Careers

Partnerships

Seven steps to stronger authentication

-
Snippet: There are many examples of regulations that guide securing online and mobile banking through strong authentication. These examples cover a vast range of countries and banking sectors, but some prescriptions for strong authentication came up time and again.

There are many examples of regulations that guide securing online and mobile banking through strong authentication. These examples cover a vast range of countries and banking sectors, but some prescriptions for strong authentication came up time and again.

From the physical realm to the digital and beyond, authentication is evolving apace. Our infographic follows the timeline of authentication though the ages.

Here are seven key characteristics of any truly effective strong authentication solution for online and mobile banking, as recognized by a wide range of regulatory bodies.

Seven steps to stronger authentication

1. All sensitive transactions must be multi-factor authenticated 

Multi-factor authentication (MFA) is a method of controlling access to a system or network by requiring a user to present credentials from at least two of the following categories:

  • Something only the user knows, such as a PIN or the answer to a challenge question
  • Something only the user has, such as a smart card or mobile phone
  • Something the user is, which includes biometric data

MFA’s strength in preventing account takeover and other intrusions lies in the combination of two or more of these authentication factors, which then makes it extremely difficult for a hacker to access simultaneously.

2. The entire authentication process must take place out-of-band

Regardless of how you combine authentication factors, a potential weakness of any MFA system lies in how the authenticating credentials are sent to a financial institution. The most effective way to protect data from being intercepted is through out-of-band public-key cryptography. In out-of-band authentication, the authentication process takes place over a communication channel that is different from the primary channel or the channel over which the transaction was initiated.

One way to achieve this is to deploy industry-standard digital certificates to mobile phones and tablets. The certificates uniquely identify each device, transforming it into a trusted factor of possession. Using an encrypted communication channel, independent of the standard mobile operating system, enables banking customers to perform out-of-band, multi-factor authentication of online and mobile banking transactions.

For secure and trusted communication, the parties involved need to be able to validate each other before sharing anything confidential. For more, read our blog post on why digital certificates were such a brilliant idea (and still are).

3. All sensitive data must be encrypted in transit, end-to-end

End-to-end encryption protects digital data as it is transmitted from its source to its intended recipient, preventing opportunists at data intermediaries like internet service providers, application service providers, cloud hosting services, and mobile operators from intercepting, reading, and altering the content of communications.

Seven steps to stronger authentication

4. Cryptographic keys and sensitive data at rest must be protected

All sensitive data at rest, and the cryptographic keys used to encrypt it, should be protected both on the authenticating device and behind the financial institution’s firewall. If a mobile device is being used as a second factor of possession, you should never rely solely on native device security, which may be susceptible to mobile banking trojans and brute force attacks.

5. All authentication responses must be digitally signed

Digital signatures powered by PKI technology are widely regarded as the best means of proving the validity of remote banking authentication responses. Implementing a transaction signing solution supports nonrepudiation by allowing financial institutions to verify the authenticity of any transaction – that it was initiated by their customer – and its integrity – that it has not been intercepted and modified by a third party in a man-in-the-middle or similar attack.

6. Clearly display critical transaction information for verification

Avoid overwhelming users with complicated authorization procedures. Strip authentication prompts of all but the most necessary information: the basic details of the transaction displayed front and center.

Find out how our simple, no-fuss step-up authentication solution can help drive customer engagement.

7. Take a layered approach for high-risk transactions

Additional solution components or factors can be used to augment security for high-risk transactions. These may include PINs, GPS location or other contextual data, and biometrics.

User authentication is among the most important of the security controls necessary for securing remote banking and mitigating the threats of identity theft and account takeover by cybercriminals. It’s also one of the industry’s greatest challenges.

Following these seven steps will enhance authentication for online and mobile banking, enabling financial institutions to fend off attacks on their customers’ accounts in the years to come.

This post has been updated from its original version, first published on 3 June 2015.

 Download our Browser Authentication fact sheet

Subscribe to our blog.

Muscling up on strong authentication
Entersekt editor

Entersekt editor

An avid scowler and violent sharpener of pencils, Editor’s bark is worse than her bite. Every scrap of writing that crosses her desk she treats with the same care she would her own privately published comic verse. Any orphans and misfits, she takes under her wing. After hours, she practices amateur type design and represents her local library in extreme kerning competitions.

Tags

Public-key cryptographyTransaktDigital securityCustomer authentication

Related articles

Entersekt Logo

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.