Welcome to the first of four blog posts exploring the trends, threats, and opportunities to consider when securing your mobile banking channel. As consumers rely more and more on modern digital conveniences like mobile banking, their expectations — and loyalty — depend on quick and easy user experiences, without compromising the safety of their sensitive data.
Financial institutions (FIs) that follow a few basic best practice guidelines are guaranteed to not only meet these expectations, but stay one step ahead in a competitive, customer-driven market. Here are four to take note of:
1. Shifting from SMS OTPs to modern, passwordless authentication
Even though one-time passwords (OTPs) are still widely used, they are far from ideal. They are not only ineffective as a means of fraud protection, but also add hurdles and frustration to a customer’s banking or payment journey. OTP technology was created to improve the security of static passwords, but the technology is no longer a match for current, sophisticated fraud vectors.
OTPs leave mobile transactions vulnerable to SIM-swap and other attacks, which cost Americans nearly $70 million in 2021, the FBI reported. The reasons they are no longer effective against fraud include:
- OTPs are symmetric: the same code the customer enters is generated and held on the bank's side and travels through the mobile carrier's network, so both the bank and the carrier also have access to it.
- OTP systems rely on the customer entering the code into the same browser-based session that connects back to the bank, so a fraudster who harvests a customer's credentials and OTP can immediately replay them against the account before the code expires.
- OTP technology is error-prone and not very user-friendly. Many mobile apps do support auto-filling of OTPs sent via SMS, but browser-based interactions still require users to fumble around and find the code, then get back to their banking app and enter it correctly.
FIs should be adopting more modern solutions that balance security and user experience for mobile banking users, such as passwordless and biometric authentication solutions.
2. Securing mobile banking logins with public key infrastructure and passkeys
Another important aspect of mobile banking security is ensuring customers are safe when they log in to their apps. Deploying digital certificates to mobile phones and tablets is one way to allow these devices to be uniquely identified, transforming them into reliable second factors of authentication when customers log in. Each certificate positively identifies a device, confirming a user’s identity and eliminating the need for outdated solutions like OTPs, challenge questions, or device fingerprinting.
Today, companies like Apple, Microsoft and Google are adopting login technology that takes innovation to a new level, called passkeys. Passkeys are a passwordless technology and a more advanced form of multi-factor authentication (MFA) than SMS OTPs. Passkeys are aligned to Fast IDentity Online (FIDO) standards and use biometrics to validate the identity of the person signing in. The technology relies on the WebAuthn standard, which enables passwordless authentication and is supported by all major operating systems.
Learn more about passkeys and FIDO in our informative passkeys fact sheet. No email required!
3. Removing unwanted friction by using a layered authentication approach
Using only a single factor of authentication, such as OTPs, puts banking customers’ data at great risk of being hacked. Securing a mobile banking channel with two-factor authentication (2FA) solutions — especially ones that provide out-of-band 2FA through a separate channel — allows banks and credit unions to authenticate online banking logins and transactions, as well as card-not-present (e-commerce) payments, using the same interface. Consumers can transact without having to switch apps to verify their identity, saving them time.
Beyond that, and even better, is multi-factor authentication (MFA), where FIs provide consumers with all the security they need for on-the-go banking. Biometrics are becoming a popular option as an additional authentication layer, as they are particularly user-friendly and secure, replacing passwords with a modern passwordless approach. And, since most mobile devices have fingerprint readers and facial recognition sensors, the user experience is hassle-free and doesn't hinder user behavior when shopping online or paying with a mobile banking app.
The next innovative shift for FIs to ensure mobile transactions are safe and seamless for their customers is Context Aware™ Authentication — where the context of each customer interaction determines the best authentication mechanism in that moment. Customers get a curated authentication journey, and banks get context-rich, real-time data for each transaction. Win-win!
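One way a context-aware layer can decide how much authentication to ask for, as an added example rather than a description of Context Aware™ Authentication or any vendor's engine. The signal names, weights, thresholds and sample interactions are all constructed for illustration; the three authentication levels mirror the post's progression from silent checks through biometrics to out-of-band confirmation.

```javascript
// Added example, not from the original post: a rule-based step-up policy of the
// kind a context-aware authentication layer applies. Every signal name, weight,
// threshold and sample interaction here is constructed for illustration.
const AUTH_LEVELS = {
  FRICTIONLESS: 'frictionless',                 // silent device/session check only
  BIOMETRIC: 'biometric',                       // on-device fingerprint or face unlock
  BIOMETRIC_OOB: 'biometric_plus_out_of_band',  // biometric plus confirmation in the bank's own app channel
};

// Each rule inspects the interaction context and contributes a weight plus a
// human-readable reason the bank can show when it deliberately makes security visible.
// A customer with no payment history (typicalAmount 0) trips the amount rule on any
// non-zero payment, which is the conservative choice.
const RULES = [
  { weight: 40, reason: 'new or unrecognised device',
    test: (ctx) => !ctx.knownDevice },
  { weight: 30, reason: 'payment far above the customer\'s usual amount',
    test: (ctx) => ctx.amount > 5 * ctx.typicalAmount },
  { weight: 20, reason: 'first payment to this payee',
    test: (ctx) => ctx.newPayee },
  { weight: 25, reason: 'location does not match recent activity',
    test: (ctx) => ctx.locationMismatch },
];

// Sum the weights of every rule that fires and keep the reasons for the audit trail.
function scoreContext(ctx) {
  return RULES.filter((rule) => rule.test(ctx)).reduce(
    (acc, rule) => ({ score: acc.score + rule.weight, reasons: [...acc.reasons, rule.reason] }),
    { score: 0, reasons: [] },
  );
}

// Map the accumulated score to an authentication level: routine activity stays
// frictionless, riskier context steps up to visible, stronger factors.
function chooseAuthentication(ctx) {
  const { score, reasons } = scoreContext(ctx);
  let level = AUTH_LEVELS.FRICTIONLESS;
  if (score >= 60) level = AUTH_LEVELS.BIOMETRIC_OOB;
  else if (score >= 25) level = AUTH_LEVELS.BIOMETRIC;
  return { level, score, reasons };
}

// Constructed sample interactions.
const SAMPLE_CONTEXTS = {
  habitualCoffee: { knownDevice: true, amount: 4.5, typicalAmount: 5, newPayee: false, locationMismatch: false },
  largeOnceOff: { knownDevice: true, amount: 2400, typicalAmount: 80, newPayee: true, locationMismatch: false },
  newDeviceLogin: { knownDevice: false, amount: 0, typicalAmount: 80, newPayee: false, locationMismatch: true },
};

function evaluateAll(contexts = SAMPLE_CONTEXTS) {
  return Object.fromEntries(
    Object.entries(contexts).map(([name, ctx]) => [name, chooseAuthentication(ctx)]),
  );
}

for (const [name, decision] of Object.entries(evaluateAll())) {
  console.log(`${name} -> ${decision.level} (score ${decision.score}: ${decision.reasons.join('; ') || 'no risk signals'})`);
}
```

Returning the fired `reasons` alongside the level is what lets the bank tell the customer why it is asking for more at that moment, which is the visible-security cue the survey findings below say customers want for a large one-off payment or a login from a new device. In a real deployment the weights would come from fraud-model output rather than hand-picked constants, but the decision shape is the same.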
4. Involving banking customers in securing their online payments
A recent consumer survey conducted with PYMNTS confirmed the growing trend that consumers want to play a more active role in ensuring the safety of their data and accounts.
From the report: "Modern consumers are more informed and tech-savvy than ever before. And they expect a high degree of personalization and convenience." This level of personalization gives them a greater sense of control over their banking. It is even more applicable to mobile banking, as today's consumers are three times more likely to use a smartphone for online purchases and services.
Another way consumers want to be closely involved in security is with their preference for visible versus invisible security measures. And while consumers seem split on whether they want visible or invisible banking security, the answer often lies in the level of trust they have in their bank. For frequent transactions they perform on their smartphones, consumers favor convenience, while with higher-risk transactions, such as a large, once-off payment or accessing their account from a new device, consumers want more visible security to feel assured that their data is safe.