Consumer adoption of mobile technology has occurred faster than that of any previous technology, and businesses are struggling to keep up.
Previously, when a financial institution was going to add a new product or service, it took 6-12 months of multiple layers of scrutiny to ensure the new offering fit well into the previous product mix and fulfilled all regulatory and compliance requirements.
Financial institutions no longer have that luxury. Traditional financial institutions (banks and credit unions) are facing ever-increasing competition from online banks without branches, and mobile-only banks are about to make their debut. Consumers are demanding new ways to perform transactions, and FIs are accelerating their technology adoption and app creation to keep up.
Regulators, too, are trying to keep pace, which is why it isn’t surprising that the EU, the Federal Financial Institutions Examination Council, and New York State have already put stronger cybersecurity rules in place to ensure that the greater technological and product-focused risks are paired with strict consumer protections. As most of the world’s financial institutions have representative offices within New York City, even this seemingly local regulation will comprehensively affect almost all FIs.
All three regulators directly address the requirement to use multifactor authentication to protect against unauthorized access to confidential information, PII, and other protected information, as well as to reduce and mitigate transactional risk.
If even traditionally slow-moving regulators are saying that single-factor authentication isn’t enough, then it’s definitely not enough.
Traditionally, multifactor authentication comes in different flavors – something you know, something you have, and something you are.
Something you know is a username and password, combined with security questions, like the name of your first pet. By now, we’re all aware of the inadequacies of this type of multifactor authentication. Brute-force attacks and the regular theft of consumer data, including passwords, provide enormous opportunity for broad-scale financial fraud from “existing” customers.
Something you have is a mobile device or a coded key fob. The key fob is on its way to the same place as the buggy whip. Companies are sending security codes via mobile, which is great as long as the mobile hasn’t been compromised or simply lost.
Something you are is a more advanced level of multifactor authentication – fingerprint, retinal scan, and facial recognition. However, even this is flawed. Sophisticated malware doesn’t go into effect until after the one-time multifactor authentication is performed.
A new technology can now dynamically identify characteristics not of what you are, or what you do, but of how you do it. We all hold our mobile device at different angles, touch the screen with different finger pressure, and type at different speeds. Behavioral biometric authentication analyzes how you interact with your device to confirm your identity.
Behavioral biometric analysis delivers added value because it is done continuously and invisibly behind the scenes. While it’s easy to hack a username or password, it’s impossible to mimic behavior. With continuous behavioral biometric authentication, lurking bots can be immediately caught and stopped because the analytics engine automatically recognizes the sudden transition from the right person on the device to the wrong person, immediately preventing access.
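To make the continuous check concrete, here is an added sketch (not code from any vendor or from this article) that enrolls a per-user profile and scores a sliding window of session events against it. The two features, the sample values, the per-event cap, the window size and the threshold are all assumptions chosen for illustration.

```python
from collections import deque
from statistics import mean, stdev

# Assumed features per event: inter-key interval (ms), normalised touch pressure.
# All values below are constructed sample data, not real measurements.
ENROLLMENT = [(180, 0.52), (195, 0.55), (170, 0.50), (188, 0.54),
              (176, 0.51), (192, 0.56), (183, 0.53), (179, 0.52)]
OWNER = [(185, 0.53), (178, 0.52), (190, 0.55),
         (181, 0.51), (186, 0.54), (175, 0.53)]
BOT = [(40, 0.90)] * 4  # scripted input: very fast, uniform, hard presses


def enroll(samples):
    """Return [(mean, stdev), ...], one pair per feature column."""
    return [(mean(col), stdev(col)) for col in map(list, zip(*samples))]


def event_score(profile, event, cap=4.0):
    """Mean absolute z-score across features, capped so a single odd
    event (a bumped phone, a pause) cannot dominate the window."""
    zs = [abs(x - mu) / sigma for x, (mu, sigma) in zip(event, profile)]
    return min(mean(zs), cap)


def monitor(profile, session, window=5, threshold=2.2):
    """Score a sliding window over the session. Return the index of the
    event at which the session is first flagged, or None if never."""
    recent = deque(maxlen=window)
    for i, event in enumerate(session):
        recent.append(event_score(profile, event))
        if len(recent) == window and mean(recent) > threshold:
            return i
    return None


if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    print("owner only      :", monitor(profile, OWNER))
    print("owner, then bot :", monitor(profile, OWNER + BOT))
    print("single outlier  :", monitor(profile, OWNER + BOT[:1] + OWNER))
```

With these assumed settings the takeover is flagged on the third scripted event, while one isolated outlier in an otherwise normal session is tolerated; a smaller window or lower threshold flags sooner at the cost of more false alarms.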
The entire spectrum of regulatory agencies agrees that multifactor authentication is an essential way to strengthen security. Behavioral biometrics does it with the least hassle and the strongest results: significantly reducing risk and delivering a competitive edge by allowing your customers to perform higher-risk transactions than other financial institutions.