It’s the beginning of the end for the password. In this article, Quintin Stephen, Global Business Lead, Authentication at Giesecke+Devrient, discusses the challenges and inefficiencies of passwords and of multi-factor authentication built on passwords and OTPs. He advocates biometric passkeys as a secure and user-friendly solution that strengthens fraud prevention by removing the risk of phishing and improves the customer experience.
In the digital era, banking services have become much more convenient for users, but security concerns often remain. Bad actors are staying one step ahead of banks by devising new ways of breaching new features, and increased awareness among customers of fraud and phishing techniques has done little to turn the tide. Stolen passwords for example are the cause of 86% of web application breaches, according to the 2023 Verizon Data Breach Investigations Report.
In an effort to enhance security measures beyond the problematic password, most online banking platforms are now protected by traditional multi-factor authentication (MFA) mechanisms. But even this technology provides no guarantee against a successful attack.
Banks are therefore increasingly facing the challenge of sufficiently enhancing security measures to stop fraudsters in their tracks, but without compromising on the user convenience afforded by digital platforms. This balance is essential for the modern day consumer, so what do banks need to do to achieve it?
The persistent problem with passwords and one-time-passwords
One of the common root causes of fraud has been the use of passwords. The first digital password was created as far back as 1961, but in more recent years it has come under scrutiny. Recent figures suggest that passwords with eight characters can be hacked in 37 seconds. Not only is the password a prime target for phishing attempts, it is also more difficult than ever for consumers to remember because of increased complexity demands. The result is that users reuse one password across multiple accounts, meaning that cyber criminals can access multiple user accounts once they’ve obtained it.
Passwords, in many cases, have been combined with other authenticators to create multi-factor authentication (MFA), such as one-time passwords (OTPs) and SMS OTPs in an attempt to reduce risks posed by fraudsters. But MFA often compromises a seamless customer experience. OTP solutions, whether via SMS or a dedicated authenticator app, require the user to switch between apps, creating inconvenience, and they may face a delay in receiving the code when there’s a network issue. The generation of OTPs with third-party apps can also create a clunky experience for the end user.
To compound the problem, Generative AI is making phishing attacks far harder for users to spot: a real website, email or voice is increasingly difficult to distinguish from a fake website, text message or even a phone call. The aim of the fraudsters is to get their hands on the password or OTP information to gain access to the account or approve a transaction. As the password in all its forms proves to be vulnerable, it’s time to remove it completely from the authentication process.
Biometrics is the natural successor
For financial institutions that are trusted by consumers to provide a convenient service, password-free authentication is a necessary step towards tackling fraud and preventing criminals from successfully compromising cards and bank accounts. Biometrics, and specifically passkeys, have emerged as a popular alternative. Driven by the FIDO Alliance, passkeys use cryptographic key pairs that are significantly more secure than passwords, and offer an enhanced user experience as well.
Passkeys provide benefits to users and businesses. For the user, it’s as simple as unlocking a smartphone or device via facial recognition or a fingerprint scan, as it’s a process they’re already very familiar with. Admittedly, there is no lock in the world that cannot be broken. But the time and energy for fraudsters to replicate a user’s biometrics is significantly higher. When combined with a second factor of authentication, it makes compromising a customer account a very difficult endeavour.
Passkeys come in two main forms: synced and device-bound. Synced passkeys enable users to switch between devices, including their smartphones, tablets and laptops, without re-registering any user details. These are highly suited to customer-facing apps. But in the banking and finance sector, device-bound passkeys are considered a step above in authentication security.
To add that extra layer, device-bound passkeys are tied to a specific device, which becomes a second factor of authentication (a possession factor). This is ideal for banks that need to comply with Strong Customer Authentication (SCA), a Payment Services Directive (PSD2) requirement. Banks can always check that a transaction has been made from a trusted device. By merging the device and biometric elements through device-bound authentication solutions, the second factor of authentication is invisible to the end user. All users need to do is provide their fingerprint or take a glance at the camera for one effortless action. It’s a truly streamlined authentication process.
However, banks must appreciate that widespread adoption won’t be instant. Biometric authentication methods have garnered plenty of attention, but people have become accustomed to passwords over a long period of time. Banks will need to carefully consider the customer journey and offer support to customers as they transition to newer authentication methods.
Finding the middle ground between convenience and security will be essential. A strategy could be to consider the level of risk associated with the transaction and integrate a seamless authentication process for low-value/risk transactions, and more visible authentication measures for large-value transactions. A second layer can be added to help build consumer trust, particularly among traditional banks looking to ensure retention of existing customers.
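The following Go program is an added illustration, not code from the article or from Giesecke+Devrient, of why the passkey mechanism described above resists phishing and how a bank can layer the risk-based policy of the previous paragraph on top of it. It models a simplified FIDO/WebAuthn assertion: the bank stores only a public key, issues a random challenge, and the device-bound authenticator signs the challenge together with a hash of the origin the browser is actually on and a flags byte that records whether a biometric (user verification) was performed. Credentials signed on a lookalike domain, replayed assertions, and high-value transfers without a biometric are all rejected. The domain names, the counter handling, the simplified client data hash and the 1,000.00 step-up threshold are constructed assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits carried in WebAuthn authenticator data.
const (
	flagUP = 0x01 // user present (a tap or touch)
	flagUV = 0x04 // user verified (biometric or device PIN)
)

// Credential is all the bank stores at registration: a public key and the last
// signature counter seen. There is no shared secret that could be phished.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	Counter   uint32
}

// Authenticator models a device-bound passkey: the private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is what the browser hands back to the bank after the user unlocks the passkey.
type Assertion struct {
	AuthData       []byte   // rpIdHash (32) || flags (1) || counter (4)
	ClientDataHash [32]byte // stands in for SHA-256(clientDataJSON): origin + challenge
	Signature      []byte   // ECDSA P-256 over SHA-256(AuthData || ClientDataHash)
}

// Register creates a new passkey and gives the bank its public half only.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{PublicKey: &priv.PublicKey}, nil
}

// NewChallenge is the bank's per-transaction random value (constructed helper).
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// clientDataHash: the browser, not the server, fills in the origin it is on,
// so a lookalike domain cannot claim to be the bank's origin.
func clientDataHash(origin string, challenge []byte) [32]byte {
	return sha256.Sum256(append([]byte(origin+"|"), challenge...))
}

// Assert is the browser+authenticator side. origin is the site the browser is
// actually on; userVerified records whether the biometric check was performed.
func (a *Authenticator) Assert(origin string, challenge []byte, userVerified bool) (Assertion, error) {
	a.counter++
	rpIDHash := sha256.Sum256([]byte(origin))
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	authData := append(append(rpIDHash[:], flags), ctr[:]...)
	cdh := clientDataHash(origin, challenge)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataHash: cdh, Signature: sig}, nil
}

// RequireUserVerification is the risk-based policy from the article: a quiet
// presence check for low-value transfers, a visible biometric for large ones.
// The threshold (1,000.00 in cents) is a constructed example value.
func RequireUserVerification(amountCents int64) bool {
	return amountCents >= 100_000
}

// Verify is the bank (relying party) side. rpID is the bank's own domain and
// challenge is the value it issued for this transaction.
func Verify(cred *Credential, rpID string, challenge []byte, as Assertion, amountCents int64) error {
	if len(as.AuthData) != 37 {
		return errors.New("malformed authenticator data")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was made on another origin")
	}
	flags := as.AuthData[32]
	if flags&flagUP == 0 {
		return errors.New("user presence not asserted")
	}
	if RequireUserVerification(amountCents) && flags&flagUV == 0 {
		return errors.New("step-up required: biometric user verification missing for high-value transaction")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	// Synced passkeys may report 0; a device-bound key must strictly increase,
	// which is what exposes a replayed assertion or a cloned authenticator.
	if counter != 0 && counter <= cred.Counter {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	if as.ClientDataHash != clientDataHash(rpID, challenge) {
		return errors.New("challenge or origin mismatch in client data")
	}
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), as.ClientDataHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, msg[:], as.Signature) {
		return errors.New("invalid signature")
	}
	cred.Counter = counter
	return nil
}

func main() {
	auth, cred, _ := Register()
	chal, _ := NewChallenge()
	as, _ := auth.Assert("bank.example", chal, false)
	fmt.Println("low-value, genuine origin:", Verify(cred, "bank.example", chal, as, 2_500))
	fmt.Println("same assertion replayed:  ", Verify(cred, "bank.example", chal, as, 2_500))
	chal2, _ := NewChallenge()
	as2, _ := auth.Assert("bank-login.example", chal2, true)
	fmt.Println("signed on lookalike site: ", Verify(cred, "bank.example", chal2, as2, 2_500))
	chal3, _ := NewChallenge()
	as3, _ := auth.Assert("bank.example", chal3, false)
	fmt.Println("high-value, no biometric: ", Verify(cred, "bank.example", chal3, as3, 500_000))
	as4, _ := auth.Assert("bank.example", chal3, true)
	fmt.Println("high-value, biometric:    ", Verify(cred, "bank.example", chal3, as4, 500_000))
}
```

In a real deployment the browser would never even offer the bank's credential to a lookalike origin, because the passkey is scoped to the bank's rpId; the server-side rpIdHash comparison is the defence-in-depth check that catches a misconfigured or relayed request. The point of the policy function is that the passkey ceremony stays the same for every transaction and only the requested level of user verification changes, which is how a bank can keep low-value payments frictionless while making the biometric step visible on large ones.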
Time to reassess traditional security frameworks
As banking continues to evolve in the face of advancing technology and sophisticated cyber threats, financial institutions must reassess traditional security frameworks. While basic password protection has largely made way for MFA, biometric passkey systems are the natural next step. These advanced technologies make use of unique individual traits that are extremely difficult to replicate, but they also streamline the authentication process for user-friendliness.
However, the transition will require careful planning. Banks must address potential customer hesitations and educate them about the benefits and workings of new authentication technologies. As regulatory requirements grow, financial institutions can enhance security while ensuring their services remain accessible to customers and efficient in the face of evolving digital threats.
About the Author
Quintin Stephen is Global Business Lead for Authentication at Giesecke+Devrient, a global SecurityTech company. He is a highly experienced payment expert, and his current focus is on authentication and how it combines with digital payment evolution, including open banking, digital assets, instant payments, APIs, digital first, virtual cards and “Banking as a Service”.