The financial services sector is evolving rapidly: increasing and changing customer expectations, a radical shift towards digital channels (mobile), a tsunami of new regulations (PSD2, GDPR, MiFID2, Dodd-Frank act…), new technological evolutions
(e.g. IoT), increased competition from FinTech players…
These rapid evolutions force banks to quickly deliver new, innovative and compelling financial services, with an excellent and frictionless user experience. At the same time the financial services sector should be careful
not to jeopardize the trust of its customers. This means customers should be confident that their transactions will be correctly executed and that their financial information is safe with their bank. Security is essential in this story, but
ensuring security is easier said than done, given that the financial services sector is the biggest target of cybercriminals in recent years (in the UK payment and financial services account for about 75% of the cyber-attacks).
Malware, phishing, social engineering and fraud attacks are increasing year after year, new mobile technology attack methods such as mobile spoofing and cloning are used more and more, and every day a security breach occurs in the financial services sector.
Such breaches do not only result in financial loss, but considerably damage both the customers and the bank, as financial data is some of the most sensitive information stored on the Internet. Today the yearly cost of online identity fraud is estimated to be more
than a trillion dollars.
The first step in ensuring security is authentication, i.e. verifying that someone is who he says he is (and not someone who has stolen that identity). For the financial services industry, having a secure but user-friendly authentication
process is no longer a nice-to-have, but a necessity.
The current authentication methods, which are typically based on passwords, however meet neither of these objectives: passwords give a poor user experience and are not at all secure.
Banks traditionally invest heavily in authentication solutions. With spending of over $1 billion a year (representing approximately 30 percent of the total security budget of banks), banks are the leading investors in these technologies.
In this blog, I hope to demonstrate that these investments are likely to increase even more in the coming years, as banks will struggle to provide authentication methods which are both secure and frictionless.
Securing financial services is however more than just authentication. Typically, we can identify 4 steps in providing access to a service for a person:
Identification: before providing a user with credentials (e.g. passwords, certificates, hardware tokens or enrolled biometrics), a bank should verify that the digital user matches the physical person. For most websites, this step is skipped, meaning
anyone can create fake accounts or accounts in the name of someone else.
Banks are however strong in this step, since they are forced by regulators to perform a KYC step (Know Your Customer) in their customer onboarding process. This step verifies and validates the identity of the customer.
Authentication: authentication is the step to ensure that a user is who he says he is. This typically requires logging in with a password (only known by that person) or with a more complex technique like biometric authentication.
Authorization: after the user has been authenticated, the authorization step will determine what the user can access.
Accounting: accounting is the process of recording each access to a resource. It will typically store information such as when a given user accessed which information. This information helps to investigate fraud cases or other types of security
In this blog, I will focus on "Authentication", although the "Identification" step will also be covered, since authentication preceded by a good identification process results in far better security. Since banks and
governments are currently nearly the only players in the market to offer this combination, it can be considered a true asset for the banks.
As mentioned in the "Introduction", investments in new (more secure and more user-friendly) authentication techniques (multi-factor and risk-based authentication methods) are likely to increase considerably.
This evolution is driven by several trends:
Increased and changing customer expectations: customers perform their banking activities more and more digitally and expect a frictionless user experience, which is available in real time, 24/7 and multi-channel and supports cross-channel continuation.
This requires authentication mechanisms which are very user-friendly and adapted to each channel (e.g. using face recognition might be difficult on Internet Banking since not every desktop PC is equipped with a good camera, while this type of authentication
is very suitable for Mobile Banking).
Shift in customers’ awareness: thanks to the increased coverage of cyber-security and digital (identity) fraud in the media and the unfortunate fact that more and more customers have become the victim of digital (identity) fraud, there is
an increasing public awareness of the risks associated with digital banking. Furthermore, with companies collecting data about everything we do in our life, concerns about data privacy have also increased considerably in recent years. Luckily these evolutions
have also resulted in an increasing public acceptance of technologies (like biometrics) which enable better security.
New regulations: regulators are forcing banks to invest heavily in improved authentication methods. For example, two recent European regulations in the financial services industry have a considerable impact on authentication:
GDPR (General Data Protection Regulation): GDPR requires organisations, in case of a data breach, to inform the authorities within 72 hours and all affected individuals in the shortest possible time. This considerably increases the legal and reputational risk
for banks, thus forcing them to avoid breaches as much as possible and to improve the structures in place to quickly identify abnormalities or instances of breach.
PSD2 (Revised Payment Service Directive): this regulation requires
All TPPs (Third Party Providers) to use 2-factor strong customer authentication
Banks to open up APIs for TPPs to initiate payments and retrieve account information. This opening of APIs provides a new "channel" for banks, which also needs to be properly secured.
In case of unauthorized payments, the bank will need to compensate the customer immediately (even if the TPP is responsible). Banks have therefore a strong interest to avoid unauthorized payments.
Pressure on reducing operation costs: due to the historically low interest rates and the increased competition from other banks and FinTech players, the profit margins of banks are under pressure. Banks therefore need to find ways to reduce
operational costs. Improving the authentication methods might seem a cost at first, but it can also lead to cost reductions, e.g.
Reducing chargeback requests, i.e. reducing the amount of money to be reimbursed to customers due to fraudulent payments
Efficiency improvements by automating processes, e.g.
Speed up and simplify customer onboarding through digital identity management
Automate the continuous KYC monitoring (e.g. obtain a recent copy of the customer’s identity card). This process could be automated via integration with "electronic identity card".
Automate the manual signature validation on documents (e.g. through digital signing or OCR techniques)
Automate customer identification in branches, e.g. through beacon technology at the entrance combined with new authentication technologies, the customer can be automatically selected in the branch application as soon as he enters the branch.
Calls to the bank’s call center can be simplified through customer authentication based on caller identity and voice biometrics
Technological evolutions: the recent technological evolutions provide the means, but also the need, for stronger and more user-friendly authentication methods:
Biometric reading devices are now available at accessible prices. Especially the emergence of smartphones with fingerprint sensors and high-quality cameras has paved the way for banks to use biometric technologies with no market resistance and no need
for consumer education.
The increase in the number of smart connected devices (Internet of Things) will also require a strong evolution in authentication methods.
The trend towards Single Sign-On (SSO), i.e. avoiding that the user has to authenticate multiple times for different websites/applications, but instead authenticates once and reuses this authentication.
Authentication solution as a commodity (service): with the rise of specialized security companies (e.g. OneSpan, Gemalto, Onegini, Auth0, Okta, ForgeRock…), offering their services through the cloud, authentication solutions have become
a commodity, allowing banks to deploy quickly new authentication technologies. These solutions are delivered on-demand via private or public cloud infrastructures and can be customized to the customer’s needs.
3. Multi-factor authentication (MFA)
Multi-factor authentication (MFA) requires a user to provide two or more independent authentication factors. Most common is the use of 2 independent factors, in which case we speak of 2-factor authentication (2FA).
The term "independent factors" is important. Authentication methods can be divided into 3 categories:
Something the user knows (e.g. password, PIN code)
Something the user has/possesses (e.g. card, mobile phone)
Something the user is (i.e. biometric authentication)
Using two factors from the "same" category is not considered as 2-factor authentication. E.g. combining a password with a set of "Secret Facts" (i.e. questions about the person, e.g. "Name of your first dog", "Maiden name of your mother"…)
is considered as single-factor authentication (SFA), as both factors belong to the "Something the user knows" category.
The best-known example of 2-factor authentication is paying with your debit or credit card (or withdrawing money from the ATM with those cards). The card is "something you have", while the PIN code is "something you know".
Another very common practice is sending an SMS one-time password (OTP). After you enter your username and password on a website, you get an SMS with a randomized code inside. This code must be entered on the website as well. The 2-factor authentication
is ensured by the password to be entered on the site ("something you know") and the fact that you need to have your mobile phone ("something you have").
Note: In the banking industry, the term "Strong Customer Authentication" (SCA) is often used. Officially "Strong Customer Authentication" can also be single-factor authentication, but in most regulations (e.g. PSD2) and white papers in the
banking industry, the terms "Strong Customer Authentication" and "Multi-factor Customer Authentication" are synonyms.
Even if not fully watertight, multi-factor authentication greatly reduces the chance that an attacker can steal a user’s credentials and reuse them.
Many banks, especially in the US, are however still using single-factor authentication (username/password) because of its simplicity. An evolution towards 2-factor authentication is a must-have to ensure proper security, but even such strong authentication
is gradually becoming compromised by more sophisticated online fraud attacks (e.g. man in the middle attacks). Therefore, forerunners are now starting to implement multi-factor risk-based authentication.
4. Risk-based Authentication (RBA)
Banks are starting to evolve towards risk-based authentication (the so-called layered approach), to make authentication more frictionless (i.e. avoiding that authentication burdens the customer) and more secure (2-factor authentication typically
addresses only a single threat vector) than plain multi-factor authentication. This is also referred to as context-aware authentication or adaptive authentication.
This type of non-static authentication system uses the following techniques:
Instead of having the same authentication for all requests, the complexity of authentication will be based on the risk profile of the request.
The risk profile of a request will be based on multiple factors, e.g.
The risk profile of the customer, e.g. wealth of the customer, age of the customer, knowledge of the customer about cyber-security, the shopping habits of the customer, i.e. does the customer shop often on online websites which are less secure… An important
factor here is also how long the customer has been with the bank, since studies have shown that fraud risk is considerably higher in the first 90 days after onboarding a new customer.
The type of the transaction, e.g. viewing a balance is less risky than initiating a payment and initiating a payment to a known counterpart is less risky than to an unknown counterpart.
The details of the transaction, e.g. the amount of the transaction, the country of the counterpart…
Details of the device from which the transaction is made, e.g. a mobile phone could be considered safer than a PC. But more complex details can also be considered, i.e. the operating system of the device (iOS can be considered more secure than Android,
due to the tighter control of Apple over its App Store), version number of the browser, type of browser (e.g. if user always uses a specific browser and now uses another browser) …
Geo-Location: if the request is made from a mobile phone, the GPS information of the mobile phone can be associated with the request. This info can be used for the risk calculation. E.g. if the request is made from a place far from where the customer normally makes
requests from, or if the customer has made a request at one location and another request a bit later from a location which is very distant from the first one, it can be a serious indication of a fraudulent transaction.
Timing: timing can also be an important factor. By comparing the timing of a request with the typical timings the customer makes requests, it is possible to identify higher risk transactions.
Typical behavior of the customer: does the request (type of transaction, geo-location, timing…) fit with the typical behavior of the customer, i.e. is it not out-of-pattern and suspicious?
This can be linked to that specific transaction, but also to how the customer navigates through the website. E.g. if customer always starts by checking first his account details and credit card details, before making payments, it can be considered as higher
risk if customer goes straight to the payments module.
Market knowledge, i.e. if a bank is aware of a circulating hacking/phishing attack, they may want to increase temporarily the authentication requirements. This could be limited to the specific devices/locations/customer types targeted by the attack, if this
information is known.
The algorithm for calculating the risk profile should be a real-time engine, optimized to detect fraud risk as well as possible. Machine-learning and other Artificial Intelligence (AI) techniques should be leveraged
to continuously optimize this engine.
The information about detected fraud cases should also be fed to this engine, so that (automatic) continuous improvement of the algorithm can be obtained.
Instead of a single authentication at login, risk-based authentication should also foresee a system of "continuous authentication". The above real-time risk calculation should not only happen at the moment of login (using these techniques,
login could potentially even disappear), but before any action the user does (i.e. silent authentication and risk assessment are conducted in the background). At each moment, the user could be asked to provide additional authentication, if the risk profile
exceeds the confidence level associated with the authentication method(s) used up to that moment.
Continuous authentication can also be enhanced by using behavioral metrics, e.g. keyboard rhythm authentication (see below for details) and mouse movements. A smartphone could also itself provide the bank with a risk score of how
likely it is held by its normal user. This can be based on the sensor data (i.e. GPS, accelerometer, camera…) and on the activities (e.g. websites he visits) the user does on his smartphone. This score could also be used by the bank to improve security.
When the confidence level is exceeded, additional authentication can be requested, but the bank could also choose to limit the transaction (e.g. limit the transaction amount), block the transaction or cut
the complete session.
Collaborative Fraud Networks: risk-based authentication is optimized based on the available information. Cooperation between different companies (across industries) is therefore essential to share information about fraud cases. This information
allows banks to:
Feed this info into their risk-calculation engine, thus improving their fraud detection system.
Inform customers (e.g. via messages on the banking platforms) of ongoing fraud attacks.
Set up mechanisms (mail, SMS, phone) to notify customers when suspicious transactions are in progress and ask the customer to confirm (email approval, call-back verification, …) that a given transaction is valid.
All these techniques aim to increase security (weakness in one control is compensated for by the strength of a different control), while preventing unnecessary input or verification steps (i.e. additional authentication
layers are only deployed when needed), thus improving the customer experience.
These techniques are already used by the tech-giants (Amazon, Apple, Google) for a few years now and certain online merchants have even optimized this system in such a way, that they only require 2-factor authentication for 5-10% of the transactions, while
keeping the same security as if they asked 2-factor authentication for all their transactions. This has allowed them to maintain their operational risk while increasing their revenues (since the basket drop-out rate is lower, as consumers pay more easily).
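The following is an added example (not code from the original post) showing how such a real-time, continuous risk engine can be structured. Every request in a session is scored from the factors listed above (type and details of the transaction, device, customer tenure, timing, geo-location including impossible travel between two requests), the score is compared with the confidence level of the authentication methods already used in the session, and the outcome is allow, step-up or block. All weights, thresholds, confidence values and the sample customer are constructed for illustration; a bank would calibrate them from its fraud data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Confidence level (0-100) each authentication method contributes to a session
# (constructed values for illustration; a bank would calibrate these).
AUTH_CONFIDENCE = {"password": 30, "sms_otp": 50, "soft_token": 60, "fingerprint": 70}
BLOCK_THRESHOLD = 90         # score at or above which no step-up is offered
IMPOSSIBLE_SPEED_KMH = 900   # faster than an airliner between two requests


@dataclass
class CustomerProfile:
    customer_since: datetime
    usual_devices: set
    known_counterparts: set
    usual_hours: range           # hours of the day the customer normally transacts
    home_lat: float
    home_lon: float


@dataclass
class Request:
    when: datetime
    action: str                  # "view_balance" or "payment"
    device_id: str
    lat: float
    lon: float
    amount: float = 0.0
    counterpart: str = ""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two GPS positions."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def score_request(profile, req, last_req=None):
    """Risk score 0-100 for one request plus the reasons that contributed.
    Weights are constructed; in practice they come from a trained model."""
    score, reasons = 0, []

    def add(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)

    # Type and details of the transaction
    if req.action == "payment":
        add(20, "payment")
        if req.counterpart not in profile.known_counterparts:
            add(25, "unknown_counterpart")
        if req.amount > 1000:
            add(20, "high_amount")
        elif req.amount > 250:
            add(10, "medium_amount")
    # Device the request comes from
    if req.device_id not in profile.usual_devices:
        add(20, "new_device")
    # Customer risk profile: fraud risk is higher in the first 90 days
    if req.when - profile.customer_since < timedelta(days=90):
        add(15, "new_customer")
    # Timing
    if req.when.hour not in profile.usual_hours:
        add(10, "unusual_hour")
    # Geo-location: far from home, or impossible travel since the last request
    if haversine_km(req.lat, req.lon, profile.home_lat, profile.home_lon) > 500:
        add(10, "far_from_home")
    if last_req is not None:
        hours = max((req.when - last_req.when).total_seconds() / 3600, 1 / 60)
        dist = haversine_km(req.lat, req.lon, last_req.lat, last_req.lon)
        if dist / hours > IMPOSSIBLE_SPEED_KMH:
            add(40, "impossible_travel")
    return min(score, 100), reasons


def decide(score, session_methods):
    """Compare the risk score with the confidence of the methods used so far:
    allow silently, ask for an extra factor (step-up), or block the session."""
    confidence = min(100, sum(AUTH_CONFIDENCE[m] for m in session_methods))
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score <= confidence:
        return "allow"
    return "step_up"


def run_session(profile, requests, initial_methods, step_up_method="soft_token"):
    """Continuous authentication: every action is scored, not just the login.
    On step-up the user is assumed to pass `step_up_method` and the request is
    re-evaluated with the higher session confidence."""
    methods, last, outcome = list(initial_methods), None, []
    for req in requests:
        score, _ = score_request(profile, req, last)
        decision = decide(score, methods)
        if decision == "step_up":
            methods.append(step_up_method)
            decision = "step_up->" + decide(score, methods)
        outcome.append((req.action, score, decision))
        if decision == "block":
            break
        last = req
    return outcome


# Constructed sample: a customer onboarded two months ago, living in Brussels.
PROFILE = CustomerProfile(datetime(2017, 4, 1), {"phone-A"}, {"BE-landlord"},
                          range(7, 23), 50.85, 4.35)
REQUESTS = [
    Request(datetime(2017, 6, 1, 10, 0), "view_balance", "phone-A", 50.85, 4.35),
    Request(datetime(2017, 6, 1, 10, 5), "payment", "phone-A", 50.85, 4.35, 1500, "unknown-shop"),
    Request(datetime(2017, 6, 1, 11, 0), "payment", "laptop-X", 40.71, -74.0, 100, "BE-landlord"),
]

if __name__ == "__main__":
    for step in run_session(PROFILE, REQUESTS, ["password"]):
        print(step)
```

The sample session lets the balance view through on the password alone, steps up the large payment to an unknown counterpart, and blocks the third request because a new device appears in New York 55 minutes after a request from Brussels.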
5. Types of authentication
As mentioned in the chapter on "multi-factor" authentication, different types of authentication techniques exist.
These can be divided into 3 categories:
Something you know (Knowledge Factors)
Something you have/possess (Possession Factors)
Something you are (Inherence Factors)
Given that banks are evolving to risk-based multi-factor authentication, different types of authentication should be supported. The number of techniques to be supported is further increased by the fact that banks need to support multiple
channels, i.e. ATM, call center/phone banking, online banking, mobile banking, branches, payments at merchants… Given that certain authentication techniques are better suited to specific channels, it is advisable that authentication methods are
also adapted by channel, thus ensuring optimal user experience.
5.1. Something you know (Knowledge Factors)
5.1.1. Password
Passwords are still by far the most used authentication technique. This is due to their ease of use and simplicity to set up.
Passwords provide however a lot of security issues:
Passwords are difficult to scale. The more accounts a user has, the more passwords he is forced to remember. Furthermore, to be secure, passwords need to be sufficiently complex (sufficiently long and a combination of letters, digits and
special characters), not reused across different accounts and regularly changed. These security requirements make a swift authentication difficult and make it even harder for people to remember. As a result, either these safety practices are not followed or
passwords are physically recorded, often close to the authentication device (e.g. on sticky notes). Most common is the reuse of the same password for multiple accounts, e.g. a study of the website Tweakers showed that 2/3 of its users reused the same password
for multiple websites.
Passwords are not very frictionless, leading to a lot of customer frustration. A survey done in the US and the UK showed that 70 percent of the respondents are not satisfied about password-controlled access.
Passwords are easily stolen or broken through:
Dictionary, brute force or rainbow table attacks
Man-in-the-middle attacks, i.e. communication between 2 parties is intercepted by a third party
Simply watching the user when he enters his password
Social engineering, i.e. retrieving confidential information directly from the user. This can be done by contacting the user personally, via email (often called phishing) or by dumpster diving.
Bad security on certain websites (e.g. no encryption on websites, bad firewall setup…)
The annual data breach investigations report of Verizon showed that 63% of the confirmed data breaches were caused by weak or stolen passwords.
As not all services you create an account for are secure, there is a great chance that one of them will be hacked. Due to the reuse of passwords, there is a domino effect (also called "spillover effect") that more secure services are compromised.
Password security can be improved by blocking the account after X unsuccessful attempts. This addresses dictionary, brute force or rainbow table attacks, but also has considerable disadvantages:
No solution to the other types of attacks
Banks need to foresee a support desk to reset the locked password, which is very costly. Research has shown that up to 30 percent of all support calls to the banks’ call centers are password reset requests and that the average cost to handle such a call
is estimated to approximately $25 in labor costs.
The reset procedure can be a big security risk in itself, since this procedure can also be used by hackers to break passwords.
Blocking an account is typically not possible for "admin" accounts, since this could block the entire system. As these are the user accounts, which need to be secured the most, other authentication solutions need to be found.
5.1.2. PIN code
This authentication method is used a lot in combination with cards (e.g. debit card, credit card, identity card…). Typically a PIN code consists of a 4-digit code.
This means an attacker would need to guess on average 5,000 times to get the correct PIN code (assuming that the client has not used an obvious PIN code like "1234" or his birth date). If a computer does the work, it may take a matter of seconds. Banks foresee
therefore always a lock-out feature, after 3 unsuccessful attempts.
5.1.3. Identifiable Picture
This technique is very similar to a password, but instead of the user having to remember a password, he has to remember a picture. When a user registers his account, a picture is provided to the user.
Afterwards, when the user tries to log on, multiple pictures are shown and the user must select the right picture.
The technique is more complex to implement than simple passwords, but has the advantage that:
5.1.4. Passphrase
A passphrase is a special type of password, which consists of multiple words which form a phrase. This makes it easier to remember and more secure (since longer) than traditional passwords.
The disadvantage is that they require more typing, which is an even bigger disadvantage on devices without keyboards, such as mobile phones.
5.1.5. Secret Facts
Secret facts are a set of questions that a user should answer and normally only he knows the answer to. When a user creates an account, he will be asked to answer a few questions. Afterwards when he logs in a random set of questions (typically
3) will be selected, which the user should answer.
Typical examples are: "Name of your first pet", "Maiden name of your mother", "Name of your first school", "Place of your first school"…
This technique is often used for password resets.
The method has the advantage that it is easy to remember, but has also several disadvantages:
Only a combination of multiple questions provides a reasonable level of security. This results in less fluent user experience than traditional passwords.
Answers can often be found through research on social networks or other information sources.
Issues with spelling of answers, usage of capitals and ambiguous answers (e.g. "name of your school" could include or exclude the name of the city where your school is located) can exist.
5.2. Something you possess (Possession Factors)
This type of authentication is almost never used alone, since it can be easily stolen or duplicated.
In combination with "something you know", it is however the most common 2-factor authentication at the moment.
5.2.1. Cards
Next to passwords, cards are probably the most used authentication technique. Think about your debit card(s), credit card(s), electronic identity card…
All those cards allow a user to be authenticated, whether or not in combination with a PIN code or a signature. For example an ATM uses 2-factor authentication, consisting of the card (something you possess) and the PIN code (something you know).
Certain banks offer also card readers to their customers to allow using card-based authentication for Internet and Mobile banking. When a customer wants to login a challenge is provided to the customer. The customer puts his card in the
card reader, types in the challenge and his PIN code. The card reader will then generate an OTP (one-time password), which the customer fills in to login to the site/app.
Although these card readers offer a simple way to reuse existing authentication techniques for digital channels, they are expensive for the bank (card readers are usually given to the customer for free) and not very practical for customers (customers
always have to carry a card reader around).
5.2.2. USB Token
A USB token is a token which must be plugged into a computer’s USB port, so that the computer has access to the information. The USB token is considered as "something you have", while the password is "something you know". Furthermore, the
token will typically provide a secure storage for multiple login credentials, so that the user only needs to remember a single password.
A well-known example of a USB key is a YubiKey, which is supported by Gmail, Facebook, GitHub… When a user wants to login to such a website, the user first inserts his YubiKey in the USB port, enters his password and clicks in the field
in which the OTP should be inserted. If this field supports the YubiKey, a button will appear which will ask YubiKey to generate an OTP and automatically enter it in the field.
This OTP is then sent from the online service to Yubico for authentication checking. Once the OTP is validated, Yubico sends a message confirming the authentication.
5.2.3. Key Fob Token
A key fob token is a small physical device, which generates one-time passwords. One of the most used examples is the RSA SecurID key fob, which is often used to authenticate employees to a VPN network (e.g. for home-work).
Most key fob tokens are time-synchronous meaning the token and the server are synchronized. When logging in the user often has to concatenate a password with the code appearing on the key fob. This ensures 2-factor authentication (i.e. "password"
is something you know and the "key fob" is something you possess).
Key fob tokens have the advantage of being easy to set up and use, but also have some major disadvantages:
Very costly, i.e. total cost (i.e. cost of the token, but also cost within the organisation to distribute to the user) is high. Furthermore tokens are often lost and only last for about 2 to 3 years.
The need to re-synchronize (i.e. in case the token’s clock has drifted) creates a weakness in the process.
No link with the individual: tokens can be easily lost with no possibility of returning them to their owner, which also increases the risk of security breaches
Due to those disadvantages, key fob tokens are more and more replaced by much cheaper "soft-tokens", which work exactly the same way, except that the "token" is generated by a small app on the user’s smartphone.
5.2.4. Mobile phone
The emergence of mobile (smart) phones is making the mobile phone more and more the preferred authentication technique in the category of "something you have", especially since a user always has it close at hand, and since modern smartphones can
also support several authentication techniques in the category of "something you are" (see below).
Mobile phones are typically used for 3 types of authentication techniques:
Website sends an SMS with a unique one-time password to your mobile phone, which the user needs to enter.
Website generates an automated telephone call, which the user must answer to continue the login.
An app installed on the smartphone, which generates a time-based soft-token (see above). Well known examples in this category are the app of RSA SecurID, the Google Authenticator app and the Code Generator in the Facebook app.
The trend is clearly towards the last type of authentication, since this gives several advantages:
User does not have to disclose his telephone number to the website, avoiding customer privacy concerns.
User does not have to wait till SMS has arrived, providing a more fluent user experience.
More secure, e.g. for SMS many spoofing software packages are available, meaning that SMS is vulnerable to a man-in-the-middle attack. Another risk of SMS and call-back is "Mobile Phone Number Portability".
More reliable, e.g. if there is no network connection, it is not possible to receive a call or SMS, but still possible to use the soft-token app.
This type of authentication however still poses the issue that the user inputs both passwords (i.e. his password and the one-time password generated on the mobile phone) on the same site. A potential solution for this is
to send the one-time password through the phone’s own network connection.
This can be achieved through the use of QR codes, i.e. the user enters his password on the website and the website generates a QR code. This QR code is scanned with the customer’s mobile phone, which automatically sends a message to a specific website,
which identifies the mobile phone and thus the 2nd factor of the authentication.
5.2.5. Digital certificates
Another form of a token is a digital certificate. This is a file stored on a computer, which gives a user authorized access to a specific resource. Although this is purely digital, it can also be considered as "something you possess".
A digital certificate is issued by a Certificate Authority (CA), which verifies the identity of the owner. Certificates are usually issued for a specific period of time, after which they expire and can normally be renewed.
A typical example is the certificate issued by the Belgian government, which is associated to the Belgian electronic identity card. This certificate can be used for authentication and digital signing.
5.2.6. Connected Devices
Connected devices use a pre-established connection (e.g. Bluetooth) from an authenticated device (e.g. a mobile phone) to another device (e.g. a desktop PC).
This connection is proof of presence of the authenticated device, meaning that 1 factor of the 2-factor authentication is established.
While this method is very user friendly, it can only be used when there is a physical proximity between the user and the device. This makes the solution not directly applicable for all use cases.
5.3. Something you are (Inherence Factors)
Until a few years ago, authentication techniques of the category "Something you are" - also called biometrics - were limited to very niche use cases (mainly due to their cost), but with the rise of smartphones they are now becoming mainstream.
Most smartphones now have a fingerprint sensor and a high-pixel camera allowing other types of identification.
Biometric authentication has a lot of advantages, since it cannot be shared, borrowed or forgotten (resulting in higher security) and provides a frictionless user experience.
Thanks to these advantages and the fact that most customers own a smart phone, big banks are increasingly offering their customers the possibility to use biometric authentication.
Biometrics should still be combined with another technique of authentication, since they are also not fully safe. The main disadvantages of biometrics are:
Biometrics are visible to anyone (no way to hide them)
A biometric cannot be changed in case of a breach
A high matching tolerance is required to avoid usability problems (false rejections of the legitimate user), but this leads to a lot of false positives (wrongly accepted matches), even without deliberate attacks.
A bypass must be foreseen. Since each biometric can always give a false negative and the customer cannot do anything about it at that moment, a bypass mechanism must be provided. Such a bypass can be a password or another type of biometric technology.
Biometric authentication can be categorized in 2 main categories:
User Physical Characteristics Metrics, like facial recognition, fingerprint…
User Behavior Metrics (Behavioral Metrics), like gesture, keystroke rhythm…
5.3.1. Facial Recognition
Facial recognition consists of authenticating a person based on a photo (or set of photos), using face-matching capabilities. Using modern high-resolution cameras on smartphones this technique can be easily realized and is very user friendly.
On the other hand it is known to have some issues:
Instead of taking a picture, hackers can send a picture which was taken of the real user. This threat is nowadays mitigated by obliging the user to blink during the facial recognition process, but there are cases where this technique could also be hacked using a video of the user.
Facial recognition gives issues in case of bad light conditions or when you have (temporary) changes to your face (e.g. bruises, cuts, plastic surgery…).
5.3.2. Fingerprint
Fingerprint authentication consists of scanning a customer’s finger and comparing the scanned fingerprint with a recorded fingerprint.
Several smartphones (e.g. Touch ID of iPhone) nowadays provide a fingerprint sensor, making this authentication technique available to the masses and therefore easy to realize and very user friendly.
This method however gives also some known issues:
Some people do not have fingerprints (e.g. burn victims)
False negatives often occur when the user does not put his finger correctly on the scanning device or when a finger is wet or injured (e.g. a cut on the finger). Furthermore, fingerprints can wear or become damaged with age.
The finger pattern can potentially be copied (rubber fingers)
Some of those issues can be avoided using an optical capture of fingerprints using the camera and flash of a mobile phone. This technique, used for example by the Dutch mobile bank Bunq, captures 4 fingerprints at once, resulting in a higher level of precision and reliability.
5.3.3. Heartbeat (Cardiac rhythm)
A less known authentication technique is based on the customer’s heartbeat, or more specifically the customer’s cardiac rhythm. For example, the UK bank Halifax (part of the Lloyds Banking Group) has successfully completed a trial with this technique using the Nymi band.
The Nymi band reads the wearer’s cardiac rhythm (comparable to an electrocardiogram = ECG) for authentication. The shape of the ECG (not the heart rate) is also unique for each person (it depends on the size of the heart) and can cope with variations in heart rate and with persons with an irregular ECG due to a medical condition.
5.3.4. Iris scan
An iris scan authenticates a user by measuring the patterns of different features (like fibers, color, pits…) in the eye’s iris. This gives a unique identification of the user.
This scan can also be done using a smartphone camera. A variant on this is to match the unique pattern of eye veins of the users.
5.3.5. Palm (Hand Geometry)
A hand geometry scan authenticates a user by measuring the properties (finger length, width, thickness…) of the user’s hand. These properties also allow unique identification of the user.
Since this technique also requires measuring thickness, an orthographic scan is required. This means a special device is required.
This makes this technique not practical for digital use, except maybe for ATMs.
5.3.6. Vein in the hand or finger
Vein authentication uses the vein pattern of the hand or a finger to uniquely identify a person.
This method is very accurate and very secure, since the pattern is not directly visible and therefore very difficult to replicate.
The disadvantage is again that this technology requires a special device with special light to go under the skin.
This technology is already used a lot in ATMs of certain countries (e.g. in Japan).
5.3.7. Gesture & Handling
This type of authentication records patterns of gesture and handling in order to identify the user.
This can be done in different ways, e.g.
On a touch screen, the system can record the timing, distance, and angle between each pair of taps, as well as the pressure and size of each finger tap.
Recording of mouse movements.
Recording of accelerometer and gyro sensors to capture the way (i.e. displacement and rotation) the device is held.
This type of authentication is especially interesting for continuous authentication.
5.3.8. Keystroke / Keyboard rhythm
Keyboard rhythm authentication can be easily integrated in the workplace, since keyboards are already present. This type of authentication will measure different characteristics of a person’s way of typing, i.e. latency between keystrokes, keystroke durations, finger positions, and the amount of pressure applied to the keys.
Also, this type of authentication is especially useful for continuous authentication.
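As an added illustration of the tolerance trade-off described for biometrics above and of the keystroke rhythm technique just described, the following toy verifier (written for this page, not code from the article or any vendor) enrolls a typing profile from inter-key latencies and shows how loosening the acceptance tolerance lowers false rejections at the price of more false acceptances. All latency samples, names and tolerances are constructed assumptions.

```python
# Added example (not from the article): a toy keystroke-rhythm verifier that
# makes the tolerance trade-off from the biometrics section explicit.
# All latency samples below are constructed; function names are hypothetical.
from statistics import mean, pstdev

def enroll(samples):
    """Profile = (mean, std) per inter-key latency (ms), from enrollment typing."""
    cols = list(zip(*samples))
    return [(mean(c), max(pstdev(c), 1.0)) for c in cols]  # floor std at 1 ms

def distance(profile, sample):
    """Mean absolute z-score of a typing sample against the profile."""
    return mean(abs(x - m) / s for x, (m, s) in zip(sample, profile))

def verify(profile, sample, tolerance):
    """Accept when the sample is within `tolerance` (in std units) of the profile."""
    return distance(profile, sample) <= tolerance

def error_rates(profile, genuine, impostor, tolerance):
    """(FAR, FRR): impostors wrongly accepted, genuine users wrongly rejected."""
    far = sum(verify(profile, s, tolerance) for s in impostor) / len(impostor)
    frr = sum(not verify(profile, s, tolerance) for s in genuine) / len(genuine)
    return far, frr

# Constructed enrollment: five typings of a 6-key passphrase (5 latencies each).
ENROLL = [
    [120, 90, 150, 110, 130],
    [125, 95, 145, 115, 128],
    [118, 88, 155, 108, 135],
    [122, 92, 148, 112, 131],
    [115, 85, 152, 105, 126],
]
GENUINE = [  # later sessions of the same user (constructed)
    [121, 91, 149, 111, 129],
    [128, 98, 142, 118, 137],
    [117, 87, 153, 107, 132],
    [130, 100, 140, 120, 140],
]
IMPOSTOR = [  # other people typing the same passphrase (constructed)
    [200, 160, 90, 180, 210],
    [126, 96, 144, 116, 136],
    [140, 110, 130, 130, 150],
    [110, 80, 160, 100, 120],
]
PROFILE = enroll(ENROLL)

if __name__ == "__main__":
    for tol in (1.0, 2.5):
        far, frr = error_rates(PROFILE, GENUINE, IMPOSTOR, tol)
        print(f"tolerance={tol}: FAR={far:.2f} FRR={frr:.2f}")
```

With the constructed data, the strict tolerance rejects half of the genuine sessions but no impostor, while the loose tolerance halves the false rejections and starts accepting an impostor whose rhythm is merely similar; this is why the text insists on a bypass and on combining biometrics with another factor.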
5.3.9. Voice / Speech
Voice authentication records the voice characteristics of a person. This consists of comparing the harmonic and resonant frequencies with a voiceprint created during account creation.
When a user wants to authenticate, he must speak a predetermined phrase used in the initial recording, such as his name.
This type of authentication is again very user friendly and relatively secure, but has some important drawbacks:
Authentication will not work when the user is ill (and his voice is impacted)
Not very suitable for desktop computers, since they don’t always have a microphone
Authentication might be difficult in a noisy environment
Voice of the person could be recorded and replayed by a hacker
6. Security Measures
As mentioned before, a secure authentication should consist of a layered approach, i.e.
Using multi-factor authentication
Using continuous authentication instead of one-shot authentication
Applying self-improving fraud detection engines based on the behavioral patterns of the user
Those authentication techniques should however be combined with other security techniques to further reduce the risk of fraud:
Customers should be made aware of the role they play in ensuring good security, i.e.
Installing anti-virus and anti-malware software
Using a firewall on the customer’s computer
Immediate installation of operating system patches and updates
Applying decent password policies (i.e. complex passwords, no reuse of passwords, regular changing of passwords, no physical recording of passwords…)
Avoiding sharing authentication details via insecure channels (like mail, SMS or phone calls)
Banks should apply all internal security measures, e.g.
Apply the same guidelines as stated before for customers
Encryption of all confidential data
Physical security of all buildings
Correct destruction of all material containing confidential info (i.e. documents, IT-material…)
Regular security audits to identify weak spots in the security setup
Transparent and open communication of potential threats and immediate adjustment of policies, i.e.
Transparent communication when security breaches occur
Informing customers of ongoing threats
Exchanging information about threats and successful fraud attacks within communities
Immediate adaptation of the fraud detection engine based on this information (e.g. increasing authentication methods or restricting or blocking access for high-risk requests)
7. Authentication as a commodity
Even if the multitude of authentication techniques makes it difficult for banks to select the right one, all those authentication methods do exist as commodity products.
Several firms provide out-of-the-box solutions for all those authentication techniques.
These can be technical firms providing such solutions, whether or not in the cloud, but also the big tech companies like Google, Facebook and Twitter providing authentication, including two-factor authentication, as a service (i.e. so-called social identities), which can be integrated in other websites/services.
These social identities avoid having to support multiple passwords and having to enter personal data multiple times, but have the risk that when the social account is compromised, it leads to a significant spillover effect.
8. Authentication as an asset - Trusted Digital Identity Provider
Even though authentication has become a commodity feature, "authentication" with guaranteed "identity" (i.e. reliable information on the identity) is still a valuable asset of the banks. This is thanks to the KYC (Know Your Customer) process, which is legally mandatory for a bank and which uniquely links a customer to a physical human being. Monetizing this asset would allow a bank to regain some of the investments made in the costly KYC process.
Currently it is possible to open e.g. a Facebook account by impersonating someone else. The 2-factor authentication of Facebook will guarantee that the user who uses this new account is the user who created the account, but it does not guarantee the correctness of the identity.
This kind of "fake account" poses serious risks for multiple services, e.g. in case of dispute for online services the correct physical person cannot be traced, cyber bullying, ruining the reputation or credit rating of others, use of
A correct customer identification process is therefore vital for most online services.
Thanks to this unique identification/authentication asset and the fact that people generally trust banks (i.e. customers, but also merchants who would use the identity information), banks are ideally positioned to serve as Trusted Digital Identity Provider. Especially since banks are highly regulated, meaning that if an "Identity" is lost or stolen, banks will be forced by regulators to act. This in contrast to the big tech giants, over which regulators have a lot less control.
Such a Trusted Digital Identity Provider would:
Manage the digital identities, i.e. ensure that user account data (e.g. name, address, birth date, birth place) matches with the user’s true identity
Provide state-of-the-art authentication mechanisms (using the above described methods) as a service
Provide the ability to the user to view and update his personal data
Provide the ability to the user to manage the consents the user has given the bank to share his personal data
Consents to share personal data would also be much more granular than today, i.e. only relevant personal data attributes would be shared instead of sharing the full identity. E.g. a website which needs to verify if the user is an adult only needs to know if the user is above 18. The website can request this information from the Trusted Digital Identity Provider, which can just share this data. There is no need to share any other personal data like e.g. the user’s exact birth date or the user’s name.
In short, a bank could become not only a place where money is stored, but also a place where identity is stored.
The above features mean that the customer is fully in control of his personal data and that personal data is only shared on a need-to-know basis, which is perfectly in line with the contemporary privacy regulations, like GDPR.
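To make the consent and need-to-know sharing described above concrete, here is an added, minimal in-memory model of such a Trusted Digital Identity Provider (written for this page, not code from the article or from any bank): it releases only attributes the user has consented to for a given relying party, and answers the "above 18" question as a derived claim without disclosing the birth date. The users, relying party and class/function names are hypothetical.

```python
# Added example (not the article's or any bank's code): a minimal in-memory
# Trusted Digital Identity Provider that shares only attributes the user has
# consented to, and answers "over 18?" without revealing the birth date.
# All users, relying parties and names below are hypothetical/constructed.
from datetime import date

class IdentityProvider:
    def __init__(self, today):
        self.today = today        # injected so age checks are reproducible
        self.identities = {}      # user -> KYC-verified attributes
        self.consents = {}        # (user, relying party) -> consented attributes

    def register(self, user, attributes):
        """Store attributes established by the bank's KYC process."""
        self.identities[user] = dict(attributes)

    def grant_consent(self, user, party, attributes):
        self.consents.setdefault((user, party), set()).update(attributes)

    def revoke_consent(self, user, party):
        self.consents.pop((user, party), None)

    def _claim(self, identity, attribute):
        """Derived claims answer a question without exposing the raw attribute."""
        if attribute == "over_18":
            born = identity["birth_date"]
            try:
                eighteenth = born.replace(year=born.year + 18)
            except ValueError:            # born 29 Feb: use 1 March
                eighteenth = date(born.year + 18, 3, 1)
            return self.today >= eighteenth
        return identity[attribute]

    def share(self, user, party, requested):
        """Return only the requested attributes `user` consented to share with `party`."""
        allowed = self.consents.get((user, party), set())
        identity = self.identities[user]
        return {a: self._claim(identity, a) for a in requested if a in allowed}

def build_demo():
    """Constructed data: two customers, one adult, one minor, on a fixed date."""
    idp = IdentityProvider(today=date(2018, 3, 1))
    idp.register("alice", {"name": "Alice Example", "birth_date": date(1999, 6, 15)})
    idp.register("bob", {"name": "Bob Example", "birth_date": date(2003, 1, 1)})
    idp.grant_consent("alice", "shop.example", {"over_18"})        # only the age claim
    idp.grant_consent("bob", "shop.example", {"over_18", "name"})
    return idp

if __name__ == "__main__":
    idp = build_demo()
    print(idp.share("alice", "shop.example", ["over_18", "name", "birth_date"]))
```

Even though the relying party asks for the name and birth date as well, Alice's consent covers only the age claim, so that is all it receives; revoking the consent makes later requests return nothing.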
A bank could offer this service to online companies in other sectors, but also to other banks. This would allow these other banks to avoid performing a KYC process themselves and instead rely on the KYC process of the bank from which the identification/authentication service is acquired. This would significantly increase the economies of scale of the KYC process, thus reducing the overall operational costs banks associate with this process.
An interesting first example of such a service is the partnership of Commonwealth Bank of Australia with the website Airtasker, which allows customers to match their Airtasker account with that of the bank, allowing the website users to increase their trustworthiness (complementing the existing user rating system).
Today, apart from banks, only governments can take on such a role of Trusted Digital Identity Provider. However, since governments tend to be slow to incorporate such new evolutions and only provide national services, banks will probably be better positioned, because of their commercial interest and international character.
The advantages for the customer of such a single, federated digital identity would be significant:
In full control of which data is shared to which party
Only relevant data needs to be shared
Personal data only needs to be updated once
Only 1 authentication method for all digital services, i.e. instead of having to create an account, i.e. a new digital identity, for each website (and having a specific authentication process for that website), the user could just grant the site limited access to his personal data
A high level of security, since the authentication method of a company specialized in security is used
To achieve this, standardization will of course be required, so that parties can use the authentication technique and personal data retrieval services from any bank in the same way. This is required since no bank will be able to offer this service for everybody, meaning that a typical website should be able to link to multiple banks, so that the customer can select the bank where his digital identity is managed.