Strong Authentication

What is strong authentication?

Strong authentication uses multi-factor authentication (MFA) to authenticate a customer’s identity during login and transaction authorization. It also uses risk-based authentication (RBA) to help prevent fraud by determining the risk level for each online or mobile banking transaction and what level of authentication is required for each transaction.

How strong authentication works?

First, multi-factor authentication (MFA) uses three common factors:

• Something you know: The most common authentication is “something you know.” It can be a password or a simple personal identification number (PIN). However, it is also the easiest for fraudsters to beat.
• Something you have: The “something you have” factor refers to items such as a mobile device or hardware authenticator tokens, which generate single use, one-time passcode (OTP). Hardware authentication provides two-factor authentication (2FA). Mobile phone-based options, such as a push notification and a one-time passcode (OTP), also provide 2FA.
• Something you are: Biometrics are the “something you are” factor and can be fingerprints or facial scans and are part of the shift to passwordless logins, especially in mobile banking. There are also a number of laptops available with fingerprint sensors, and they are also available on USB flash drives.

To achieve multi-factor authentication, at least two different technologies from at least two different technology groups must be used for the authentication process. A customer using a PIN with facial recognition as a second factor would be using MFA. However, a customer using a PIN coupled with a password would be using two-factor authentication (2FA) and not multi-factor authentication.

Time-pressed customers increasingly want frictionless authentication. In other words, they want to be verified without the need to actually perform the verification. Implementing MFA helps prevent fraud because passwords and usernames are considered weak security. Passwords and usernames are easy to steal and exploit and they’re for sale on the Dark Web waiting to be purchased by criminals.

Second, risk-based authentication (RBA) is part of strong authentication:

Risk-based authentication helps prevent account takeover and other fraud attacks with the use of machine learning and a risk engine. RBA analyzes thousands of data points, such as the customer’s device, IP address, location, network, time of day, and the transaction itself to produce a risk score in real time. Depending on the risk score, risk-based authentication can trigger an immediate authentication challenge, if needed. A risk score can also include the user’s history of security incidents, number of logins, and the sensitivity of the data accessed. The reason that a risk score is based on a combination of many contextual and other data points is because one data point on its own can and will be beaten by an attacker. Risk-based authentication is also known as adaptive authentication or step-up authentication and makes use of multi-factor authentication when required.

Here is an example of risk-based authentication determining that a transaction is of low risk: A legitimate customer logs into their banking portal with a known device that has been registered with the bank and is using the same browser they typically do. The customer is checking their balance or making a small payment. In this case, the system determines the risk of fraud is so low that customer does not need to re-authenticate after they’ve logged in.

However, when the customer’s behavior deviates from their normal activity, the risk-based system will add more authentication mechanisms, resulting in more security hurdles for riskier transactions such as a bank wire transfer. In this case, the customer would be prompted to authenticate themselves in one form or another, for example, with a fingerprint accompanied with a one-time passcode, which would be multi factor authentication. If successful, they would carry on with their business. If not, the transaction would be cancelled.

As noted, static passwords and usernames no longer provide enough security given the constantly evolving landscape threat and regular data breaches. Risk-based authentication using multi factor authentication, allows financial institutions to support authentication elements such as mobile apps and hardware tokens, which are something you have. It also supports biometrics, such as fingerprint and facial scans which are something you are, and supports the something you know element such as a PIN.

Different types of  multi-factor authentication technologies

• Hardware tokens: Small, easy-to-use hardware devices, such as keychain fobs or smart cards, that an owner carries with them to authorize access to a network service. They support strong authentication with one-time passwords (OTPs). Hardware tokens provide the possession factor for multi-factor authentication. They’re challenging to physically break into and manipulate, help with data protection because customer data is not stored, and are less vulnerable to attacks.
• Soft tokens: Software or app-based tokens generate a one-time use login PIN. These tokens are often used for multi-factor authentication in which the smartphone provides the “possession” factor, or something you have. Soft tokens alleviate the need to remember passwords, can keep up with technology innovations, and can cut onboarding time from days to minutes for the end user.
• Push notifications: Push notifications deliver the authentication code or one-time password through a push notification on the person’s mobile device. Instead of receiving an SMS message, the push notification appears on the lock screen of the person’s device.
• Visual cryptogram: A visual cryptogram such as Cronto® is a multi factor authentication solution that uses a unique visual challenge that’s contained in a graphical cryptogram, which consists of a matrix of colored dots. The customer uses the camera on their mobile device to scan the cryptogram and decrypt the transaction details within.
• Mobile authentication: Mobile authentication provides a way of verifying a customer via their phone or verifying the device itself, allowing the customer to login to secure locations and access resources from anywhere with enhanced security.
• Biometric authentication: Biometric authentication includes using a fingerprint scan or facial recognition in the authentication process to accurately and securely authenticate customers usually on their mobile devices, as well as behavioral authentication which provides behind the scenes security that continuously authenticates them by the unique ways they interact with their devices. This includes the cadence of their keystrokes, their swipe patterns, and more.

How strong authentication helps prevent fraud

Strong authentication methods can help decrease fraud attacks because of multi-factor authentication and risk-based authentication.

Multi-factor authentication makes it more difficult for fraudsters to log into a customer’s account due to three authentication factors for validation: something you know, something you have and something you are. MFA adds additional security when the customer’s device isn’t recognized, for example, or if the customer is trying to do a transaction from an unusual location. It also helps prevent some of the most common cyberattacks, including phishing, credential stuffing, man-in-the-middle attacks and keyloggers. A phishing attack may result in stealing a person’s credentials, but it won’t provide the hacker with a fingerprint, for example. Using multi-factor authentication doesn’t stop all types of attacks, but it does add additional layers of strong authentication that can make cyberattacks more difficult. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before they can gain access to a customer’s account.

Risk-based authentication helps prevent fraud, too, because the fraud prevention system makes real-time decisions about the precise level of authentication security that is needed for each customer transaction to prevent unauthorized access. It’s difficult for a fraudster to impersonate a legitimate customer because RBA is based on the contextual view of the person’s behavior, transaction data, and device data, for example.

Over time, the risk score becomes a more reliable indicator of account compromise and any emerging fraud patterns. As a risk assessment tool, RBA also makes instant decisions about which authentication methods to use, and in what combinations to help prevent fraud. Here is an example of risk-based authentication in action: If someone attempts to transfer 90% of the funds available in a bank account using a device that is unknown and not registered with the bank and at a time of day that doesn’t match the customer’s historical patterns, they would be asked to further verify their identity with strong authentication, such as a one-time pass code accompanied by a fingerprint scan or facial biometric. Additionally, the use of RBA can identify risky login attempts and deny access or transactions altogether, if necessary.

Strong authentication moves financial institutions away from the reliance on passwords, which are easily hacked and a key cause of security breaches and account fraud. Part of the problem with passwords is that modern fraud methods are so sophisticated that a password has virtually no hope of preventing them.

Benefits of strong authentication?

Strong authentication provides increased security over outdated single-factor username and password user authentication. As banks add new online services and new ways to serve their increasingly mobile customers, strong authentication can help keep pace with security challenges and provide the least intrusive experience possible for customers.

It’s also a winning condition that can help unlock loyalty, and ultimately lead to growth, because it’s a smooth and secure experience for customers. Customers have little patience for too many layers of authentication and they simply don’t want to spend a lot of time on accessing their accounts. As part of a bank's digital transformation, strong authentication also removes unnecessary identity verification steps. It applies the precise amount of security at the right time for each transaction based on the level of risk, providing a smooth experience if extra security is required. Customer experience has a direct impact on retention, and studies have shown that customers who can easily interact with their financial institution anywhere and at any time are less likely to switch to another financial institution. As mentioned, strong authentication also helps financial institutions cut fraud losses.

Compliance

Strong Customer Authentication (SCA) is a new requirement of the revised Payment Services Directive (PSD2), which adds extra layers of security to electronic payments. For example, MFA is necessary to satisfy its strong authentication requirement. PSD2 also mandates the use of transaction risk analysis to prevent fraudulent payments.

What analysts say

Market research company Forrester notes that risk-based authentication, part of strong authentication, is more relevant than ever for financial institutions because online and mobile transactions are increasingly popular. Forrester says that the ability to reduce inconvenience and hassle for customers without sacrificing security is a competitive differentiator. The market research company also says that to generate the most accurate risk score possible, an anti-fraud system must be able to analyze as much user, device, and transaction data as possible across digital channels.