Multi-Factor Authentication in Financial Services

Multi-Factor Authentication for Financial Services

Phishing and other password-based attacks have grown significantly in the past three years and have been identified by the FBI as the top cybersecurity threat. This makes it clear that reducing risk involves hardening security around authentication.

The primary means of achieving stronger authentication is for financial services organizations to deploy multi-factor authentication. Multi-factor authentication for financial services is the same concept used in other fields where a user must provide two or more proofs of identity from:

• Knowledge: Something they know (e.g., a password or PIN)
• Possession: Something they own (e.g., a device or hardware security key)
• Inherence: Something they are (e.g., a biometric feature such as a thumbprint or retina scan)

However, not all of these factors deliver the same level of security. Any company deploying multi-factor authentication, financial services firms included, needs to recognize the flaws and workarounds that attackers can exploit, particularly when passwords or shared secrets are involved.

Cyberattacks On Financial And Banking Industries

The financial services and banking industries are among cyberattackers' most highly valued targets. Arguably, they're also the most strictly regulated in terms of data and customer protection. For the first five years of its major monitoring report on cyberattacks, IBM's X-Force found that the finance industry was the leading target for attackers. In 2021 alone, it accounted for 22.4% of attacks across all industries.

This creates a particularly fraught situation for the financial services sector due to the source of underlying risk. Successful cyberattacks have significant negative impacts on:

• Risk: The costs and market impacts of cyberattacks affect market risk through equity prices; liquidity risk through potential clean-up costs, fines and compensation; and operational risk due to restructuring of system procedures or redeployment of resources.
• Direct Costs: Per Accenture, the financial services industry has the highest costs of any vertical in dealing with cybercrime, at an average of $18.5 million. Bank of America’s CEO, Brian Moynihan, has said that their firm spends over $1 billion on cyber defense. Costs include deploying extra resources, hiring short-term specialists to resolve issues and rebuild compromised systems, and lost revenue from system downtime.
• Regulatory Compliance: The FinServ industry is highly regulated. This includes the Bank Secrecy Act, NYDFS Part 500 and CCPA in the US, and the GDPR, MiFID 2 and PSD2 in the EU. These acts mandate strong customer and data protection with significant fines levied for breaches.
• Consumer Confidence: A major knock-on effect and element of the costs suffered from cybercrime is how it affects consumers' likelihood to do business with a firm. Almost half of the respondents to a survey from Arcserve said they would walk away from their bank or financial institution immediately if it suffered a successful cyberattack.
• Insurance Costs: With the rise in the incidents of attacks and associated costs, insurers providing cyber insurance have raised premiums  for financial service providers by as much as 50%.

The Nature of FinServ Cybersecurity Threats

The 2022 X-Force report found that 46% of attacks on the financial services industry used phishing as their initial launchpad. Other password-based methods such as brute force, credential stuffing and password spraying are also being used. This highlights how critical robust authentication security is for the industry. Attackers have long recognized authentication as a relatively easy vector to crack, much easier than searching for and exploiting code or security flaws.

Successful authentication attacks give hackers a host of options to extend their attack once inside, including account takeover (ATO), server access to upload malware or ransomware, business email compromise (BEC), data exfiltration and other fraud that leverages trusted accounts.

Improving Multi-Factor Authentication in Financial Services

The Office of Management and Budget (OMB) has ordered that all federal agencies must implement phishing-resistant MFA by 2024. This type of MFA has also been mandated by cyber insurers and legislation such as the New York Department of Financial Services (NYDFS) Part 500. 

There is recognition that traditional MFA, which allows shared secrets and/or passwords as a proof of identity, is not strong enough. Read our blog: How Secure is MFA, Really? to learn more.

With that in mind, we'll look at how to strengthen the protection that multi-factor authentication in financial services can provide.

1. Remove Passwords: Since password-related attacks, such as phishing, are a key method for cyberattack attempts, eliminating passwords significantly  strengthens  multi-factor authentication in financial services. The government’s Cybersecurity and Infrastructure Security Agency (CISA) has declared the FIDO2 passwordless authentication protocols to be the ‘gold standard’ of multi-factor authentication.
2. Improve User Experience: Buy-in from employees is crucial for delivering secure multi-factor authentication in financial services, and not just from a business harmony standpoint. One of the most significant human error flaws in authentication is when frustrated users seek shortcuts to cut down on the time,  effort or frequency associated with password based logins. This includes leaving workstations permanently logged in, keeping easily accessible or written notes of all passwords used and sharing passwords with colleagues. 
3. Eliminate Gaps: Even with robust MFA, financial services firms are still at risk from gaps between devices, software and single sign-on (SSO). For example, a user logging into their desktop will be challenged for authentication and again when logging in to their SSO, applications, or network account. This creates a redundant login, user friction and a gap where one weak authentication point can give attackers unfettered system access. The solution is having a strong, passwordless MFA that takes the user from desktop to cloud with a seamless and fully secured authentication process.
4. Secure Remote Employees: The move to working from home during the pandemic has not fully reverted to the pre-2020 status quo. The more widespread use of Remote Desktop Protocol (RDP) and Virtual Desktop Infrastructure (VDI), along with personal devices and less secure work locations, has significantly broadened attack surfaces. Financial services firms need authentication that seamlessly integrates with RDP and VDI to deliver the same level of security as office networks. 

Your Partner in Phishing-Resistant MFA

The financial services industry is under heavy attack from cybercriminals and has the most to lose from successful attacks. This includes direct costs from fraud and lost income, regulatory reprimand and possible fines, lower consumer confidence and higher cyber insurance rates. In addition, with most attacks being password-based, deploying multi-factor authentication in financial services is essential for lowering organizational risk. 

This needs to move beyond a tick box item. Forward-thinking organizations should deploy the most robust and flawless MFA possible. HYPR is the only passwordless MFA platform that is FIDO Certified from end to end. It leverages public key cryptography to create a secure authentication system that completely removes all passwords and shared secrets. Moreover, an intuitive and easy-to-deploy system eliminates the trade-off between security and user experience, improving buy-in and reducing frustration and lost productivity.

Offering complete integration with all major IdPs and SSOs, as well as protection for VDIs, RDP and VPNs, HYPR’s phishing-resistant MFA is an effective tool in helping banks and financial services firms secure their employees, data and customers. To learn how HYPR is helping the financial industry ensure security, compliance and  risk reduction, download our Financial Services Solution Brief.