There are many examples of regulations that guide securing online and mobile banking through strong authentication. These examples cover a vast range of countries and banking sectors, but some prescriptions for strong authentication came up time and again.
Here are seven key characteristics of any truly effective strong authentication solution for online and mobile banking, as recognized by a wide range of regulatory bodies.
1. All sensitive transactions must use multi-factor authentication
Multi-factor authentication (MFA) is a method of controlling access to a system or network by requiring a user to present credentials from at least two of the following categories:
- Something only the user knows, such as a PIN or the answer to a challenge question
- Something only the user has, such as a smart card or mobile phone
- Something the user is, which includes biometric data
MFA’s strength in preventing account takeover and other intrusions lies in the combination of two or more of these authentication factors: an attacker must compromise each factor independently and at the same time, which is far harder than stealing a single credential.
Advanced technologies such as behavioral biometrics play a pivotal part in improving the user experience of multi-factor authentication.
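To make the two-factor rule concrete, here is an added example (not code from the original post or from Entersekt) of a server-side check that combines a knowledge factor (a password verifier) with a possession factor (an RFC 6238 time-based one-time password of the kind an authenticator app generates). The account record, salt and password are constructed for the example; the TOTP secret is the published RFC 6238 test secret, used only so the output can be checked against the RFC's test vectors. The salted SHA-256 password verifier is a stand-in for the slow KDF (Argon2, bcrypt) a production system would use.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// totpCode computes an RFC 6238 time-based one-time password using HMAC-SHA1,
// the default of most authenticator apps, for the given Unix time.
func totpCode(secret []byte, unixTime int64, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation, RFC 4226 section 5.3: the low nibble of the last
	// byte selects a 4-byte window, whose top bit is cleared.
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// verifyTOTP accepts the code for the current time step or up to `window`
// steps either side of it to tolerate clock drift. Every candidate is
// compared in constant time so the time taken does not reveal which matched.
func verifyTOTP(secret []byte, code string, now, step int64, digits, window int) bool {
	ok := false
	for d := -window; d <= window; d++ {
		expected := totpCode(secret, now+int64(d)*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// account is the server-side record for one customer (constructed for this example).
type account struct {
	salt         []byte
	passwordHash []byte // verifier for the knowledge factor
	totpSecret   []byte // shared secret behind the possession factor
}

// hashPassword derives the stored verifier. Salted SHA-256 keeps the example
// dependency-free; production code uses a slow KDF such as Argon2 or bcrypt.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// authenticate succeeds only if both factors check out. Both are evaluated
// before the decision so a wrong password does not short-circuit the check.
func authenticate(acct account, password, code string, now int64) bool {
	knows := subtle.ConstantTimeCompare(hashPassword(acct.salt, password), acct.passwordHash) == 1
	has := verifyTOTP(acct.totpSecret, code, now, 30, 6, 1)
	return knows && has
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, never for real use
	salt := []byte("example-salt")
	acct := account{salt: salt, passwordHash: hashPassword(salt, "correct horse"), totpSecret: secret}
	fmt.Println("code at T=59:", totpCode(secret, 59, 30, 6)) // 287082 per RFC 6238
	fmt.Println("password + code:", authenticate(acct, "correct horse", "287082", 59))
	fmt.Println("password only:  ", authenticate(acct, "correct horse", "000000", 59))
	fmt.Println("current code:   ", totpCode(secret, time.Now().Unix(), 30, 6))
}
```

The drift window is the usual trade-off: one step either side keeps phones with slightly wrong clocks working, while a wider window multiplies the number of codes an attacker could guess. Rate limiting on failed attempts belongs in front of this check.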
2. The entire authentication process must take place out-of-band
Regardless of how you combine authentication factors, a potential weakness of any MFA system lies in how the authenticating credentials are sent to the financial institution. The most effective way to protect them from interception is public-key cryptography over an out-of-band channel. In out-of-band authentication, the authentication process takes place over a communication channel that is different from the primary channel, that is, the channel over which the transaction was initiated.
One way to achieve this is to deploy industry-standard digital certificates to mobile phones and tablets. The certificates uniquely identify each device, transforming it into a trusted factor of possession. Using an encrypted communication channel, independent of the standard mobile operating system, enables banking customers to perform out-of-band, multi-factor authentication of online and mobile banking transactions.
For secure and trusted communication, the parties involved need to be able to validate each other before sharing anything confidential; this is what digital certificates provide.
3. All sensitive data must be encrypted in transit, end-to-end
End-to-end encryption protects digital data as it is transmitted from its source to its intended recipient, preventing opportunists at data intermediaries like internet service providers, application service providers, cloud hosting services, and mobile operators from intercepting, reading, and altering the content of communications.
4. Cryptographic keys and sensitive data at rest must be protected
All sensitive data at rest, and the cryptographic keys used to encrypt it, should be protected both on the authenticating device and behind the financial institution’s firewall. If a mobile device is being used as a second factor of possession, you should never rely solely on native device security, which may be susceptible to mobile banking trojans and brute force attacks.
5. All authentication responses must be digitally signed
Digital signatures powered by PKI technology are widely regarded as the best means of proving the validity of remote banking authentication responses. Implementing a transaction signing solution supports nonrepudiation by allowing financial institutions to verify the authenticity of any transaction – that it was initiated by their customer – and its integrity – that it has not been intercepted and modified by a third party in a man-in-the-middle or similar attack.
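The following is an added example (not the original post's or Entersekt's code) that ties point 2 and point 5 together: an enrolled device holds a private key that never leaves it (the possession factor) and signs the transaction details it displayed; the bank verifies the response under the public key it enrolled for that device, checks that the signed details equal the ones it asked the customer to approve, and accepts each transaction ID only once. It assumes a raw Ed25519 key pair where a deployment would carry the public key in the device's digital certificate, and the account identifiers and amounts are constructed. Authenticity, integrity against in-transit modification, and replay are each tested in `main`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// transaction holds the details the customer is shown and asked to approve.
type transaction struct {
	ID          string `json:"id"`
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
}

// canonical returns the exact bytes that are signed. encoding/json writes
// struct fields in declaration order, so device and bank derive identical bytes.
func (t transaction) canonical() []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	return b
}

// signedResponse is the authentication response returned over the out-of-band channel.
type signedResponse struct {
	Tx        transaction
	Signature []byte
}

// deviceSign runs on the enrolled phone: it signs what was displayed with the
// private key that never leaves the device (the possession factor).
func deviceSign(priv ed25519.PrivateKey, tx transaction) signedResponse {
	return signedResponse{Tx: tx, Signature: ed25519.Sign(priv, tx.canonical())}
}

// bank keeps the public key enrolled for each device (in practice carried in
// the device certificate) and the IDs of transactions already accepted.
type bank struct {
	deviceKeys map[string]ed25519.PublicKey
	seen       map[string]bool
}

func newBank() *bank {
	return &bank{deviceKeys: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// enrollDevice generates the device key pair and registers the public half.
// The private key is returned only because this example plays both roles.
func enrollDevice(b *bank, deviceID string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	b.deviceKeys[deviceID] = pub
	return priv
}

// verify is the bank's check of a response: the signature must verify under
// the enrolled key (authenticity), the signed details must equal what the
// bank asked the customer to approve (integrity), and each transaction ID is
// accepted once only (replay protection).
func (b *bank) verify(deviceID string, requested transaction, resp signedResponse) error {
	pub, ok := b.deviceKeys[deviceID]
	if !ok {
		return fmt.Errorf("no key enrolled for device %q", deviceID)
	}
	if !ed25519.Verify(pub, resp.Tx.canonical(), resp.Signature) {
		return fmt.Errorf("signature invalid: not from the enrolled device, or modified in transit")
	}
	if resp.Tx != requested {
		return fmt.Errorf("signed transaction does not match the requested one")
	}
	if b.seen[resp.Tx.ID] {
		return fmt.Errorf("transaction %s already accepted (replay)", resp.Tx.ID)
	}
	b.seen[resp.Tx.ID] = true
	return nil
}

func main() {
	b := newBank()
	priv := enrollDevice(b, "phone-42")
	tx := transaction{ID: "tx-1001", FromAccount: "ACCT-EXAMPLE-1", ToAccount: "ACCT-EXAMPLE-2", AmountCents: 12500, Currency: "EUR"}
	resp := deviceSign(priv, tx)
	fmt.Println("genuine response:  ", b.verify("phone-42", tx, resp))
	tampered := resp
	tampered.Tx.AmountCents = 1250000 // altered after signing, as a man-in-the-middle would
	fmt.Println("tampered amount:   ", b.verify("phone-42", tx, tampered))
	fmt.Println("replayed response: ", b.verify("phone-42", tx, resp))
}
```

Because the signature covers the same details the customer saw (point 6), a modified amount or beneficiary invalidates the signature, and because the private key is only on the enrolled device, a valid signature is evidence the customer's device approved exactly that transaction, which is what nonrepudiation rests on.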
6. Clearly display critical transaction information for verification
Avoid overwhelming users with complicated authorization procedures. Strip authentication prompts of all but the most necessary information: the basic details of the transaction displayed front and center.
7. Take a layered approach for high-risk transactions
Additional solution components or factors can be used to augment security for high-risk transactions. These may include PINs, GPS location or other contextual data, and biometrics.
User authentication is among the most important of the security controls necessary for securing remote banking and mitigating the threats of identity theft and account takeover by cybercriminals. It’s also one of the industry’s greatest challenges.
Following these seven steps will enhance authentication for online and mobile banking, enabling financial institutions to fend off attacks on their customers’ accounts in the years to come.
This post has been updated from its original version, first published on 3 June 2015.