Investment Bank Switches from Hardware to Software Authentication
This bank focuses heavily on innovation and technology to provide a trusted customer experience that balances online and mobile security with ease of use. In 2016, the bank launched a project to offer customers enhanced authentication, including smartphone-based secure authentication technology for mobile transactions. By integrating best-of-breed authentication directly into their mobile banking app and website, the bank has strengthened security, met new regulatory requirements, and cut costs related to issuing and supporting hardware authentication devices.
This bank was under pressure to upgrade its authentication technology. While the bank’s customers were already using a different vendor’s one-time password (OTP) devices and passwords, the bank needed to implement stronger authentication to comply with new regulatory requirements.
Compliance was not the only challenge. Three other concerns added urgency to the upgrade:
Soon-to-expire hardware tokens: One-third of all OTP generators used by customers were just months from expiring.
Customer experience: The bank was still using a multi-password system. Customers authenticated with their OTP device in combination with three passwords – but it was difficult to remember three different passwords. Frustration was building; it was becoming increasingly important to simplify the authentication experience because customers who forgot their passwords couldn’t make payments or do trades.
Reissuing passwords was costly: The multi-password method generated a heavy workload for the helpdesk. Forgotten passwords triggered a manual password reset process – consuming valuable helpdesk time. Eliminating this could drive significant savings.
For years, the bank had provided customers with traditional hardware tokens. However, innovation in the world of mobile security gave the bank new options, namely software authentication for online transactions.
The bank developed a cost analysis to compare the two authentication methods. While the analysis remains confidential, “It was clear that from a cost perspective, using only hardware was not an option,” says the Project Manager. Introducing software authentication would provide stronger protection for mobile customers, while cutting costs.
However, the bank had concerns about customer adoption and surveyed their customer base to validate customers’ readiness to accept mobile authentication. The data showed mixed results. Some clients were ready, others not. The bank determined that a hybrid implementation was the best strategy. In fact, their research confirmed that most customers actually want both. Customers want the convenience of using their mobile device, knowing that if something goes wrong (e.g., lost phone, dead battery, etc.) they have a hardware backup.
While software authentication would provide cost savings, it was not without challenges. Some customers did not own a smartphone. Among those who did, survey results indicated resistance to change. While the mobile-first segment was interested in software authentication, not everyone wanted to use their smartphone as an authentication method.
In their communications, the bank had to overcome three barriers to adoption:
1. Lack of familiarity with, and trust in, mobile authentication.
2. Concerns about having too many apps already (not wanting to run out of space on the phone).
3. Concerns about loss or theft of the phone.
As a result, the bank decided to implement a hybrid hardware and software authentication system – while designing their customer communications to promote the software option.
To support the hybrid approach, the bank wanted a single vendor that could offer both authentication methods. That narrowed the shortlist to two vendors. All other key requirements fell into three categories: security, client experience and pricing. For example:
Security expertise: The bank required a vendor and trusted partner with deep industry expertise. “VASCO was very aware of new regulations and was able to advise us on compliance,” says the Project Manager.
Customer experience: The bank needed a vendor with a proven track record for enabling a frictionless, but highly secure, customer experience.
Local distribution center: The bank required proven security practices around the physical distribution of new hardware devices, since the vendor would have to handle private customer data. The bank required that PII remain in-country. VASCO’s distribution center was a differentiator.
Pricing: According to the Project Manager, “In terms of cost, VASCO was very close to the competing vendor.”
Strong authentication to safeguard confidential information
In addition to switching their hardware devices to VASCO, the bank also integrated VASCO software directly into their mobile and online applications.
Through the DIGIPASS® for Apps (DP4APPS) library of APIs, the bank added application security, authentication and dynamic signing features. DIGIPASS for Apps is a software development kit (SDK) that allows mobile developers to integrate a wide range of security features, such as two-factor authentication, biometrics, behavioral authentication, device ID, secure channel communications and more, directly into the banking app. The solution is white labeled, ensuring a seamless customer experience.
“We noticed that initially, customers are resistant to change – but once they try mobile authentication, they are very satisfied and stay with it. That’s why communication is so important. You have to convince customers to try it.”
To implement the solution, the bank assembled a team composed primarily of internal resources. These included:
members of the security department
a core team of six part-time developers
the bank’s change management team
Rollout & Adoption
From 2016 to 2017, the bank prioritized deployment to two streams of customers: those whose hardware tokens were about to expire and mobile app users.
The bank communicated the change to customers via email notifications, the website (a dedicated page with information, videos and FAQs) and helpdesk.
To date, the bank has migrated 30 percent of their customers. Rather than take a big bang approach, the bank chose to deploy gradually for two reasons:
Helpdesk pressure: Migrating everyone at the same time would have made it difficult to handle call volume, even with external support.
Budget: The bank has many customers whose hardware devices have not yet reached the end of their battery life. These customers can continue to use them until the new regulation is enforced in 2018.
From the bank’s experience, customer adoption depends on:
How you communicate the value to clients
What options you offer
The way the bank explains the new authentication methods to customers directly influences adoption. Today, the bank first promotes the software method. If the customer does not have a smartphone, then the bank will present the hardware option.
“If you ask them to choose between A and B, it is very likely the adoption [of software] will be lower because customers are not always ready to change. The reason adoption is so high, is because today, in our emails to customers, we only promote the soft key,” says the Project Manager.
This was one of the learnings from the initial rollout in 2016, when the bank offered customers a choice of hardware or software authentication. The following year, the bank changed its approach. By only promoting mobile authentication, the bank saw a significant lift in activations, with 62 percent of customers activating the soft key.
Tips for a Successful Initialization
DIGIPASS for Apps provides a full range of processes for deployment, provisioning and activation of authentication credentials. These processes are designed to generate, store and deliver personalized credentials securely, so that a credential cannot be captured in transit or copied from the device. In most implementations, banks are able to reuse existing practices and communication channels with their clients, which limits helpdesk overload and reduces security risk: fraudsters tend to exploit migration periods, when customers expect unfamiliar activation instructions, to run social engineering attacks.
During the implementation phase of the project, VASCO’s UX and security consultants worked with bank personnel to develop credential management processes. For example:
VASCO’s solution offers multiple ways to activate the customer’s authentication devices. This allows the bank to create user-friendly workflows for migration from old tokens to the new method.
DP4APPS provides a secure visual-code technology known as CRONTO: the activation data is displayed as a visual code that the customer scans with the phone’s camera, so credentials can be activated in seconds without typing long codes.
Because it is natively integrated inside the bank’s mobile app, DP4APPS provides automatic linking of the customer’s account with their security credentials and device-specific data.
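The activation flow outlined above (a one-time activation secret delivered out of band, a credential bound to the customer’s account and device, and a PIN rather than passwords) and the dynamic signing mentioned earlier can be illustrated with a small, self-contained model. The following Python is an added example written for this page; it is not VASCO’s DIGIPASS for Apps or CRONTO code, and the key derivation, message formats, counter window and lockout threshold are assumptions made for illustration. It uses only the standard library and constructed sample data.

```python
"""Generic soft-token activation and transaction signing (illustrative only).

NOT VASCO's DP4APPS/CRONTO protocol: the KDF, message formats, counter window
and lockout limit below are assumptions chosen for this example.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple

DIGITS = 8          # length of the signature code the customer sees
COUNTER_WINDOW = 5  # assumption: how far the client counter may run ahead
MAX_FAILURES = 5    # assumption: server-side lockout after this many bad codes


def derive_device_key(activation_secret: bytes, user_id: str, device_id: str) -> bytes:
    """Bind the credential to one account AND one device (assumed HMAC-SHA256 KDF)."""
    return hmac.new(activation_secret, f"{user_id}|{device_id}".encode(), hashlib.sha256).digest()


def pin_wrap_key(device_key: bytes, pin: str, salt: bytes) -> bytes:
    """XOR the key with a PBKDF2 keystream derived from the PIN (assumption).
    Applying the same function again unwraps it. A production app would keep
    the key in the platform keystore and use an AEAD, but the property shown
    here is the same: the stored blob is useless without the PIN."""
    ks = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=len(device_key))
    return bytes(a ^ b for a, b in zip(device_key, ks))


def sign_transaction(device_key: bytes, counter: int, amount: str, beneficiary: str) -> str:
    """Dynamic signature: the code covers counter, amount and beneficiary, so a
    payment altered in the browser yields a different code (what you see is what you sign).
    Truncation follows the HOTP dynamic-offset scheme on a SHA-256 MAC."""
    msg = struct.pack(">Q", counter) + f"{amount}|{beneficiary}".encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class BankServer:
    """Issues single-use activation secrets and verifies signed transactions."""

    def __init__(self) -> None:
        self.pending: Dict[str, bytes] = {}              # user_id -> activation secret
        self.tokens: Dict[str, Tuple[bytes, int]] = {}   # user_id -> (device key, last counter)
        self.failures: Dict[str, int] = {}

    def issue_activation(self, user_id: str) -> bytes:
        secret = secrets.token_bytes(16)  # carried to the phone out of band (e.g. a visual code)
        self.pending[user_id] = secret
        return secret

    def complete_activation(self, user_id: str, device_id: str, proof: str) -> bool:
        secret = self.pending.pop(user_id, None)  # single use, whatever the outcome
        if secret is None:
            return False
        key = derive_device_key(secret, user_id, device_id)
        # the app proves it holds the derived key by signing a fixed activation message
        if not hmac.compare_digest(proof, sign_transaction(key, 0, "ACTIVATE", device_id)):
            return False
        self.tokens[user_id] = (key, 0)
        return True

    def verify_transaction(self, user_id: str, counter: int, amount: str, beneficiary: str, code: str) -> bool:
        if user_id not in self.tokens or self.failures.get(user_id, 0) >= MAX_FAILURES:
            return False
        key, last = self.tokens[user_id]
        if not last < counter <= last + COUNTER_WINDOW:
            return False  # replayed counter, or client too far ahead
        if not hmac.compare_digest(code, sign_transaction(key, counter, amount, beneficiary)):
            self.failures[user_id] = self.failures.get(user_id, 0) + 1
            return False
        self.tokens[user_id] = (key, counter)
        return True


class SoftToken:
    """Client side. The key exists only in PIN-wrapped form; a wrong PIN yields a
    wrong key rather than an error, so PIN guessing is only observable (and
    throttled) at the server, never through a local oracle."""

    def __init__(self, user_id: str, device_id: str, activation_secret: bytes, pin: str) -> None:
        self.device_id, self.salt, self.counter = device_id, secrets.token_bytes(16), 0
        self.wrapped = pin_wrap_key(derive_device_key(activation_secret, user_id, device_id), pin, self.salt)

    def _key(self, pin: str) -> bytes:
        return pin_wrap_key(self.wrapped, pin, self.salt)

    def activation_proof(self, pin: str) -> str:
        return sign_transaction(self._key(pin), 0, "ACTIVATE", self.device_id)

    def sign(self, pin: str, amount: str, beneficiary: str) -> Tuple[int, str]:
        self.counter += 1
        return self.counter, sign_transaction(self._key(pin), self.counter, amount, beneficiary)


def demo() -> Dict[str, bool]:
    """Constructed walk-through: activation, genuine payment, replay, tampering, wrong PIN."""
    server, uid, dev = BankServer(), "cust-1001", "device-A"
    token = SoftToken(uid, dev, server.issue_activation(uid), pin="4711")
    r = {"activated": server.complete_activation(uid, dev, token.activation_proof("4711"))}
    r["reactivation_rejected"] = not server.complete_activation(uid, dev, token.activation_proof("4711"))
    ctr, code = token.sign("4711", "1500.00", "IBAN-DE-BENEFICIARY")
    r["genuine_ok"] = server.verify_transaction(uid, ctr, "1500.00", "IBAN-DE-BENEFICIARY", code)
    r["replay_rejected"] = not server.verify_transaction(uid, ctr, "1500.00", "IBAN-DE-BENEFICIARY", code)
    ctr, code = token.sign("4711", "1500.00", "IBAN-DE-BENEFICIARY")
    r["tampered_rejected"] = not server.verify_transaction(uid, ctr, "1500.00", "IBAN-XX-ATTACKER", code)
    ctr, code = token.sign("0000", "10.00", "IBAN-DE-BENEFICIARY")  # customer mistypes the PIN
    r["wrong_pin_rejected"] = not server.verify_transaction(uid, ctr, "10.00", "IBAN-DE-BENEFICIARY", code)
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting when mapping this back to the case study. First, the device key is derived from the activation secret together with the account and device identifiers, which is what makes a credential copied to a second phone worthless, and the activation secret is consumed on first use so a captured visual code cannot be activated twice. Second, the signature covers the transaction details and a counter, so the code a customer reads from the app is tied to the specific payment they see, which is the property that makes "dynamic signing" stronger than a plain login OTP.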
One of the most noticeable benefits was the level of customer satisfaction among those who tried the soft key authentication. According to the Project Manager, “Feedback from people who have activated the soft key has been very positive. It’s a lot easier to use. They always have it on them. It goes a lot faster because it uses a PIN rather than passwords that customers forget.”
Project stakeholders were pleased with:
The ease of integration into the banking app;
The fact that the bank did not have to point customers to a separate app solely for authentication;
The overall coverage of security threats in VASCO’s mobile SDK, which provides customers with a trusted authentication solution through their favorite mobile devices;
The quality of post-sale support they received from the VASCO team.
“Overall, the majority of customers did not have any trouble understanding mobile authentication, and were very happy we introduced it,” says the Project Manager. “They found the information on the website, read it, and were able to activate and start using it without any helpdesk support.”
However, one of the key learnings was the importance of adequately preparing for customers who will need support. A small percentage can generate a heavy workload for the helpdesk. “We were not fully ready for that. We had to scale up our helpdesk team very quickly,” says the Project Manager. A second lesson was the importance of tailoring the customer communications. Best practice is to segment and customize communications to different user groups since, “…not all customers know what a QR code is. Not all are tech savvy – some do not trust new authentication methods. Taking the time to adjust the communications is very important. That will make it clearer and easier for all.”
Finally, making educational and instructional videos was a big win for the bank. Not all customers will take the time to thoroughly read the information on the website – or the emails from the bank. “We were very happy we had those videos,” says the Project Manager.
One of the additional advantages of using video is branding. Because VASCO’s technology is white labeled, this gives banks the opportunity to promote their own brand to their customers, reinforcing the bank’s reputation as an innovator.
Software authentication provides compelling benefits – greater security, a simpler user experience and significant cost savings. But as highlighted in this case study, a successful migration requires a balance of leading-edge technology and proven practices for managing change and driving adoption. Our experience with banks around the world has positioned VASCO as a trusted partner for mobile authentication, both for our technology and our consultative approach. If you are considering migrating customers to mobile authentication, contact us to discuss your project.
VASCO is a global leader in delivering trust and business productivity solutions to the digital market. VASCO develops next generation technologies that enable more than 10,000 customers in 100 countries in financial, enterprise, government, healthcare and other segments to achieve their digital agenda, deliver an enhanced customer experience and meet regulatory requirements. More than half of the top 100 global banks rely on VASCO solutions to protect their online, mobile, and ATM channels. VASCO’s solutions combine to form a powerful trust platform that empowers businesses by incorporating identity, fraud prevention, electronic signatures, mobile application protection and risk analysis. Learn more at VASCO.com and on Twitter, LinkedIn and Facebook.