A Modern Authentication Model for The Financial Industry

Shimrit Tzur-David | April 16, 2018

The modern financial sector has been fully integrated into the digital sphere.

Today’s online financial domain, made up of banks and other intermediaries, circulates billions of dollars around the world daily.

Understandably, such a domain makes for a highly lucrative target for cybercriminals. Unfortunately, companies have been losing this fight. Hackers are becoming more sophisticated, deploying blended threats against banking and payment networks. This comes as bad news for enterprises trying to stop online fraud and illegitimate access to their monetary accounts.

What the industry needs is a reassessment of its online authentication strategy. Reforming and updating the methods employed to protect digital identities is what will keep the cybersphere a safe domain for the financial sector.

Financial Industry Authentication Strategy 101

Industry leaders have long understood the risk associated with financial operations on the internet. Nearly two decades ago, the Federal Financial Institutions Examination Council (FFIEC) issued guidelines on authentication for the electronic banking environment. As online financial crime rose, and the tactics of criminals diversified, it was quickly understood that the way companies were going about securing their accounts was lacking in two basic ways.

First, no single form of authentication was going to stand in the way of cybercriminals. In the past several years, the most common “second-factor” methods, including SMS and facial recognition, have been shown to be vulnerable when it comes to protecting financial accounts. Every method seemed to have its weakness. There was no magic bullet.

Second, standardizing authentication requirements across all types of operations and transactions was inefficient and also misguided. Why require the same level of security for relatively benign actions, such as an initial account login, as for operations that carry significantly more risk, such as a one-time, lump-sum monetary transfer?

From this realization emerged what came to be known as the “risk-based approach” (RBA) to securing online finance. This approach incorporates different layers of authentication into multi-factor systems and fosters adaptive methods that tailor the authentication requirements to the risk level associated with a given action.
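To make the adaptive idea concrete, here is an added example (not code from the original article or from any vendor it mentions) of a small risk-based policy engine: each action starts from a baseline risk, contextual signals such as an unrecognised device or a new payee raise the score, and the score maps onto the assurance level a session must hold before the action is allowed. All action names, weights and thresholds are constructed for illustration and are assumptions, not an industry standard.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class Assurance(IntEnum):
    """Authentication strength a session currently has, or an action requires."""
    LOW = 1     # single factor, e.g. the initial login
    MEDIUM = 2  # plus a possession factor (authenticator app, hardware token)
    HIGH = 3    # plus out-of-band confirmation that binds the transaction details


@dataclass
class Request:
    action: str
    amount: float = 0.0
    new_device: bool = False    # device fingerprint not seen for this user before
    new_country: bool = False   # geolocation differs from the user's usual country
    new_payee: bool = False     # transfer to an account this user has never paid


# Baseline risk per action type on a 0-100 scale. Constructed values for this
# example; a real deployment tunes these per institution and per product.
BASE_RISK = {
    "login": 10,
    "view_balance": 10,
    "update_profile": 30,
    "transfer": 40,
}


def risk_score(req: Request) -> int:
    """Combine the action's baseline with contextual signals into a 0-100 score."""
    score = BASE_RISK.get(req.action, 50)  # unknown actions default to medium risk
    if req.action == "transfer":
        if req.amount >= 10_000:
            score += 40
        elif req.amount >= 1_000:
            score += 20
        if req.new_payee:
            score += 15
    if req.new_device:
        score += 20
    if req.new_country:
        score += 25
    return min(score, 100)


def required_assurance(score: int) -> Assurance:
    """Map the score onto the assurance level the policy demands."""
    if score >= 70:
        return Assurance.HIGH
    if score >= 40:
        return Assurance.MEDIUM
    return Assurance.LOW


def decide(req: Request, session: Assurance) -> Tuple[str, Assurance]:
    """Allow the action if the session already meets the required level;
    otherwise request a step-up to that level. A session is never downgraded."""
    need = required_assurance(risk_score(req))
    return ("allow" if session >= need else "step_up", need)


if __name__ == "__main__":
    # A routine balance check passes on a plain login, a large transfer to a
    # new payee from a new device does not.
    print(decide(Request("view_balance"), Assurance.LOW))
    print(decide(Request("transfer", amount=25_000, new_payee=True, new_device=True),
                 Assurance.LOW))
```

The point of the split between `risk_score` and `required_assurance` is operational: the signals and weights are what the security team tunes, while the thresholds are what the product team negotiates for user experience, which is exactly the tension the article goes on to describe.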

The Perpetual Cat and Mouse

Once the principles of RBA became the industry standard, they set off a race between hackers and enterprises. Companies began the search for the strongest layers to add to their authentication schemes. Cybercriminals, for their part, started to produce techniques to circumvent these new layers, undermining leading second-factor methods. This has kicked off a seemingly endless back-and-forth, with users searching for new ways to secure their digital identities and hackers scrambling to break them.

Regulations Galore

Of course, compounding the pressure on companies to secure client accounts has been the growing body of data-protection regulation. More and more legislation governing the storage and use of sensitive information, from state-level rules such as New York’s recent DFS requirements to continent-wide regulations like GDPR, has added mounds of new responsibilities for organizations, often leaving them holding the bag in the event of a breach.

Conflicting Considerations

What ultimately emerged from this trend was that companies found themselves facing a serious conundrum.

The financial industry as a whole faced the challenge of addressing two distinct needs when it came to digital authentication. On the one hand, a seamless user experience (UX) is paramount from an operational perspective: companies want smooth UX in order to offer their clients unfettered engagement with online tools. On the other hand, opposing the aspiration for ease of use, companies must contend with a security reality that demands multiple layers of protection and additional factors for high-risk operations.

The adaptive methods of authentication that emerged to address this challenge had advantages in improving user experience, as they avoided making low-risk activities long and complicated, or high-risk activities too easy. However, such a solution requires the system administrator to set up policies, risk levels and user roles on the backend, or to trust a behavioral algorithm to make some of these assessments. This is a high-maintenance security system, requiring the security admin to act as a UX expert, and it is not very efficient for the more complicated authentication scenarios, burdening both users and administrators.

But more importantly, the vast majority of these two- or multi-layered systems are built on the weakest layer in security – the password. Passwords are a thing of the past, making life complicated for both users and admins. They are expensive, complicated to manage, and easy to hack. In addition to its complexity of setup and execution, the adaptive model does not take the problems of passwords into account.

Giving Users the Edge

The authentication solution needed by today’s online financial domain is one that will address both the UX and security needs, while simultaneously not compromising on either.

The authentication solution of Secret Double Octopus caters to all of a company’s considerations when deploying an authentication scheme. On the security end, with the Octopus Authenticator, the most powerful and reliable authentication is achieved from the initial login. Secret Double Octopus’s authentication solutions are based on Secret Sharing, the mathematically unbreakable scheme that takes data and uses randomization to compute different numbers (shares) that only together define the secret, meaning it is impossible for hackers to piece it together. This removes the need for multi-layered systems and the trust elevation of adaptive models. Additionally, the Octopus Authenticator can do away with passwords completely, along with all of the responsibilities of storing, remembering, and securing them.
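The paragraph above describes secret sharing only in outline. The following is an added example, written for this page and not code from Secret Double Octopus or any description of how their product works internally, of the classic Shamir threshold scheme that the description matches: the secret becomes the constant term of a random polynomial over a prime field, each share is one point on that polynomial, any `threshold` shares recover it by Lagrange interpolation, and fewer shares leave every value of the secret equally likely. The field prime, share counts and sample secrets are constructed choices for the example.

```python
import secrets

# Field modulus: the Mersenne prime 2^127 - 1 (a constructed choice for this
# example; any prime larger than the secret works). Working modulo a prime
# guarantees every non-zero element has an inverse, so interpolation is exact.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x mod PRIME, Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, num_shares):
    """Split an integer secret into num_shares points on a random polynomial of
    degree threshold-1 whose constant term is the secret. Any `threshold` points
    fix the polynomial (and so the secret); fewer are consistent with every secret."""
    if not 1 <= threshold <= num_shares:
        raise ValueError("need 1 <= threshold <= num_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    # a0 is the secret; a1..a(k-1) come from a cryptographically secure RNG.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Share i is the point (i, f(i)). x = 0 is never handed out: f(0) is the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial through the given points and return f(0)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_bytes(data, threshold, num_shares):
    """Convenience wrapper: a short byte string (up to 15 bytes with this PRIME) as the secret."""
    return split_secret(int.from_bytes(data, "big"), threshold, num_shares)


def recover_bytes(shares, length):
    """Inverse of split_bytes; `length` is the original byte length."""
    return recover_secret(shares).to_bytes(length, "big")


def demo(secret=0x5EC8E7):
    """3-of-5 policy: return (value from 3 shares, value from only 2 shares).
    The first equals the secret; the second is, with overwhelming probability,
    an unrelated field element, since 2 points fit a line through any f(0)."""
    shares = split_secret(secret, 3, 5)
    enough = [shares[0], shares[2], shares[4]]   # any three distinct shares
    too_few = [shares[1], shares[3]]             # below the threshold
    return recover_secret(enough), recover_secret(too_few)


if __name__ == "__main__":
    recovered, below_threshold = demo()
    print(hex(recovered), hex(below_threshold))
```

Note the two properties the scheme gives and what it does not: the threshold property means a single stolen share (for example, one held on a server) is useless on its own, but the scheme says nothing about how shares are transported, stored or bound to a device; those are protocol and implementation decisions that sit outside the mathematics.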

The security and ease of use of Secret Double Octopus technology mean businesses can offer their clients a seamless user experience and remove the nuisance of authentication, in a solution that is both intuitive and effective.