The future of authentication for banks and financial institutions


The past year was marked by an increase in the use of online banking services. As the French stayed at home more than usual, they used the Internet to work, shop, keep in touch and manage their money. This transition to online banking services represents a boon for brands that favor digital. However, it is also a target for cybercriminals looking to profit from data breaches and account takeovers.

Banks and their customers are adapting to a new form of long-distance relationship; in doing so, the quality of online security protection will gain in importance over time and, for some institutions, it will even become a source of advantage over the competition.

When setting up their account, in most cases, customers have the option of creating a password combined with a username in order to gain access. This form of authentication is already well known and used for other connection services; what may be less so is the additional strong authentication control, such as a unique passcode generated by a card reader or sent as a message to a registered cell phone.

Weaknesses of passwords

Strong authentication, a second line of defense, is extremely important for financial services, as passwords are notorious for their inability to prevent bank account takeovers. Reused passwords increase the vulnerability of multiple accounts. Indeed, during a data breach, this information can end up in the hands of cybercriminals. Credentials can also be guessed from a series of combinations of commonly used words and numbers, not to mention that bank details are among the data most coveted by malicious actors.

The implementation of additional identity checks therefore strengthens security, but not all forms of strong authentication are equal in the face of security threats. One-time codes sent to cell phones, which are so popular with banks, can be vulnerable to SIM swapping, a hacking technique increasingly used by cybercriminals that involves taking control of an individual's phone number to then access their personal information, including their bank details. They can also be vulnerable to modern phishing and man-in-the-middle (MitM) attacks. In this type of attack, the innocent victim believes they are communicating with a legitimate organization, such as their bank, but in reality the information is intercepted and relayed by a malicious third party. These attacks are not easy to spot, even for those well versed in cybersecurity, as attackers create personalized and compelling communications to fool their targets. Access routes include unprotected Wi-Fi and manipulated URLs.

In the better-known case of phishing, victims are encouraged to disclose personal information such as their login details. The details stolen in this type of attack are then used to access the user’s account and can be used to try to access other services as part of a takeover of several accounts.

Manage the customer experience

For financial services, using the strongest authentication possible to protect data and accounts doesn’t always go hand in hand with an optimal customer experience. Each additional verification can add time and frustration to the sign-in stage, preventing customers from accessing their account when they want to if, for example, they are in a cellphone-prohibited location.

Strong authentication must therefore meet a double requirement: to protect account data, financial and personal information, while providing a user-friendly, preferably frictionless, user experience. Another consideration is the ease with which additional authentication can be integrated into back-end systems, both for the existing product portfolio and for subsequent innovations. Given the speed at which financial services are digitizing and the pace at which payments are moving towards a “cashless” mode, most banks will face this challenge. The finance sector also has the difficult task of ensuring compliance with the various regulations in the sector, in particular the General Data Protection Regulation (GDPR) or the new Payment Services Directive (PSD2), which governs access to sensitive data.

Protect the infrastructure within the establishments themselves

Financial organizations also need to protect access to their own systems and applications. Here, the difficulties are compounded by the fact that most banking infrastructures combine traditional on-premises systems and private or public services hosted in the cloud. All of these must be protected from unauthorized access, a challenge that has been exacerbated by the rapid transition to large-scale homeworking over the past year.

Finance teams and employees working in unfamiliar places expand the potential attack surface, with home networks and personal devices suddenly entering the bank’s IT estate. Transparent, convenient and highly secure multi-factor authentication must be in place to protect company data and assets so that employees can securely access systems remotely without creating new risks and vulnerabilities.

Financial services are increasingly turning to hardware tools, such as security keys, to provide strong authentication that protects the data of businesses and customers without disrupting increasingly impatient customers. When it comes to protecting their financial data from phishing attacks, users prefer authenticators to be something they have, rather than something they know. For customers, these solutions provide account protection, while for the enterprise, they provide secure access to systems and applications. Whether for upgrading a bank’s existing infrastructure or for a new generation of fintech developers operating only in the cloud, such an approach offers seamless integration with operating systems and ensures compliance with global authentication standards.

If the finance industry wants to effectively protect customers and their data while providing today’s consumers with the experience they want, it has no choice but to step outside of traditional protection to provide strong but frictionless authentication. It is striking that today, social media accounts are often more secure than bank accounts. As consumers are increasingly exposed to better protection everywhere else, they will soon demand the same security guarantees for their bank account.