To better protect consumers from identity theft and fraud, all financial institutions use multifactor consumer authentication (e.g., systems such as an ATM card plus a PIN). These systems use what you have -- in this example, a card-- as an authentication method and then what you know -- in this case, a PIN -- as a second method. This serves as a layered defense to allow authenticated consumers to view their online financial accounts and transactions.
Multifactor authentication is achieved by combining two or three independent credentials to identify a user: what you know, what you have and what you are. A single authentication based on what you know is not enough to protect the user.
There are several types of multifactor consumer authentication technology from which to choose. This tip will briefly touch on the various flavors of the technology, the pros and cons of each and how to know which type is right for your financial services organization.
What to consider
Consider the following multifactor authentication schemes:
- Fingerprint on smart card
- Biometrics for secure mobile phones
- One-time password (OTP)
- USB PKI with biometrics
Fingerprint on smart card
One way of better securing the smart cards if lost or stolen is to add the customer's fingerprint to them. The upside of the technology is that the fingerprint is difficult to duplicate. No fingerprints of each individual are exactly alike.
The downside is that although a fingerprint-based system is the most common form of biometrics, it is not 100% reliable. There are a few instances where fingerprints are difficult to scan (e.g., genetic defect) The system is frequently configured with a backup authentication mechanism -- such as a PIN or password -- that can be entered in the event that the bank can't get a good scan. This additional feature, however, may raise the costs of financial services for consumers.
All financial institutions must comply with the IASC X9.84 Biometric Information Management & Security for the Financial Services Industry on securing biometric information. Banks should consider storing customers' fingerprints on a smart card for use with the ATM machines.
Biometrics for secure mobile phones
With biometrics on the mobile phones, consumers can securely view their account balances, pay bills and transfer money using mobile applications. Users have a choice of swiping their fingerprints on a scannable area on the phone or a scanning device connected to the phone. This feature differs from the way a fingerprint is stored on a smart card in that the ATM machine is used to verify that the fingerprint is indeed the owner's.
The upside is it is more convenient for the customer to use the mobile phone tied to biometric data while he or she is on the raod. The downside is that it is a bit inconvenient to plug in a scannable device to the mobile phone or clean periodically the scannable area on the phone.
Banks, credit unions and investment securities firms should consider tying a secure mobile phone with biometric data to a person to help prevent a thief from accessing financial applications posing as the phone's rightful owner.
For financial services consumers, a OTP will make it more difficult for a thief to gain unauthorized access to their online accounts -- by altering the password after each use. The first type of OTP uses a mathematical algorithm to generate a new password based on the previous passwords while a second type is based on time synchronization between the authentication server and the client providing the password. The third type uses a mathematical algorithm, but the new password is based on a challenge and a counter instead of being based on the previous password.
The upside is that by constantly altering the password, the risk of the password being stolen can be greatly reduced. The downside to OTP is that it comes with significant costs to implement; new hardware tokens need to be supplied to consumers, and the financials involved in training consumers can also be steep.
USB PKI with biometrics
For online transactions, banks and credit unions may consider such a hybrid USB and biometric device as a PKI client that consumers can use to authenticate to PKI systems. The consumers can plug in the device to their laptops to access the laptop with biometric data and then authenticate to the PKI system.
The upside is that biometric data needs to be verified before a consumer can authenticate to the PKI system. The downside is that if fingerprint is not scannable, then it is not possible to use USB PKI.
Moving up to three-factor authentication would make it easier for financial institutions to protect consumers against identity theft and fraud by using all of three technology methods mentioned above. Authentication methods using biometrics must be configured with a backup authentication mechanism in case, for example, a fingerprint is not scannable.
About the author:
Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, security, information assurance, financial, RFID technologies and project management.