Financial institutions are using layered security for identity verification

For consumers conducting online banking transactions, answering what feels like a barrage of questions has become increasingly common. That’s no accident. Financial institutions are implementing comprehensive “step-up” authentication processes that present users with a series of questions to confirm their identity. As fraudsters become ever more sophisticated, strong security is no longer just a matter of entering a username and password.

There’s a compelling reason behind this growing complexity: the need to safeguard financial information is more important than ever, and preventing fraudulent activities is becoming more challenging. The security landscape for online financial information isn’t uniform; it’s nuanced and dynamic.

However, there’s good news. The financial industry is increasingly adept at distinguishing between online actions that pose higher risks and those that require less scrutiny. This means adapting security and online authentication to digital users’ real-time activities, which subjects more sensitive transactions to higher levels of verification and security measures.

 

Step-up authentication

Financial institutions are obligated to reduce risk by monitoring for unusual transactions and patterns of activity within their applications. Two-factor authentication (2FA) is a common security strategy that gained popularity in the mid-2000s, with its origins dating back to the introduction of hardware tokens in the 1980s. Passcode apps, authenticators, web browser plugins, biometrics and other authentication technologies followed. These tools collectively form the foundation of multifactor authentication (MFA), which has become a cornerstone of online security.

MFA encompasses several variations, each with its unique strengths. The strongest authentication typically involves a combination of “something you have” (perhaps a “tokenized” smart device, such as a phone) and “something you are” (such as biometric data). This combination offers robust security compared to relying solely on “something you know,” like a user name/password, and “something you have,” such as a one-time passcode (OTP).

The level of MFA required can vary depending on the context of the user's actions. When initiating a login action, security measures often permit “weaker” forms of MFA, such as combining a username/password with an OTP. This approach is deemed sufficient since, during the login phase, users primarily access read-only data about their accounts.

As users proceed to in-session actions, the risk profile can change dramatically. For example, when transferring a substantial amount of funds – say, $20,000 – the security posture needs to be enhanced. This transition triggers a step-up authentication with a second layer of verification. This typically involves stronger methods, such as biometrics or hard tokens, to further secure high-risk transactions.

Security questions are being phased out in favor of more robust authentication methods, because the “something you know” aspect of security questions can be compromised. Instead, financial institutions are opting for authentication mechanisms that offer higher levels of security and enhanced protection against fraudulent activities.

Past transaction data reveals distinct behavior patterns that indicate heightened fraud risk. This historical information, along with device data, plays a critical role in assessing and mitigating risks during the login process. A banking institution may appear to ask only for a username/password when logging in, but behind the scenes, sophisticated systems have collected device information and established patterns of typical behavior to ascertain that users are who they say they are. This process helps streamline the login experience, reducing friction for users.

Once these systems have confirmed the user’s identity based on historical data and device information, they may only require a username/password for access and refrain from requesting additional information, such as an OTP. This approach optimizes the user experience while maintaining a high level of security.

 

Respecting the user experience

The effectiveness of these approaches relies heavily on their implementation and acceptance by the user base. When exploring online security measures, considering the impact on the user experience is key to the success of implementing and maintaining new strategies. Authentication must be practical and accessible, or users will be reluctant to embrace it.

Most, if not all, means of authentication have limitations that discourage some users or make adoption impractical for some use cases. For example, physical tokens can be lost or broken. Workplaces that restrict access to smartphones can’t use authentication apps, and may not be able to use phone-based passcodes. Some users reject biometric authentication because they perceive it to be an invasion of personal privacy.

In their frustration, users can reject security measures they don’t like, effectively canceling any added security benefit. Even worse, users may opt not to add a second-factor authentication, like an OTP, since many financial institutions make 2FA optional instead of mandatory (for fear of alienating end users).

To maximize user adoption, financial institutions should aim for a balance between the highest security and the least friction possible. This approach reduces the number of consumers who reject security measures or adopt unsecured workarounds.