Multi-Factor Authentication – Widely Adopted, Effective Protection
Static passwords alone are no longer a viable tool for identifying customers, according to ICBA Payments’ Alan Nevels. With payments fraud rising year after year, and consumers becoming more comfortable with making payments online, authentication has never been more crucial.
Studies indicate that approximately 80% of today’s data breaches are the result of weak passwords. The wide-ranging fraud schemes centered on deceiving consumers into providing sensitive personal information have supplied fraudsters with an assortment of customer data points, which has fueled the uptick in identity theft.
Multi-Factor Authentication (MFA) offers a protection layer for customer verification and is one of the most powerful and cost-effective means for identifying users.
MFA draws on three main types of factor: something the user knows (like a PIN or password), something the user has in their possession (like a phone), and something characteristic of the user (such as fingerprints).
Here are commonly accepted and effective authentication methods. We’ll briefly explore these methods and the pros and cons of each.
Short Message Service (SMS) involves sending a unique one-time passcode or text phrase to a mobile device to confirm access or verify financial transactions.
- Pros: Considered the easiest and most effective authentication method. It is also very cost effective and universally accepted worldwide.
- Cons: Requires physical possession of, or close access to, a phone, laptop, or mobile device. Also, codes usually expire within very short time spans.
Push Notifications send a notice to an application prompting the user to approve access attempts. Notices regularly provide data elements (time, location, and device type) for validation before acting.
- Pros: Allows for swift authentication and has proven to be the most effective practice for combating email attacks (phishing) and impostor attacks. It is also fairly cost effective to implement.
- Cons: Requires a certain security token type for deploying data exchange. Users must have and maintain devices that allow for hosting the application(s) and aiding general interoperability.
Biometric Authentication relies on unique biological characteristics and traits (fingerprints, facial features, eyes) to verify identity.
- Pros: Makes for stronger and more frictionless validation and is becoming a more accepted method for user authentication. It requires no memorization of PINs or passwords.
- Cons: Privacy concerns are fueling slower user adoption. Also, collection and data storage are rising consumer concerns.
Behavioral Authentication (BHA) verifies a user based on recorded device interaction, such as how the device is held and the cadence or pressure points when typing.
- Pros: Provides a mostly secure and unnoticed authentication method and is hard to counterfeit. BHA offers a relatively frictionless mode of authentication.
- Cons: Somewhat dependent on the user’s physical and emotional state. Also, users have concerns about data collection, storage, and privacy invasion.
QR Codes are used more often for financial transaction verification, access to website applications and related information, and enabling devices to act as TV channel remotes.
- Pros: Provides simple authentication and integrates easily with other security tools. Also, most consumers already have the required device(s) and hardware for authentication.
- Cons: Not a widely used authentication method and strongly dependent on the device and on downloading a QR code application.
The benefits and negligible cost of MFA are clear when weighed against the risk and associated cost of a data breach stemming from weak and compromised credentials. Criminals are getting more sophisticated. Fortunately, the technologies for matching their persistent fraud schemes and thwarting their attacks are up to the challenge.