For financial institutions, authentication, determining whether someone entering a system is who they say they are, is essential, since the people logging on are dealing with other people’s money and sensitive personal information. Authentication is a crucial way financial institutions maintain security, which is a top priority because breaches are very costly.
A recent survey found that 45% of financial services organisations had been hit by cyber-attacks, compared to 17% of other types of firms and institutions. Bearing the brunt of attacks in this way, financial institutions need to do all they can to ensure breaches do not occur, so that they maintain the trust of their customers.
Financial institutions have commonly experienced haphazard, organic growth of the systems that run their business, so they often end up with a widely diverse, non-unified mix of systems that users must log in to – resulting in lots of passwords, very cumbersome provisioning processes, and a great deal of IT involvement in granting people the access they need.
Authentication is the linchpin of security. If different applications and systems authenticate in different ways, there will generally be a higher risk, because while one approach may be strong, another may be weaker.
Usually, efforts made to alleviate the problem either reduce productivity, by making authentication more difficult in order to ensure security, or reduce security, by making authentication easy to establish and therefore easier for someone to steal the credentials. The real problem financial institutions face, then, is a lack of unity, a lack of consistency, and difficulty managing the complexity of securing highly diverse environments and user populations.
Authentication, then, is a massive issue for financial institutions, and not only because it costs a considerable amount. For example, one large bank is known to have spent up to $1M a month in IT costs to reset passwords for its retail tellers.
It is also an issue because financial institutions rely on authentication to maintain security, which keeps their corporate reputation intact and ultimately keeps them in business.
The problem they face is that people forget their passwords, yet a breach of a user password is still a significant issue for security. In the above scenario, each retail teller had access to about 12 different systems, and each one had a different password, which meant they often forgot one or more passwords and needed to call IT for help.
In addition, financial institutions need to use stronger authentication for certain financial transactions than what would generally be in place for regular transactions.
Therefore certain users, applications and transactions require second-factor authentication, which means more calls to IT for help. Despite this, the increased security offered by this approach means second-factor authentication is becoming increasingly prevalent in financial institutions.
However, this is usually very difficult to achieve and often makes customers’ and employees’ lives miserable with mandatory strong passwords and two-factor authentication.
The Catch-22 is that while customers want ease of use, they also want security. Unfortunately, for financial institutions to achieve top security, ease of use is not part of the equation.
Some things can be done to alleviate the problem and simplify the process. Firstly, leveraging the secure and unified authentication capabilities of Active Directory (AD) and extending it to other applications can help reduce calls to help desks. Secondly, implementing targeted multi-factor authentication – for example, for users logging in remotely, accessing specific systems, or performing particularly sensitive tasks – can go a long way to mitigating the password problem without a sweeping change in user behaviour.
Thirdly, a good password policy and consistent enforcement are essential, and single sign-on is even better. No matter how good your approach is, if a user must have 20 passwords, all with high complexity rules, they are inevitably going to write them down – and that creates a risk. Finally, basing as much authentication as possible on AD by far offers the biggest bang for the buck. Everyone has AD, and AD has an innately secure authentication method. It is also usually the first authentication activity performed each day by an employee.
Newer approaches look at other options such as “step-up authentication,” which is where you add context to the authentication transaction, so rather than simply requiring a username and password in all situations, you can vary the level of authentication needed based on the situation surrounding the authentication transaction.
For example, if a user is on-premises, using a company-controlled device, to get to the resources they typically access to do their job, they are only required to enter a username and password. However, as the risk level increases, you can add additional “factors” of authentication. For example, if it’s after hours, the user is coming in remotely from a personal device and is requesting access to something that they usually don’t access, you require two-factor authentication before you let them access the resources, or you could choose to deny the access altogether.
For financial institutions, authentication is crucial for security, and numerous things can be done to make the process secure and easy to use. The next step is then to look at how, once someone has authenticated, you ensure that what they are doing is authorised; in banks, you need to control what people have access to.
Common Authentication Types
Cybercriminals continually improve their attacks. As a result, security teams are facing plenty of authentication-related challenges. This is why companies are starting to implement more sophisticated incident response strategies, including authentication as part of the process. The list below reviews some standard authentication methods used to secure modern systems.
Passwords are the most common method of authentication. Passwords can be in the form of a string of letters, numbers, or special characters. To protect yourself, you need to create strong passwords that include a combination of all possible options.
However, passwords are prone to phishing attacks and bad hygiene that weakens effectiveness. An average person has about 25 different online accounts, but only 54% use different passwords across their accounts.
The truth is that there are a lot of passwords to remember. As a result, many people choose convenience over security. Most people use simple passwords instead of creating reliable passwords because they are easier to remember.
The bottom line is that passwords have many weaknesses and are not sufficient in protecting online information. Hackers can easily guess user credentials by running through all possible combinations until they find a match.
Multi-Factor Authentication
Multi-Factor Authentication (MFA) is an authentication method that requires two or more independent ways to identify a user. Examples include codes generated from the user’s smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition.
MFA authentication methods and technologies increase the confidence of users by adding multiple layers of security. MFA may be a good defence against most account hacks, but it has its pitfalls. People may lose their phones or SIM cards and not be able to generate an authentication code.
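The smartphone-generated codes mentioned above are usually time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the original article, showing the server side of that factor: deriving the code from a shared secret and the current 30-second step, tolerating one step of clock drift, comparing in constant time, and refusing a code that has already been redeemed so that a captured code cannot be replayed. The secret used in `main` is the RFC test secret, chosen only so the output can be checked against the RFC vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes an RFC 4226 one-time code from a shared secret and a counter.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// stepSeconds is the RFC 6238 default time step shared by the app and the server.
const stepSeconds = 30

// totpStep maps a Unix timestamp to its time-step counter.
func totpStep(unix int64) uint64 { return uint64(unix / stepSeconds) }

// Verifier is the server-side state kept per enrolled user.
type Verifier struct {
	secret   []byte
	digits   int
	skew     uint64 // steps accepted either side of "now" to tolerate clock drift
	lastStep uint64 // highest step already redeemed; anything at or below it is a replay
}

// Verify accepts code if it matches a step inside the drift window that has not
// been used before. The comparison is constant-time so response timing does not
// leak how many leading digits were correct.
func (v *Verifier) Verify(code string, now int64) bool {
	current := int64(totpStep(now))
	for delta := -int64(v.skew); delta <= int64(v.skew); delta++ {
		step := uint64(current + delta)
		if step <= v.lastStep {
			continue // already redeemed, or older than the last redeemed code
		}
		expected := hotp(v.secret, step, v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226/6238 test secret, used here only so output is checkable; real
	// secrets are random and provisioned to the authenticator app at enrolment.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := hotp(secret, totpStep(now), 6)
	fmt.Println("current code:", code)
	v := &Verifier{secret: secret, digits: 6, skew: 1}
	fmt.Println("first use accepted:", v.Verify(code, now))
	fmt.Println("replay accepted:", v.Verify(code, now))
}
```

Note the replay guard also closes the "lost phone" gap only partially: it stops a code being used twice, but recovery from a lost device still needs backup codes or a re-enrolment process, which this block does not cover.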
Certificate-based authentication technologies identify users, machines or devices by using digital certificates. A digital certificate is an electronic document based on the idea of a driver’s license or a passport.
The certificate contains the digital identity, including a public key and the digital signature of a certification authority. Digital certificates prove the ownership of a public key and are issued only by a certification authority.
Users provide their digital certificates when they sign in to a server. The server verifies the credibility of the digital signature and the certificate authority. The server then uses cryptography to confirm that the user has the correct private key.
Biometric authentication is a security process that relies on the unique biological characteristics of an individual. Here are key advantages of using biometric authentication technologies:
- Natural characteristics can be easily compared to authorised features saved in a database.
- Biometric authentication can control physical access when installed on gates and doors.
- You can add biometrics into your multifactor authentication process.
Biometric authentication technologies are used by consumers, governments and private corporations, including airports, military bases, and national borders. The technology is increasingly adopted due to the ability to achieve a high level of security without creating friction for the user. Standard biometric authentication methods include:
- Facial recognition—matches the different face characteristics of an individual trying to gain access to an approved face stored in a database. Face recognition can be inconsistent when comparing faces at different angles or comparing people who look similar, like close relatives. Facial liveness technology prevents spoofing.
- Fingerprint scanners—match the unique patterns on an individual’s fingerprints. Some new versions of fingerprint scanners can even assess the vascular patterns in people’s fingers. Fingerprint scanners are currently the most popular biometric technology for everyday consumers, despite their frequent inaccuracies. This popularity can be attributed to iPhones.
- Speaker recognition—also known as voice biometrics, examines the patterns in a speaker’s speech, including the specific shapes and sound qualities they form. A voice-protected device usually relies on standardised words to identify users, just like a password.
- Eye scanners—include technologies like iris recognition and retina scanners. Iris scanners project a bright light towards the eye and search for unique patterns in the coloured ring around the eye's pupil. The patterns are then compared to approved information stored in a database. Eye-based authentication may suffer inaccuracies if a person wears glasses or contact lenses.
Token-based authentication technologies enable users to enter their credentials once and receive a unique encrypted string of random characters in exchange. You can then use the token to access protected systems instead of entering your credentials all over again. The token acts as a digital receipt proving that you already have access permission. Use cases of token-based authentication include RESTful APIs that are used by multiple frameworks and clients.
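As an added example (not code from the original article), here is a minimal bearer-token issuer and validator of the kind a REST API would sit behind: once the credential check has passed, the server returns a token whose payload (subject, expiry, random id) is protected by an HMAC-SHA256 tag under a key only the server holds. On each later request the tag is checked in constant time before the payload is decoded, and the expiry is enforced, so a tampered, forged or stale token is rejected without any server-side session state. The signing key and the user name `alice` are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is what the token carries; the client can read it but cannot alter it.
type claims struct {
	Subject string `json:"sub"`
	Expires int64  `json:"exp"` // Unix seconds
	ID      string `json:"jti"` // random per-token id, makes every token unique
}

// Issuer holds the server-side signing key. Clients never see it.
type Issuer struct {
	key []byte
}

func (i *Issuer) tag(payload string) []byte {
	m := hmac.New(sha256.New, i.key)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// Issue is called once the user's credentials have been checked; it returns
// the bearer token the client presents on later API calls.
func (i *Issuer) Issue(subject string, now time.Time, ttl time.Duration) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	body, err := json.Marshal(claims{
		Subject: subject,
		Expires: now.Add(ttl).Unix(),
		ID:      base64.RawURLEncoding.EncodeToString(id),
	})
	if err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + base64.RawURLEncoding.EncodeToString(i.tag(payload)), nil
}

// Validate returns the subject of a token that carries a correct tag and has
// not expired. The tag is checked before the payload is decoded, so nothing
// inside an unauthenticated token is ever trusted.
func (i *Issuer) Validate(token string, now time.Time) (string, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	payload, encodedTag := parts[0], parts[1]
	got, err := base64.RawURLEncoding.DecodeString(encodedTag)
	if err != nil || subtle.ConstantTimeCompare(got, i.tag(payload)) != 1 {
		return "", errors.New("invalid signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return "", errors.New("malformed payload")
	}
	var c claims
	if err := json.Unmarshal(body, &c); err != nil {
		return "", err
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return "", errors.New("token expired")
	}
	return c.Subject, nil
}

func main() {
	// Constructed demo key; a deployment loads a random 32-byte key from a secret store.
	issuer := &Issuer{key: []byte("demo-key-do-not-use-in-production")}
	token, err := issuer.Issue("alice", time.Now(), 15*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", token)
	subject, err := issuer.Validate(token, time.Now())
	fmt.Println("subject:", subject, "err:", err)
}
```

Because the token is self-contained, it cannot be revoked before its expiry; keeping the lifetime short (minutes, with a separate refresh flow) is what limits the damage if one leaks, and the random `jti` gives you a value to block-list if you do need early revocation.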
There are now many different authentication processes that can be used to validate a user’s identity.
- Single Sign-On (SSO) allows users to leverage a single set of login credentials to access multiple applications. Think using your Facebook or Google login to access several different applications. A technique called federation is used by SSO systems when the applications you are logging into are spread across other domains. Industry standards like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) facilitate this process.
- Multi-Factor Authentication (MFA) requires multiple means of authentication. One example is logging into a website with your username and password, but then you are asked to provide a one-time access code that the website sends to the user’s cell phone. The goal is to create multiple security layers to provide a higher level of assurance during the authentication step.
- Consumer Identity and Access Management (CIAM) solutions provide features like customer registration, self-service account management, and consent and preference management, but they also offer multiple authentication features. Some of those features, like SSO and MFA, have been covered above; CIAM solutions typically have a user interface that is tailored for end-user populations as opposed to employees.
With these modern authentication techniques, we can uncover additional information about a user beyond who they are. For example, we can determine geolocation, time of day, role, company, language preferences, whether they have a paid account for our service, whether they are carrying out an action on their behalf or for someone else, etc. In addition, CIAM systems manage user profiles, preferences and consent settings. This data (attributes) is beneficial for an authorisation service, such as an Attribute-Based Access Control (ABAC) system.
From an architecture perspective, managing authentication separately from authorisation provides additional benefits. This approach allows you to utilise the type of user management and authentication suitable for the risk level of the application or group of applications. Flexibility is important at this time because so much industry effort is being devoted to multi-factor authentication techniques that can reduce reliance on weak passwords and deal with the myriad of security threats that also continue to evolve rapidly.
Combining Authentication And Attribute-based Access Control
Authentication and ABAC interrelate and can interoperate to become a potent tool. Typically, organisations, large or small, have complicated requirements for granting employees access to protected resources. In this digital age, that community of users is growing exponentially to include customers, partners, joint venture organisations and so on. ABAC systems utilise policies and rules to easily navigate and enforce access based on the rich user data available through the authentication layer.
Access to generally available resources and functions within an organisation likely requires only a minimum strength of authentication; anyone in the organisation can access them anywhere at any time.
However, for sensitive information assets or transactions that exceed a certain threshold, the ABAC service can redirect the employee, customer or partner to complete MFA before the access is granted. Then the ABAC policies can also decide what actions the employee can take once they are properly authenticated. This loose coupling of authentication and authorisation is an example of the flexibility mentioned earlier - the MFA technique can be changed as those technologies evolve or as the risk tolerance for access to data is updated.
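The step-up scenario described earlier (on-premises on a managed device, password only; after hours from a personal device to an unusual resource, MFA or deny) and the ABAC redirect-to-MFA flow in this section are the same mechanism seen from two sides: a policy over subject, resource and context attributes that returns permit, deny, or "come back with a stronger factor". The added example below, which is not code from the original article, expresses that as an ordered rule list with default-deny, where the authentication strength the user arrived with is just another attribute, and re-evaluates after MFA completes. The rule set, resource names and sensitivity scale are constructed for illustration, not a recommended baseline.

```go
package main

import "fmt"

// Decision is what the policy returns for one access request.
type Decision int

const (
	Deny   Decision = iota // refuse outright
	StepUp                 // redirect the user to MFA, then re-evaluate
	Permit                 // grant as requested
)

func (d Decision) String() string { return [...]string{"Deny", "StepUp", "Permit"}[d] }

// Authentication strength reported by the authentication layer.
const (
	PasswordOnly = 1
	MFA          = 2
)

// Request bundles subject, resource and context attributes (constructed schema).
type Request struct {
	User, Role    string
	Resource      string
	RequiredRole  string // empty means any role may request it
	Sensitivity   int    // 1 = general, 2 = confidential, 3 = restricted
	AuthLevel     int
	OnPremises    bool
	ManagedDevice bool
	AfterHours    bool
	UsualResource bool // part of the user's normal job
}

// Rule is one ordered policy entry; the first matching rule decides.
type Rule struct {
	Name string
	When func(Request) bool
	Then Decision
}

// evaluate applies the rules in order and falls through to default-deny.
func evaluate(rules []Rule, r Request) (Decision, string) {
	for _, rule := range rules {
		if rule.When(r) {
			return rule.Then, rule.Name
		}
	}
	return Deny, "default-deny"
}

// bankPolicy is a constructed example policy. Denies come first, then step-ups,
// then permits, so a stronger factor can never unlock something that is forbidden.
var bankPolicy = []Rule{
	{"deny-wrong-role", func(r Request) bool { return r.RequiredRole != "" && r.Role != r.RequiredRole }, Deny},
	{"deny-restricted-on-unmanaged-device", func(r Request) bool { return r.Sensitivity >= 3 && !r.ManagedDevice }, Deny},
	{"stepup-sensitive-without-mfa", func(r Request) bool { return r.Sensitivity >= 2 && r.AuthLevel < MFA }, StepUp},
	{"stepup-unusual-remote-access", func(r Request) bool {
		return !r.OnPremises && !r.ManagedDevice && (r.AfterHours || !r.UsualResource) && r.AuthLevel < MFA
	}, StepUp},
	{"permit-trusted-context", func(r Request) bool { return r.OnPremises && r.ManagedDevice && r.UsualResource }, Permit},
	{"permit-after-mfa", func(r Request) bool { return r.AuthLevel >= MFA }, Permit},
	{"permit-general-resources", func(r Request) bool { return r.Sensitivity <= 1 }, Permit},
}

// authorise runs the policy and, when MFA is demanded, lets completeMFA stand in
// for the redirect to the MFA service, then evaluates again with the stronger level.
func authorise(r Request, completeMFA func() bool) (Decision, []string) {
	d, rule := evaluate(bankPolicy, r)
	trail := []string{rule}
	if d != StepUp {
		return d, trail
	}
	if !completeMFA() {
		return Deny, append(trail, "mfa-failed")
	}
	r.AuthLevel = MFA
	d, rule = evaluate(bankPolicy, r)
	return d, append(trail, rule)
}

func main() {
	late := Request{User: "t.jones", Role: "teller", Resource: "customer-360", Sensitivity: 2,
		AuthLevel: PasswordOnly, AfterHours: true} // remote, personal device, after hours
	d, trail := authorise(late, func() bool { return true })
	fmt.Println(d, trail)
}
```

The decision trail is returned alongside the decision so that every step-up and denial can be logged with the rule that caused it; that is what lets the security operations team tune the policy from evidence rather than complaints.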
As controlling access to information becomes more complex, it will become increasingly important to combine cross-domain identity protocols to solve real-world business problems. By combining the correct authentication protocols with an ABAC model, organisations can securely share critical information while improving the experience for all the users involved.
Exploring Authentication Options For Better Security
Since 63% of confirmed data breaches can be linked to weak, default or stolen passwords, the time has come for businesses to seek more reliable authentication methods. The increasing complexity of the cybersecurity landscape has rendered traditional passwords all but useless, and a nuanced approach to access management is necessary to protect against emerging threats.
Confirming Identity With Context
Contextual authentication takes users’ habits into account when determining whether to grant or deny access. It’s rare for users to deviate from their routines, so behaviour patterns tend to be predictable. These patterns provide the context in which it’s “safe” for the system to authorise login attempts. Hackers using stolen credentials will find it difficult to replicate the exact circumstances under which users access their accounts, and contextual authentication enables flagging of unusual behaviours.
High numbers of false positives may be returned with this authentication method if contextual details are lacking. The system can “learn” new patterns over time, but providing comprehensive user profiles during implementation prevents the IT department from being swamped with alerts. When given enough information, contextual authentication monitors users’ sessions in the background and prompts for additional authenticating factors only when deviant behavioural or circumstantial factors are detected.
Adapting With Risk Evaluation
Evaluating risk levels is a critical component of contextual authentication and can be invaluable in network environments where different degrees of security are required in everyday workflows. By considering the likelihood that a system will be compromised, this authentication method can grant access based on the risk involved in specific situations. Circumstances are evaluated and given risk “scores,” which the system uses to determine whether additional credentials are required before allowing users to proceed.
The dynamic nature of a risk-based authentication model makes it possible for systems to adapt to context, evaluate individual access requests and respond appropriately. Businesses can integrate other authentication methods, such as biometrics or one-time passwords (OTPs), to provide extra layers of security. A properly configured system handles most potential threats on its own and doesn’t alert the IT department unless it encounters a severe breach attempt requiring human intervention.
Pinpointing Users With Geolocation
Geolocation provides a significant amount of information about the owner of a device, which can confirm identity to authorise a transaction. Businesses may use geolocation to prevent hackers from making purchases using stolen credentials by comparing a user’s delivery address to their physical location when placing an order. Geolocation can also detect significant deviations from a user’s standard login location or determine whether an authenticating device is in the same location as the individual requesting system access.
The use of geolocation allows for granular access control in organisations handling sensitive information. A business may, for example, restrict its employees to logging onto the network only from within specific office locations. This ensures data is never shared over connections businesses can’t monitor, such as unsecured public Wi-Fi. Access rules may be adjusted to include other areas when employees travel or companies expand into additional locations.
Geolocation isn’t infallible. It requires a solid cellular signal or Wi-Fi connection to work as intended. It is no longer a viable authentication method if a device is stolen along with a user’s access credentials or a customer’s credit cards. However, it can provide valuable information when used as part of a broader contextual authentication strategy.
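The contextual, risk-scoring and geolocation sections above describe one pipeline: a per-user baseline learned from past sessions, a score for how far a new attempt deviates from it, and thresholds that map the score to "allow silently", "ask for another factor" or "block and alert". The added example below (not code from the original article) implements that pipeline, including the geolocation signals: a new country, and "impossible travel", where the distance from the last login divided by the time elapsed exceeds airliner speed. The weights, thresholds, 900 km/h cut-off and the coordinates in the test data are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Attempt is the context captured for one login (constructed schema).
type Attempt struct {
	Device, Country string
	Lat, Lon        float64
	At              time.Time
}

// Profile is the per-user behaviour baseline learned from past sessions.
type Profile struct {
	Logins     int
	Devices    map[string]int
	Countries  map[string]int
	HourCounts [24]int
	Last       *Attempt
}

func NewProfile() *Profile {
	return &Profile{Devices: map[string]int{}, Countries: map[string]int{}}
}

// Learn folds a successfully authenticated session into the baseline.
func (p *Profile) Learn(a Attempt) {
	p.Logins++
	p.Devices[a.Device]++
	p.Countries[a.Country]++
	p.HourCounts[a.At.Hour()]++
	last := a
	p.Last = &last
}

// haversineKm is the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthRadius = 6371.0
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadius * math.Asin(math.Sqrt(h))
}

// Score rates how far an attempt deviates from the baseline and says why.
// Weights are constructed for illustration; a deployment tunes them on its own data.
func (p *Profile) Score(a Attempt) (int, []string) {
	if p.Logins == 0 {
		return 50, []string{"no history yet: enrol with an extra factor"}
	}
	score, reasons := 0, []string{}
	if p.Devices[a.Device] == 0 {
		score += 30
		reasons = append(reasons, "unknown device")
	}
	if p.Countries[a.Country] == 0 {
		score += 30
		reasons = append(reasons, "new country")
	}
	if p.HourCounts[a.At.Hour()] == 0 {
		score += 20
		reasons = append(reasons, "unusual hour")
	}
	if p.Last != nil {
		km := haversineKm(p.Last.Lat, p.Last.Lon, a.Lat, a.Lon)
		hours := a.At.Sub(p.Last.At).Hours()
		if hours > 0 && km/hours > 900 { // faster than an airliner
			score += 40
			reasons = append(reasons, "impossible travel")
		}
	}
	return score, reasons
}

type Outcome int

const (
	Allow  Outcome = iota // silent, no friction
	StepUp                // ask for another factor
	Block                 // refuse and raise an alert for IT
)

// decide maps a risk score to an action using constructed thresholds.
func decide(score int) Outcome {
	switch {
	case score < 30:
		return Allow
	case score < 70:
		return StepUp
	default:
		return Block
	}
}

func main() {
	p := NewProfile()
	p.Learn(Attempt{"laptop-1", "GB", 51.5074, -0.1278, time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)})
	score, why := p.Score(Attempt{"laptop-1", "US", 40.7128, -74.0060, time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)})
	fmt.Println(score, decide(score), why)
}
```

Two design points matter for the false-positive problem the text raises: `Learn` is only called after a fully authenticated session, so an attacker who fails step-up does not teach the profile their device, and a profile with no history scores into the step-up band rather than the block band, so new users are enrolled with an extra factor instead of flooding IT with alerts.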
How To Improve User Authentication
Now that you understand how user authentication works and have discovered some of the many ways users can authenticate their identities, it’s time to see how you can improve your process. If you want to make your login process more secure, user-friendly, or a combination of both, these best practices can help.
Encourage Stronger Passwords to Improve Security
We know that passwords aren’t a good idea because of the various vulnerabilities that insecure user-generated credentials bring with them. However, it can take time to migrate the entire internet (or even just your users) to a completely password-free online experience.
In the meantime, if your organisation decides to do one thing to improve your existing password-based authentication system, it should be to encourage users to create better passwords. With stronger credentials, your users’ information has a better chance of staying protected.
Organisations should not only encourage users to create stronger passwords but also enforce these guidelines internally so that employees maintain secure accounts as well. When improving (and encouraging users to improve) passwords, here are a few things to keep in mind:
- Longer passwords are more secure. Security experts suggest that you create passwords with a minimum of 8 characters, but we recommend creating passwords closer to 12 characters in length.
- Passwords should have a mix of characters. Passwords with a random combination of uppercase and lowercase letters, numbers, and symbols are harder to crack.
- Users should avoid using formulas when generating passwords. The truth is that patterns and procedures make it easy for hackers to guess your password and can offer users a false sense of security.
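The three guidelines above translate directly into an enforceable policy check, shown here as an added example that is not code from the original article: a 12-character minimum (the article's recommendation rather than the 8-character floor), at least three character classes, and rejection of the common formulas: repeated characters, sequential runs, keyboard rows, the "word, then a number, then a symbol" shape, and embedded years. The detection heuristics and the sample passwords are constructed for the example; a deployment would add a check against a breached-password list as well.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

const minLength = 12

// Keyboard rows; a 4-character slice of one (or its reverse) counts as a pattern.
var keyboardRows = []string{"qwertyuiop", "asdfghjkl", "zxcvbnm"}

// Constructed heuristics for the "word + number + symbol" formula and for years.
var (
	formula = regexp.MustCompile(`^[A-Za-z]+[0-9]{1,4}[^A-Za-z0-9]{0,2}$`)
	year    = regexp.MustCompile(`(19|20)[0-9]{2}`)
)

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// isRun reports whether consecutive runes step by exactly +1 or -1 (abcd, 4321).
func isRun(w []rune) bool {
	up, down := true, true
	for i := 1; i < len(w); i++ {
		up = up && w[i] == w[i-1]+1
		down = down && w[i] == w[i-1]-1
	}
	return up || down
}

// check returns every policy violation for pw; an empty result means it passes.
func check(pw string) []string {
	var problems []string
	seen := map[string]bool{}
	note := func(msg string) {
		if !seen[msg] {
			seen[msg] = true
			problems = append(problems, msg)
		}
	}
	runes := []rune(pw)
	if len(runes) < minLength {
		note(fmt.Sprintf("shorter than %d characters", minLength))
	}
	classes := map[string]bool{}
	for _, r := range runes {
		switch {
		case unicode.IsLower(r):
			classes["lower"] = true
		case unicode.IsUpper(r):
			classes["upper"] = true
		case unicode.IsDigit(r):
			classes["digit"] = true
		case !unicode.IsSpace(r):
			classes["symbol"] = true
		}
	}
	if len(classes) < 3 {
		note("uses fewer than 3 of: lowercase, uppercase, digits, symbols")
	}
	lowered := []rune(strings.ToLower(pw))
	for i := 0; i+3 <= len(lowered); i++ {
		if lowered[i] == lowered[i+1] && lowered[i+1] == lowered[i+2] {
			note("repeats a character three or more times")
		}
	}
	for i := 0; i+4 <= len(lowered); i++ {
		w := lowered[i : i+4]
		if isRun(w) {
			note("contains a sequential run such as abcd or 4321")
		}
		for _, row := range keyboardRows {
			if strings.Contains(row, string(w)) || strings.Contains(reverse(row), string(w)) {
				note("contains a keyboard-row pattern such as qwerty")
			}
		}
	}
	if formula.MatchString(pw) {
		note("follows the word+number+symbol formula")
	}
	if year.MatchString(pw) {
		note("contains a year")
	}
	return problems
}

func main() {
	for _, pw := range []string{"Password1!", "Welcome2024!", "M7#kq!pV2wLz$"} {
		fmt.Printf("%-16s %v\n", pw, check(pw))
	}
}
```

Returning every violation at once, rather than the first one, is deliberate: a user who is told only "too short" will add a digit and hit the next rule, which is exactly the frustration that drives people to write passwords down.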