Authentication in the Finance Industry: Now and Next
Simon Moffatt, Guest Author, The Cyber Hut
5 Min. Read | September 2, 2022
The financial services industry – from retail banking to insurance – is facing challenges from multiple different channels: from competitive pressure and regulation to the evolving security landscape. These challenges need to be addressed whilst delivering technological and business transformation that is customer centric, cloud native and mobile ready. But can this challenging environment be a catalyst for innovation that can create an agile blueprint for security that is security proof and ready for change?
The Financial Industry Backstory
The challenges facing the modern financial landscape are numerous and varied. They range from competitive pressure by the likes of challenger banks and digital-only insurance companies to the constantly changing regulatory landscape. Historical technology choices have often resulted in a lack of agility due to siloed systems and, at times, tactical integrations. Competing solutions, often focused on a niche set of applications or services for functions such as authentication, authorization and visibility, often result in complex operational support processes and poor return on investment.
But do these challenges provide a catalyst for a more modern digital-first approach to security, identity and authentication?
The ability to respond to competitive pressure and be agile to external events is a key metric for a successful entity operating within the financial services arena. But how to achieve that? Security is no longer seen as the inhibitor to technical progress – there to merely prevent and control. Security, when deployed in a modular and decoupled fashion, actually allows the organisation to engage in more opportunities that help drive data collaboration, integration and sharing for both employees and customers alike. A strong and modular security architecture provides the foundation for greater risk reduction and improved engagement, and is ultimately revenue generating.
Where We Are Now – In Numbers
The opportunity to change and deploy a modern security architecture is being amplified by the constantly evolving threat landscape that those in the financial services industry now face. Fraud, account takeover attacks, breached credentials, account misuse and synthetic account registration are all prevalent and on the rise – often being fulfilled by automated “crime-as-a-service” platforms that can be enlisted to perform malicious activity simply by subscribing with a valid credit card. Deep technical skills are not necessary to use these platforms, and the monetary reward for a successful and highly automated attack against a financial operator is significant.
Research conducted by Vanson Bourne and commissioned by HYPR surveyed 500 IT decision makers within the financial services industry across EMEA and the USA to understand the current impact and perception of this evolving threat landscape.
A staggering 80% of those surveyed indicated a recent breach was related to existing authentication weakness – with the cost associated with authentication-related breaches averaging $2.19 million. These are costs which can no longer be ignored by those operating the identity and security landscape.
Phishing attacks, SMS one-time password interceptions and push notification attacks are on the rise and pose a significant threat to existing multi-factor authentication tools.
So what is the alternative? Existing authentication components seem to be the main weakness for both employee and consumer login and registration journeys. The key technology trend that emerged to solve both the usability and security issues for many financial institutions is that of passwordless authentication – and removing the reliance on shared secrets in general.
When surveyed, the 500 IT decision makers' responses on the benefits of passwordless authentication were pretty clear:
The one-time conflict between security and usability is no longer acceptable to the modern consumer, nor is resolving it technically unobtainable, with these two concerns seen as the main benefits of passwordless authentication.
Where We Are Heading – Security Blueprint
A decoupled and composable security landscape needs to be able to cater for broad adoption and coverage of passwordless authentication technologies.
The ability to deliver a password-free experience to both staff and customers alike is crucial. From a workflow perspective, an end-to-end “desktop to cloud” journey needs to be considered, as well as the need to integrate password-free options into a range of on-premises and cloud systems. Those integration options should include app, app-less and SDK-based capabilities for simple and broad applicability.
Also from a workforce perspective, it is common to need to replace existing MFA components such as security keys or legacy one-time password methods, whilst at the same time augmenting existing technologies such as VDI, VPN and legacy applications with the latest authentication capabilities. As many financial services organisations now leverage an identity-centric zero trust approach to security architecture, the ability to deliver an “end to end” FIDO-based authentication experience provides a security foundation that is future proof and standards based.
From a consumer point of view, use cases are slightly different – the modern security foundation needs to cater for seamless user registration and onboarding functions as well as the ability to reduce fraud and improve the overall take-up and adoption rates of MFA.
Even though financial services entities have been functioning for centuries, they continue to evolve, and today’s digital-first yet under-attack infrastructure needs to evolve too. Even whilst operating under challenging competitive and technological landscapes, the opportunity to deliver a modern and flexible security fabric has never been more available nor more beneficial.
A key component of that security fabric is the need to remove passwords from both the employee and consumer user landscape. Passwordless authentication can provide the backbone for a future proofed, secure and usable digital experience to improve user acquisition and reduce operational complexity.
For a more in-depth exploration, watch the recent webinar where I discuss the evolution of authentication within financial services with HYPR VP Product Marketing Michael Rothschild.
Simon Moffatt is Founder and Analyst at The Cyber Hut. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF. He has a 20+ year career working within the identity & access management and cyber security sectors - for vendors, system integrators and within industry.