For over 50 years, a username and a password have been the fundamental and largely unchanged model for identifying and verifying users, in the financial sector and beyond. Nevertheless, this approach has drawbacks, and they are clearly visible in the financial sector.
Long, complex usernames and passwords are not user-friendly. This creates a tension: how do we balance user experience (UX) with security? Passphrases, for example, are more secure than familiar passwords, but with the advent of mobile devices and apps, user preferences have shifted. Users now want fast and practical access; long passwords seem impractical.
The consequences of these drawbacks can be severe, especially in the financial sector. If security guidelines are breached and sensitive data is compromised, the company is exposed not only to damage from competitors or criminals but also to a violation of the GDPR, not to mention considerable reputational damage and the subsequent loss of business.
An intelligent answer
Fortunately, an approach is emerging that can address these concerns: Artificial Intelligence (AI). The emphasis shifts from recognising usernames and passwords to recognising the user themselves. AI techniques are applied to gain insight into how verified users interact with business apps, data and services, so that cybersecurity professionals in the financial sector can detect, for example, when malicious users or malware attempt to access data.
The different, individual techniques that can all work together to identify users generally fall into two main categories:
- Continuous authentication - Unlike password-based authentication and other two-factor authentication (2FA) techniques, continuous authentication compares the user's behaviour during each session with existing (learned) models of past behaviour. It also looks for anomalies that may indicate the session has been taken over by an external threat. The signals include, for example, behavioural biometrics (typing speed and mouse movements) and transactional behaviour (such as the transactions performed and the amounts involved).
- Contextual awareness - This approach is based on understanding the context of a particular session or transaction and then checking it against security policies. The security policy performs context-based checks and can then take appropriate action. Context typically includes both the physical context (e.g. the device and network used, time of day, location) and the transactional context (e.g. transferring or withdrawing amounts).
From the user's point of view, the great advantage of these techniques is that no additional action is needed to authenticate. Authentication becomes automatic and continuous, and at the same time adapts to the user's context while the user concentrates on their work. For example, less strict authentication is applied when a user is working in a lower-risk context, such as routine transactions.
Applying these techniques can lead to a user experience that rarely requires a password: authentication is only requested when the risk of the context is too high. At the same time, the bar for cybercriminals is considerably higher, because they have to pass multiple layers of behavioural and contextual risk assessment, continuously, with the level of scrutiny increasing as the transaction risk increases.
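The following is an added, simplified illustration of how the continuous-authentication and contextual-awareness signals described above can be combined into a risk score that drives the adaptive step-up behaviour just described. It is not code from the article or from any product; the user profile, session events, weights and thresholds are all constructed sample values, and a real deployment would use learned models rather than the hand-written z-score heuristics used here.

```python
"""Risk-adaptive session authentication (illustrative toy model).

Three signal groups from the text are scored separately and combined:
  behavioural  - continuous authentication against a learned baseline,
  contextual   - device / location / time-of-day checks,
  transactional - what the user is trying to do and for how much.
All profile data, events, weights and thresholds are constructed examples.
"""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class UserProfile:
    """Learned baseline for one user (constructed sample values)."""
    typing_intervals_ms: list[float]   # keystroke intervals seen in past sessions
    typical_amounts: list[float]       # amounts of past transactions
    known_devices: set[str]
    usual_countries: set[str]
    usual_hours: range                 # local hours in which the user is normally active


@dataclass
class Event:
    """One observation within a live session."""
    device: str
    country: str
    hour: int
    typing_interval_ms: float
    amount: float = 0.0
    kind: str = "view"                 # "view", "transfer" or "withdraw"


def zscore(value: float, samples: list[float]) -> float:
    """Distance of value from the sample mean, in standard deviations."""
    sd = pstdev(samples)
    return 0.0 if sd == 0 else abs(value - mean(samples)) / sd


def behavioural_risk(profile: UserProfile, event: Event) -> float:
    """Continuous authentication: deviation of this session's typing rhythm
    from the learned model, scaled so 3 sigma = maximum risk."""
    return min(zscore(event.typing_interval_ms, profile.typing_intervals_ms) / 3.0, 1.0)


def contextual_risk(profile: UserProfile, event: Event) -> float:
    """Contextual awareness: unknown device, unusual country, unusual hour."""
    risk = 0.0
    if event.device not in profile.known_devices:
        risk += 0.4
    if event.country not in profile.usual_countries:
        risk += 0.4
    if event.hour not in profile.usual_hours:
        risk += 0.2
    return min(risk, 1.0)


def transactional_risk(profile: UserProfile, event: Event) -> float:
    """Transactional context: moving money is riskier than viewing, and an
    amount far outside the user's history raises the bar further."""
    if event.kind == "view":
        return 0.0
    base = 0.3 if event.kind == "transfer" else 0.4
    return min(base + min(zscore(event.amount, profile.typical_amounts) / 3.0, 0.6), 1.0)


def assess(profile: UserProfile, event: Event) -> tuple[float, str]:
    """Weighted combination of the three signals mapped to a policy decision.
    Returns (score rounded to 3 decimals, decision)."""
    score = (0.4 * behavioural_risk(profile, event)
             + 0.3 * contextual_risk(profile, event)
             + 0.3 * transactional_risk(profile, event))
    if score < 0.25:
        decision = "allow"      # low-risk context: no extra friction for the user
    elif score < 0.6:
        decision = "step_up"    # request a password / 2FA for this action only
    else:
        decision = "block"      # likely session takeover: end session and alert SOC
    return round(score, 3), decision


# Constructed baseline: typing interval mean 200 ms (sd 10), amounts mean 100 (sd 50).
PROFILE = UserProfile(
    typing_intervals_ms=[190, 190, 190, 190, 210, 210, 210, 210],
    typical_amounts=[50, 150, 50, 150, 50, 150, 50, 150],
    known_devices={"phone-A1", "laptop-B2"},
    usual_countries={"NL"},
    usual_hours=range(7, 22),
)

# Constructed session events covering the situations described in the text.
ROUTINE_TRANSFER = Event("phone-A1", "NL", 10, 205, amount=120, kind="transfer")
LARGE_TRANSFER = Event("laptop-B2", "NL", 10, 200, amount=600, kind="transfer")
NEW_DEVICE_VIEW = Event("tablet-new", "NL", 10, 200)
TAKEOVER = Event("unknown-7f", "FR", 3, 260, amount=900, kind="transfer")


def demo() -> list[tuple[str, float, str]]:
    """Evaluate every constructed event and return (label, score, decision)."""
    cases = [("routine transfer", ROUTINE_TRANSFER), ("large transfer", LARGE_TRANSFER),
             ("view from new device", NEW_DEVICE_VIEW), ("session takeover", TAKEOVER)]
    return [(label, *assess(PROFILE, ev)) for label, ev in cases]


if __name__ == "__main__":
    for label, score, decision in demo():
        print(f"{label:22s} score={score:.3f} -> {decision}")
```

Running the block shows the behaviour the text describes: the routine transfer from a known device is allowed without any prompt, a large transfer with otherwise normal behaviour is stepped up (the bar rises with transaction risk even though the user is probably genuine), merely viewing from a new device stays low-risk, and the combination of abnormal typing rhythm, unknown device, unusual hour and location, and a large amount is treated as a takeover and blocked.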
This does not mean that implementing these authentication techniques goes without a hitch. For example, apps and services have to be changed to integrate the new techniques, which is more complex than building a login page that collects passwords and sends messages. This challenge can, however, be overcome with a platform-based approach, as opposed to an individual approach in which each app and service is tackled separately.
Although strong usernames and passwords have long been seen as the best way to protect the financial sector, on their own they are too vulnerable, especially when it comes to securing the data the sector holds. Using AI, cybersecurity professionals are working to develop more reliable authentication techniques tailored to each individual user. By recognising behaviour instead of login data, users can rely more on the security of their finances and data. This frictionless experience ultimately means the best UX while assuring security and privacy and delivering optimised productivity.