Financial services CIOs face the increasingly difficult task of delivering services while maintaining security, and they need user authentication methods that achieve both.
It is not an easy task. Let's take a look at some user authentication methods that financial services firms could consider.
Let’s start with one of the more recent methods, biometrics – specifically, voice biometrics. New Zealand’s Inland Revenue Department implemented a program used by 400,000 New Zealanders that checks a user’s voice to confirm identity rather than PINs or passwords. Several banks in Australia started using it after it was shown to be successful.
It is a very simple concept. The user enrolls a voiceprint, in this particular case by repeating an account number or date of birth three times. The voiceprint is not a recording but a digital representation of the characteristics of the user's voice.
Once it is set up, the user calls in and confirms their identity by quoting their account number. The user's voice is compared against the stored voiceprint for a match. Calls that fail to match are transferred to a dedicated team that deals with potential fraud.
It would require rethinking infrastructure, but a user authentication method based on biometrics appears to be one of the most secure methods available. It would also reduce the IT and help desk workload of resetting or confirming passwords.
Two-Factor Authentication
This method relies on two separate factors of user identification, most likely a password or PIN combined with a card or security token. It helps prevent security breaches and fraud because an attacker would need not only the password but also the security token or card associated with that user.
Even where passwords must be rotated, when users choose their own passwords most reuse the same password across multiple accounts and rotate through the same or similar ones. A Massachusetts-based company, RSA Security, conducted a survey that found that 15 percent of Web users use a single password for everything. Two-factor user authentication lessens the risk created by that type of behavior.
Though not mandating it yet, the FDIC is asking financial services firms and governments to consider moving to two-factor authentication.
Single Sign-On (SSO)
SSO allows a user to have a single set of credentials for multiple applications and services. SSO has many benefits. The biggest is that usability improves while security management becomes simpler, because IT has one centralized system to provision, deprovision, maintain and monitor user authentication and access.
A frequent criticism of SSO is the worry that an attacker who obtains a user's credentials can gain access to a large part of the enterprise. That is true, but damage from such a breach can be contained quickly, because access to all applications and services can be cut off by deprovisioning one set of credentials.
To further strengthen security, a successful SSO implementation may combine SSO with additional user authentication, such as two-factor authentication.
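The containment property claimed above (one deprovisioning action cuts access everywhere) and the SSO-plus-two-factor combination are easiest to see in a small model. The following is an added example, not code from the article: a central identity provider issues HMAC-signed tokens after a user authenticates, each relying service validates tokens through the identity provider (so the check includes whether the user is still provisioned, not just whether the token has expired), and a sensitive service can insist that the session was established with a second factor. The signing key, user and service names are constructed; a production deployment would use a standard protocol (SAML or OpenID Connect) with asymmetric keys rather than this hand-rolled token.

```python
import base64
import hashlib
import hmac
import json

IDP_KEY = b"constructed-idp-signing-key"   # constructed; a real IdP uses a managed, usually asymmetric key


class IdentityProvider:
    """Central authority that provisions users and issues/validates SSO tokens."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._users = {}   # username -> {"active": bool}

    def provision(self, username: str) -> None:
        self._users[username] = {"active": True}

    def deprovision(self, username: str) -> None:
        # One action here revokes access to every relying service at once.
        if username in self._users:
            self._users[username]["active"] = False

    def is_active(self, username: str) -> bool:
        return self._users.get(username, {}).get("active", False)

    def issue_token(self, username: str, now: int, mfa_verified: bool, ttl: int = 3600):
        """Issue a signed token; primary authentication is assumed to have happened already."""
        if not self.is_active(username):
            return None
        amr = ["pwd", "otp"] if mfa_verified else ["pwd"]   # authentication methods used
        payload = {"sub": username, "exp": now + ttl, "amr": amr}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def verify_token(self, token: str, now: int):
        """Return the payload if signature and expiry hold AND the subject is still provisioned."""
        body, sep, sig = token.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        try:
            payload = json.loads(base64.urlsafe_b64decode(body.encode()))
        except (ValueError, TypeError):
            return None
        if payload["exp"] <= now or not self.is_active(payload["sub"]):
            return None
        return payload


class Service:
    """A relying application that delegates authentication to the identity provider."""

    def __init__(self, name: str, idp: IdentityProvider, require_mfa: bool = False):
        self.name = name
        self._idp = idp
        self._require_mfa = require_mfa

    def authorize(self, token: str, now: int) -> bool:
        payload = self._idp.verify_token(token, now)
        if payload is None:
            return False
        # A sensitive service can require that the SSO session used a second factor.
        if self._require_mfa and "otp" not in payload["amr"]:
            return False
        return True


def demo() -> dict:
    """Walk through issue, access, expiry, tampering and deprovisioning across two services."""
    idp = IdentityProvider(IDP_KEY)
    idp.provision("alice")
    email = Service("email", idp)                       # ordinary service
    payroll = Service("payroll", idp, require_mfa=True)  # sensitive service
    now = 1_700_000_000

    pwd_only = idp.issue_token("alice", now, mfa_verified=False)
    with_mfa = idp.issue_token("alice", now, mfa_verified=True)
    flipped = "0" if with_mfa[-1] != "0" else "1"        # corrupt one signature character
    results = {
        "email_pwd_only": email.authorize(pwd_only, now),
        "payroll_pwd_only": payroll.authorize(pwd_only, now),
        "payroll_with_mfa": payroll.authorize(with_mfa, now),
        "expired": email.authorize(with_mfa, now + 3600),
        "tampered": email.authorize(with_mfa[:-1] + flipped, now),
    }
    idp.deprovision("alice")   # the single containment action
    results["email_after_deprovision"] = email.authorize(with_mfa, now)
    results["payroll_after_deprovision"] = payroll.authorize(with_mfa, now)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The design point worth noticing is that `verify_token` consults the identity provider's user record on every check. If services only validated the signature and expiry, a deprovisioned user would keep access until their tokens expired, which is exactly the window the article says SSO lets you close.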
User Authentication Is a Critical Process
Financial services CIOs need to be aware of evolving user authentication methods. With the rise in cloud and mobile applications and services, it is only going to get more and more complicated to balance usability and security.
CIOs need to regularly assess how their user authentication is implemented and be flexible enough to adjust procedures as needed.