Will Continuous Authentication Protect Mobile Banking Users?
Traditional two-factor authentication, while very effective at replacing simple passwords from a security standpoint, can introduce friction into the user experience. Depending on the type of two-factor solution implemented, users may still have to remember and enter their passwords each time they log into an account, and often have to answer a handful of security questions. In other instances, a user might have to reference an SMS message or token passcode to verify. Not all two-factor solutions are created equal, and some are more seamless and secure than others. But no matter the option, two-factor authentication adds time and friction to the online and mobile banking user experience.
Recognizing the drawbacks of traditional two-factor authentication, mobile banking will instead take steps to move toward advanced adaptive authentication with continuous authentication capabilities, and the switch will likely have widespread implications for mobile banking users. In addition to a more seamless user experience, advanced adaptive and continuous authentication offers the opportunity for increased security.
More seamless user experience
Unlike the obvious requirements of two-factor authentication, advanced adaptive authentication will push authentication factors below the interface level, meaning the user experience doesn’t need to be interrupted by security measures. For example, advanced adaptive authentication has the ability to discreetly monitor how quickly a user is typing on his or her keyboard, or how much pressure is being applied to the screen, to ensure the correct user is in possession of a trusted device. These new capabilities pave the way for continuous authentication, which not only addresses security around a logon or access event, but continues monitoring parameters during a user’s online session to provide added security throughout the duration.
Ultimately, advanced adaptive and continuous authentication will be more convenient for users than solely relying on two-factor authentication, as they don’t need to re-enter passwords – or remember passwords and answers to security questions – each time they log into a mobile banking app.
Rather than requiring a password or answers to security questions, continuous authentication works by monitoring device and user behavior throughout a session – such as application activity patterns, user behavioral characteristics and even facial recognition or how a user holds his or her device. Over time, monitoring user behavior and other metrics builds a collection of data that can more accurately determine if the device is trusted and if the correct person is using the device. These advanced authentication capabilities can detect anomalies relative to prior usage patterns and flag when a user’s actions or behavior seem abnormal. It’s a more artificial intelligence-based form of security.
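The baseline-and-anomaly loop described above, sketched as an added example (not code from this article or from any vendor's product): each signal keeps a running per-user baseline, in-session readings are scored against it, and sustained deviation triggers a step-up to explicit authentication. The signal names, thresholds and sample readings are assumptions constructed for illustration.

```python
import math

class Baseline:
    """Running mean/variance of one behavioral signal (Welford's algorithm)."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0
    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
    def zscore(self, x):
        std = math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0
        if std == 0:
            return 0.0 if x == self.mean else math.inf  # fail closed on a flat baseline
        return abs(x - self.mean) / std

class SessionMonitor:
    SIGNALS = ("key_interval_ms", "touch_pressure")  # hypothetical signal names
    def __init__(self, threshold=3.0, alpha=0.3, z_cap=6.0, min_samples=20):
        self.base = {s: Baseline() for s in self.SIGNALS}
        self.threshold, self.alpha, self.z_cap = threshold, alpha, z_cap
        self.min_samples, self.risk = min_samples, 0.0
    def enroll(self, reading):  # call only right after an explicit, verified logon
        for s in self.SIGNALS:
            self.base[s].update(reading[s])
    def observe(self, reading):  # score one in-session reading: 'allow' or 'step_up'
        if any(b.n < self.min_samples for b in self.base.values()):
            return "step_up"  # no usable baseline yet: fall back to explicit auth
        z = min(self.z_cap, max(self.base[s].zscore(reading[s]) for s in self.SIGNALS))
        # Smooth the score so one stray reading does not interrupt the user.
        self.risk = self.alpha * z + (1 - self.alpha) * self.risk
        if z < self.threshold:
            self.enroll(reading)  # adapt only on owner-like data (limits baseline poisoning)
        return "step_up" if self.risk >= self.threshold else "allow"

def run_session(monitor, readings):
    monitor.risk = 0.0  # each session starts fresh after logon
    return [monitor.observe(r) for r in readings]

# Constructed sample data, not measurements from any real device or user.
def reading(ms, pressure):
    return {"key_interval_ms": ms, "touch_pressure": pressure}
def build_monitor():
    m = SessionMonitor()
    for i in range(30):
        m.enroll(reading(180 + 5 * (i % 5 - 2), 0.45 + 0.01 * (i % 5 - 2)))
    return m
OWNER_WITH_ONE_SLIP = [reading(182, 0.46), reading(175, 0.44), reading(95, 0.70),
                       reading(180, 0.45), reading(185, 0.46)]
OTHER_PERSON = [reading(95, 0.70)] * 3
```

With these constructed readings, a single outlier inside the owner's session is tolerated, while a session that deviates on consecutive readings is pushed to explicit authentication and never folded into the baseline.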
Advanced adaptive capabilities provide a greater degree of intelligence about what’s going on without asking users for a PIN or password. Relying on identity analytics and behavior biometrics decreases risks associated with passwords getting compromised, mobile banking users having the same password across various accounts and other related risks. While two-factor authentication has been deployed to address widespread credential breaches for the enterprise, mobile banking has continued to face risks associated with fraudsters compromising both passwords and responses to security questions.
While the benefits of advanced adaptive and continuous authentication are clear, it will take some time before all of these benefits are recognized. Organizations need to plan for these new types of technologies and examine how they can enable new types of services to be introduced and rolled out to customers. It’s ultimately about unlocking value and providing a superior customer experience, while not forgoing security. As the path to continuous authentication becomes clearer, platform providers need to work together with application providers to develop standards for handling new types of communication that are not only event-based, but persistent.
About Ryan Zlockie
Ryan Zlockie is the global vice president of authentication for Entrust Datacard. He leads the company’s global software product efforts, as well as the authentication business segment. He has more than 17 years of experience in security technology for global, midsize and startup companies. Before joining Entrust Datacard in 2011, Zlockie held vice president positions at L-1 Identity Solutions where he focused on identity and security with an emphasis around biometric technology. He holds an MBA from the University of Southern California and a bachelor’s in marketing from Rider University.