With the coronavirus pandemic (COVID-19), there has been a 238% surge in cyberattacks against banks and financial institutions. Throughout the year, many financial services organizations have been exposed due to a poor cybersecurity infrastructure, and as many cybercriminals are getting more innovative in their cyberattack methods (cloud hijacking, AI machine manipulation, etc.), the financial services sector is always needing to evolve to stay one step ahead of the latest threats.
Additionally, more financial federal regulations force banks to improve their security or else face the risk of being fined and worse, having their customer data compromised.
Therefore, banks and financial institutions have to quickly transition in delivering an innovative security measure while providing a frictionless user experience. This leads to Multi-factor Authentication (MFA) as a solution that is a must have for banks and the financial sector as a whole.
Here are some key multi-factor authentication best practices all banks and financial services organizations need to consider.
Multi-factor Authentication is a Balancing Act
Many multi-factor authentication best practices are going to depend entirely on a given environment. However, following these four multi-factor authentication best practices as a guideline will point any bank or financial services organization in the right direction for maintaining a stable balance between usability and security.
Best Practice #1: Include "Something you are" as an authentication method
Guidelines, such as the Multi-Factor Authentication Practice Guide by NIST has brought multi-factor authentication back into the limelight.
The guide focuses on implementing multi-factor authentication for e-commerce and purchasers. By adding stronger authentication into the cybersecurity infrastructure, purchasers can protect their customers' online accounts from fraudulent purchases.
According to National Institute of Standards and Technology (NIST), multi-factor authentication requires a user to present several pieces of information when logging into their account.
- Something you know (i.e. a password)
- Something you have/own (i.e. a smart card)
- Something you are (i.e. a fingerprint)
To access your account with an added multi-factor authentication measure, the user must provide at least two of the above. This enhances security since cybercriminals will have to overcome hurdles to gaining access beyond a user's password or pin.
However not all factors are created equal. The strongest factors are based on "something you are", or biometrics, which when deployed cannot be stolen and positively identify the individual, unlike hardware tokens and mobile devices.
Where multi-factor authentication is absolutely necessary, it is important to choose the right device for the situation. Many hardware tokens (such as RSA or even YubiKey) are not useful for all situations, and become more of a hassle than anything else. There is cost and IT overhead in managing and providing these tokens to users.
On the other hand the industry and many organizations have taken the route to implementing a mobile or phone-based authenticator or something similar. While this has become a standard approach, it is flawed as well. A recent Gartner Market Guide for User Authentication stated the 5-15% of employees and 50% of customers will struggle to use phone-based authentication methods. Also these methods are limited in that they only identify that "someone" has access or possession of the device. This does not identify that the individual is who they say they are.
Again the only way to positively identify the individual is through biometric authentication. Also biometrics provide the highest level of convenience as the user has "possession" of the authenticator at all times - such as their fingerprint, voice, or palm.
Best Practice #2: Set the Appropriate Security Policies
The security policy is the foundation for strong digital security. In banks and financial services organizations security policies are critical to ensure the proper controls, risk mitigation, and compliance requirements are in place. You security policy is what determines the structure of your identity and access management (IAM) strategy, and which multi-factor authentication methods need to be implemented.
In order to maintain the strength of that policy foundation, it is important to apply the appropriate security policy not only at the organization level, but also down to the group and even individual user. This also helps maintain that fine balance between usability and security. When implementing multi-factor authentication, additional security will only be required when absolutely necessary, or when access is granted to personal, corporate, or otherwise private information.
The more granular you can become with where stronger authentication is required means that end users are less likely to become frustrated. Happier end-users mean safer security practices all around.
Best Practice #3: Implement SSO
Perhaps the most important practice on our list of multi-factor authentication best practices for banks and financial services organizations is to implement Single Sign-On (SSO). Reducing the number of passwords and security vulnerabilities they create is a constant focus for many financial services organizations. SSO integration decreases the amount of authentication required on behalf of the end-user, reducing frustration and annoyance while maintaining a high level of security.
SSO removes the multiple passwords that users dread, allowing you to enhance security around a single authentication that now provides access to all the user's applications. You can now deploy some of the strongest authentication techniques without causing a high-level of friction and impact to the user experience.
Also authentication approaches which reduce friction further, such as Adaptive Authentication, should be considered part of any authentication strategy. By taking into account the context of the user at the time they are requesting access, Adaptive Authentication solutions can adjust the level of authentication the user is expected to provide, increasing requirements when risk is present or decreasing when it isn't.
Many solutions even offer a complete package including these capabilities to reduce the workload on implementing a solution that adheres to standard multi-factor authentication best practices.
Staying Ahead of the Threat
As mentioned the financial services industry is a prime target for attack, especially during these times of the pandemic and the shift it is causing to accelerate digital transformation across the industry. This requires stronger authentication, multi-factor authentication.
While financial services organizations are usually the leaders and ahead of the curve when it comes to cybersecurity, it is all to often that some of the fundamental best practices are forgotten or left to the side.
When developing a multi-factor authentication strategy it is essential to define your security policies, make sure you consider biometric authentication as a convenient and low cost option, and implement single sign-on. This maintains that delicate balance between usability and security to deliver a positive, friction-free user experience to employees and customers.
Many solutions on the market can provide pieces of the puzzle, but it is essential to look for that partner to your business that understands the challenges of the financial industry. A complete solution will have the flexibility to be able to support your security policies as defined, and not force you to "reduce security" and compromise due to the technology's limitations. A complete solution will be able to provide not only multi-factor authentication but also single sign-on and more advanced approaches such as adaptive authentication. A complete solution in all cases should support and enhance your organization's need for security.
Do you have that solution today? For more information check out the recent whitepaper we have on multi-factor authentication and how biometrics should be part of any optimized strategy.