Threat of the Week: The Rise of Multi-Factor Authentication
Without much fanfare, the biggest banks recently have been taking steps that, if unanswered, could quickly have profound and negative ramifications for credit unions.
“Top-tier financial institutions realize passwords are ineffective due to users picking weak ones. To compensate, organizations like Bank of America, Chase and HSBC allow consumers to opt in for a second authentication factor using SMS or voice calls to a mobile device,” said John Steven, internal CTO at the Dulles, Va.-based security company Cigital.
In an era of epidemic insecurity, security is primed to win.
It’s not just weak passwords driving the trend.
The upshot is that consumers are being offered the opportunity to opt into multi-factor authentication, at least for some high-risk transactions.
“This is coming down the pike fast,” Steven said.
How does it work?
Transactions such as overseas wire transfers would require the user to provide not just a password (“something you know” in security speak), but also “something you have” and/or “something you are.”
Biometric authentication, a fingerprint for example, could be used to meet the “something you are” requirement.
Keying in a one-time password that had just been sent via SMS to a cellphone would qualify as “something you have” authentication.
“Big banks are making themselves harder targets for criminals,” Steven said. “Criminals are going down the food chain, looking for softer targets.”
And that, suggested Steven, could mean a big red bullseye is now painted on a credit union near you.
“Credit unions don’t do much they are not compelled to do [by regulation],” Steven said.
John Zurawski, vice president of marketing at Authentify, a Chicago-based authentication firm, said the migration into out-of-band authentication already has begun.
“The big banks are doing it now,” he said.
“Out of band” means using a different avenue to authenticate a user. If the user is in an online, computer-based banking session, an SMS to his or her cellphone is out of band. Security experts like out-of-band authentication because the criminal, to dupe the system, has to take over multiple devices.
So what’s holding back credit unions from adopting this?
The answer is user experience, said Neil Hartman, a banking practice lead at consulting firm West Monroe Partners.
“Credit unions have held back because they have not wanted to interfere with the user experience,” he said.
But, he noted, something very big has happened to alter the rules of the game.
“Now we are seeing consumers asking for it,” Hartman said.
The game changer is an increasing number of consumers who are using multi-factor authentication on leading websites such as Google, Facebook, and Twitter. Their comfort with the technology is growing, as is their confidence that this is a way to make it much harder for a criminal to take control of an account.
Hartman said multi-factor authentication will become the norm very soon.
“Cybercrime is increasing exponentially. Financial institutions are looking for protection. They need multi-factor authentication,” he said.
Are credit union vendors ready and able to offer multi-factor?
At banking apps developer Malauzai in Austin, Tex., Chief Product Officer Robb Gaynor said multi-factor authentication potential already resides in the company’s apps, and at least one bank has deployed it.
Gaynor added that business mobile customers, using Malauzai’s new business apps, also have access to it.
Doug Brown, a vice president at the Florida-based FIS, succinctly responded when asked if his bank and credit union clients are asking for multi-factor authentication tools.
“Yes they are and yes we are doing [it],” he said.
The bottom line is that multi-factor authentication has joined the growing list of security must-haves. It’s good for the members, good for credit unions and, ultimately, bad only for cyber criminals.