Fraud is one of the biggest concerns for businesses around the world. Fraud perpetrators are constantly looking for ways to obtain personal information such as email addresses, usernames, passwords, phone numbers, credit card numbers, and other financial details. Since the financial sector is one of the most targeted industries by cybercriminals, innovation tends to be a strong driver in this space. However, traditional authentication methods used by banks and other financial services organisations have proven to be fundamentally flawed in today's threat landscape.
To deter fraud and survive in today's digital economy, financial organisations must be able to distinguish their customers from fraudsters or risk not only financial loss but also their reputation and customer trust. Unfortunately, credential-based attacks, phishing attacks, and account takeover (ATO) fraud cases have been on the rise in recent years, disrupting businesses and organisations already consumed by the COVID-19 pandemic and an uncertain geopolitical climate. To add fuel to the fire, the spike in fraud cases has coincided with the shift to remote and hybrid work and the deliberate targeting of remote workers.
Data breaches at financial institutions, their service providers, and credit bureaus often involve the use of stolen credentials and compromised passwords. As a result, discussions around user experience (UX) and security are becoming increasingly popular in the authentication space. Due to changing business and security risks, as well as the availability of newer technologies, many organisations are seeking to adopt better methods of authentication that go beyond the traditional username and password. While the elimination of passwords has been a goal for a long time, it is finally starting to gain real traction in both workforce and consumer use cases.
By modernising their authentication methods and eliminating passwords, financial organisations can implement an approach that is scalable, secure, and user-friendly. For years, IT professionals have discussed the idea of removing passwords from the authentication flow. The problem with passwords is that they can easily be stolen, guessed, and compromised. Password resets can also be costly and time-consuming. Thus, relying on passwords for security has become increasingly risky and problematic for organisations in the financial industry.
With the rise of financial technology (fintech), which uses mobile devices and applications to facilitate financial services, many banks and financial institutions started to use fingerprints and other biometrics to enrol and authenticate their users. Initially, privacy and security were the primary concerns of organisations and individuals when it came to biometric authentication. While these concerns are still prevalent and justifiable, biometric authentication has gradually become increasingly accepted and even embraced by most users.
Biometrics is not a new concept or a new technology. Nevertheless, the rise of biometrics as a service has created a competitive, innovative, and dynamic market segment, thereby propelling the demand for passwordless technologies. The concept of passwordless authentication is already innovative in and of itself. The term passwordless authentication is used to describe a set of identity verification solutions that remove the password from all aspects of the authentication flow, and from the recovery process as well. If users lose or change devices, their accounts must remain accessible. To ensure users can securely regain access to their accounts without sacrificing user experience, a variety of trusted recovery options should be available.
Some of the distinctive features of passwordless authentication solutions include the ability to support a wide range of authenticators, the use of biometric technology and public key cryptography, a consistent login experience across all devices, the introduction of a frictionless yet secure user experience, and support for legacy applications and services, among other things. Passwordless solutions are typically used alongside other authentication processes, such as multifactor authentication (MFA) or single sign-on (SSO), and are becoming more popular as an alternative to traditional username and password authentication.
Passwordless authentication solutions must provide customers of financial organisations with a smooth and frictionless user experience, but not at the expense of security. By continuously verifying whether each registered device meets the security requirements, passwordless authentication solutions validate and ensure that each device belongs to an authorised user. Risk signals drawn from the user and the device's security posture include a jailbroken/rooted check, device location and geofencing, the presence of a secure enclave, the presence of anti-malware, whether biometric authentication and the firewall are enabled, hard drive encryption status, and OS version, among others.
In addition, many passwordless solutions on the market provide cryptographically signed transaction confirmations that follow FIDO's 'What you see is what you sign' principle, which is fully compliant with PSD2 Strong Customer Authentication. PSD2 is a new European regulatory requirement that aims to reduce fraud and make online and contactless offline payments more secure. In Europe, the collection of personal data by consumer IAM and authentication systems must adhere to a growing number of standards and privacy regulations. Financial organisations are also subject to Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations in various jurisdictions globally.
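The 'What you see is what you sign' transaction confirmation described above, as an added example that is not part of the original article: a minimal relying-party (RP) and authenticator exchange in Go, where the RP's per-transaction challenge and the exact transaction details shown to the user are signed together, and the RP verifies the signature against the transaction it is about to execute rather than against anything the client reports. Ed25519 and the JSON encoding of the transaction are assumptions for illustration (FIDO authenticators commonly use ECDSA P-256 and CBOR instead).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Transaction is exactly what the authenticator displays. Amount is a decimal
// string so the signed bytes never depend on float formatting.
type Transaction struct {
	Payee    string `json:"payee"`
	Amount   string `json:"amount"`
	Currency string `json:"currency"`
}

// NewDeviceKey enrols an authenticator: the private key stays on the device,
// the public key is registered with the RP.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signedMessage binds the RP's challenge to a canonical encoding of the
// displayed transaction; fixed struct field order keeps json.Marshal deterministic.
func signedMessage(challenge []byte, tx Transaction) []byte {
	txJSON, _ := json.Marshal(tx) // cannot fail: only plain string fields
	return append(append([]byte{}, challenge...), txJSON...)
}

// NewChallenge (RP side) issues a fresh 32-byte random nonce per transaction.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Confirm (authenticator side) signs exactly the transaction the user saw.
func Confirm(priv ed25519.PrivateKey, challenge []byte, shown Transaction) []byte {
	return ed25519.Sign(priv, signedMessage(challenge, shown))
}

// Verify (RP side) rebuilds the message from the challenge it issued and the
// transaction it intends to execute, so altered details or a stale challenge fail.
func Verify(pub ed25519.PublicKey, issued []byte, intended Transaction, sig []byte) error {
	if !ed25519.Verify(pub, signedMessage(issued, intended), sig) {
		return errors.New("signature does not cover the transaction to be executed")
	}
	return nil
}
```

Because Verify never trusts a client-supplied copy of the transaction, malware that alters the amount after the user approved the displayed one produces a confirmation the RP rejects.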
Passwordless authentication can be implemented across different industries wherever identification and authentication are required. The practicability of passwordless authentication depends on the use cases it is intended to address. As a result, there is a great deal of variation in the deployment, usability, and interoperability of both the different passwordless modalities and the vendor implementations. A growing number of cybersecurity threats pose significant risks to banks and financial services organisations, resulting in millions of dollars in losses and stiff penalties for regulatory non-compliance. Thankfully, the passwordless authentication market is growing rapidly. If implemented successfully, a passwordless authentication solution will not only increase security and drastically reduce fraud but also deliver a convenient and frictionless user experience.
This editorial was initially published in the Financial Crime and Fraud Report 2023, which dives into the world of fraud management, digital onboarding, and financial crime in the financial services industry.
Alejandro Leal is specialised in digital transformation in the public and private sectors, managing a business in today’s geopolitical context, and governance in artificial intelligence and cyberspace.
KuppingerCole Analysts is an international and independent IT analyst organisation headquartered in Europe, with a presence worldwide. We specialise in the strategic management of digital identities, privileges, authentication, and access control as well as cybersecurity and business resilience.