customer experience.
Another layer is the network itself. Unisys Stealth™ adds the layer of managing who has awareness that the IT systems, data or assets even exist (you can’t hack what you can’t see). It’s vitally important to safeguard data on the network. Traditional methods of encryption help, but more needs to be done in a world where the chances of a customer being hacked when trying to execute an online transaction are becoming higher. Stealth™ provides network security by encrypting data-in-motion and darkening endpoints, as well as compartmentalizing data centers using Communities of Interest instead of physical infrastructure.
Organizations may also choose to ensure that certain mobile applications are managed in such a way that only users with the appropriate credentials are able to access them. Unisys Stealth™ for Mobile uses advanced data cloaking and encryption techniques to render devices, servers, data and end users invisible on the network. The solution renders applications visible only to authorized users because it containerizes individual applications on a device – enabling fine-grained security controls to be applied to individual applications. This adds a management/security layer to a mobile app without requiring any changes to the application, enabling management and security at the application level rather than just at the device level.
Financial institutions can take advantage of these emerging technologies by implementing a flexible, enterprise multi-factor authentication approach at a time when identity confidence is more important than ever. This approach makes it easy to introduce new methods of authentication, applies intelligent authentication that adapts the method to the confidence level required, and is ideally suited to the new biometric authentication methods. It also includes a standardized means of interfacing with the financial institution’s risk analysis methods, so that the parameters governing how transactions and user requests are handled can be set dynamically.
This flexible multi-factor authentication approach has another customer benefit: the customer can decide how much security they wish to establish, and for what purposes. Many customers still have misgivings about the security of online and mobile banking. Once the bank has set authentication levels to its own satisfaction, there is nothing stopping it from offering customers the option of setting those levels higher, or of tweaking the profile: for example, instead of requiring higher authentication whenever I am overseas, requiring it when I am overseas and not in the following 3 countries. It is not unusual for new customers to want higher levels until they become comfortable with the technology, or after a highly publicized intrusion.
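The two preceding paragraphs describe a risk-based policy: the bank’s risk analysis scores a request from context signals (location, device familiarity, time of day, transaction value), maps the score to a required confidence level, and the customer may layer their own preferences on top, such as the “overseas but not in these 3 countries” rule. The following is an added illustration of such a policy engine; it is not Unisys code or the product’s API, and every signal, threshold, factor name and country code in it is an assumption chosen for the demonstration.

```python
"""Adaptive multi-factor authentication policy (constructed example, not Unisys code).

Bank-side risk analysis scores an attempt from context signals, maps the score to a
required confidence level, and then applies the customer's own preferences.
All signals, thresholds, country codes and factor names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Factor combinations the bank has decided satisfy each confidence level (assumed mapping).
LEVEL_FACTORS: Dict[int, List[str]] = {
    1: ["password"],                                # something you know
    2: ["password", "device_token"],                # + something you have
    3: ["password", "device_token", "biometric"],   # + something you are
}


@dataclass
class RiskParameters:
    """Tunable inputs from the institution's risk analysis; may be changed at runtime."""
    large_amount: float = 1_000.0        # transaction value that adds risk
    very_large_amount: float = 10_000.0  # value that adds further risk
    quiet_hours: range = range(0, 6)     # local hours treated as unusual activity
    level2_threshold: int = 2            # minimum score that requires level 2
    level3_threshold: int = 4            # minimum score that requires level 3


@dataclass
class CustomerProfile:
    home_country: str
    # Countries the customer exempts from the full overseas step-up ("not in these 3 countries").
    trusted_countries: Set[str] = field(default_factory=set)
    extra_step_up: int = 0               # customer-chosen increase in the required level


@dataclass
class AttemptContext:
    country: str          # geolocated country of the session ("where you are")
    known_device: bool    # device previously enrolled for this user
    hour_local: int       # local hour of the attempt, 0-23
    amount: float = 0.0   # value of the requested transaction; 0 for a plain login


def risk_score(ctx: AttemptContext, profile: CustomerProfile, params: RiskParameters) -> int:
    """Bank-side risk analysis: each unusual signal adds to the score."""
    score = 0
    if ctx.country != profile.home_country:
        # Overseas but in a customer-nominated country counts for less than elsewhere.
        score += 1 if ctx.country in profile.trusted_countries else 2
    if not ctx.known_device:
        score += 1
    if ctx.hour_local in params.quiet_hours:
        score += 1
    if ctx.amount >= params.large_amount:
        score += 1
    if ctx.amount >= params.very_large_amount:
        score += 1
    return score


def required_level(score: int, profile: CustomerProfile, params: RiskParameters) -> int:
    """Map the score to a confidence level, then apply the customer's step-up, capped at 3."""
    if score >= params.level3_threshold:
        base = 3
    elif score >= params.level2_threshold:
        base = 2
    else:
        base = 1
    return min(3, base + profile.extra_step_up)


def required_factors(ctx: AttemptContext, profile: CustomerProfile,
                     params: RiskParameters = RiskParameters()) -> List[str]:
    """Factors the user must present before the request is allowed to proceed."""
    return LEVEL_FACTORS[required_level(risk_score(ctx, profile, params), profile, params)]


if __name__ == "__main__":
    # Constructed customer: based in the US, content with a lighter check from GB, CA or MX.
    customer = CustomerProfile(home_country="US", trusted_countries={"GB", "CA", "MX"})
    print(required_factors(AttemptContext("US", True, 14), customer))
    print(required_factors(AttemptContext("GB", True, 14), customer))
    print(required_factors(AttemptContext("FR", False, 2, amount=15_000), customer))
```

Because the thresholds live in `RiskParameters` rather than in the scoring code, the institution’s risk team can tighten or relax the policy (for instance after a publicized intrusion) without touching the authentication logic, and the customer’s `extra_step_up` and `trusted_countries` are applied after the bank’s own minimum, so a customer can only make the check stricter, never weaker.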
Finally, it needs to be stressed that when regulators ask financial institutions to disclose the types of security measures they use, you can be sure they won’t be content with a user name and password, but will look favorably on multiple layers that flexibly employ the full range of available security tools.