New ways of authentication
In less than four years, internet and mobile banking applications have grown enormously. Over 70% of all transactions in Belgium are made via a PC banking application, and the share of transactions made via tablet or smartphone grew from 3% to 16% in 2014.
Looking at the number of authentications in Belgium, more connections are made via tablet or smartphone than via a PC banking application. Among young people between the ages of 16 and 24, as many as four out of five actively use mobile payment applications. These changing preferences, combined with emerging technology, force financial institutions to take a closer look at how they identify and authenticate mobile banking users when they log into their account. By replacing usernames and passwords with systems that can instantly recognize biometric identifiers or sync with wearable devices, these financial institutions are installing stronger safeguards and limiting the risk of fraud, while removing obstacles from their log-in experience.
Sia Partners believes that the future of authentication lies in finding the right balance between user-friendliness and security. Banks should not try to protect every part of their application equally tightly, but should identify different authentication categories within the same application.
- Light authentication: for basic information, such as consulting your balance or receiving "push" alerts when your balance goes below or above a certain amount, only a very light authentication is required. An application can, for example, give access without any password if the device is recognized, or after a first activation when setting up the account.
- One-Step Authentication: one method of authentication that is required for access to more secure transactions or information, such as low value transactions or transactions to known beneficiaries.
- Two-Step Authentication: this method of authentication is a combination of two or more independent elements: something that the customer knows (a password), something he is (biometrics) or something he owns (a card reader or a text message to his mobile phone, for example). This is the most secure, yet most time-consuming, way of authentication and can be required in order to subscribe to new products, add unknown beneficiaries and so on.
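The three categories above can be read as a step-up policy. The sketch below is an added example, not code from Sia Partners or from any bank named in this article; the operation names, factor names and the 25 EUR "low value" limit are assumptions, since the article gives none.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional

class Tier(IntEnum):
    LIGHT = 0      # recognized device, no credential prompt
    ONE_STEP = 1   # one authentication method
    TWO_STEP = 2   # two or more independent elements

# Factor categories from the list above: knows / is / owns (names are assumed).
FACTOR_CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "fingerprint": "inherence", "voice": "inherence",
    "card_reader": "possession", "sms_code": "possession",
}
LOW_VALUE_LIMIT_EUR = 25.0  # assumption: the article states no threshold

@dataclass
class Request:
    operation: str               # "balance", "payment", "add_beneficiary", ...
    amount_eur: float = 0.0
    known_beneficiary: bool = False
    device_recognized: bool = False

def required_tier(req: Request) -> Tier:
    """Lowest tier the article's categories allow for this request."""
    if req.operation == "balance":
        # Light access only on a recognized device; otherwise step up.
        return Tier.LIGHT if req.device_recognized else Tier.ONE_STEP
    if req.operation == "payment":
        low_value = 0 < req.amount_eur <= LOW_VALUE_LIMIT_EUR
        return Tier.ONE_STEP if (req.known_beneficiary or low_value) else Tier.TWO_STEP
    # New products, unknown beneficiaries, anything unlisted: fail closed.
    return Tier.TWO_STEP

def achieved_tier(factors: Iterable[str], device_recognized: bool) -> Optional[Tier]:
    """Tier reached by the presented factors; unknown factor names are ignored."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    if len(categories) >= 2:
        return Tier.TWO_STEP     # independent elements, e.g. PIN + fingerprint
    if len(categories) == 1:
        return Tier.ONE_STEP     # PIN + password is still one category
    return Tier.LIGHT if device_recognized else None

def authorize(req: Request, factors: Iterable[str]) -> bool:
    got = achieved_tier(factors, req.device_recognized)
    return got is not None and got >= required_tier(req)
```

Two factors from the same category, such as a PIN plus a password, only reach the one-step tier here, which is what "independent elements" implies.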
The ultimate goal of new biometric technologies is to provide a one-step authentication that is more secure than the current two-step authentication methods.
Alternative ways of authentication
A first alternative to the traditional card reader is a simple password. After a first registration with the card reader, the user can choose a password consisting of four or six digits with which he can confirm future payments without any other form of authentication. Belgian applications Sixdots and Bancontact, among others, work with this form of authentication. Banks such as Citigroup and JP Morgan are even working with mobile and smartwatch applications that - after a first registration - need no authentication to access information such as the account balance or the history of payments.
Apple's Touch ID and Samsung's Finger Scanner gave banks the opportunity to introduce fingerprint authentication in their mobile banking applications. For example, ING Belgium, Apple Pay, Credit Agricole and many others now support this in their applications.
Another popular new way to authenticate clients is voice recognition. Barclays, Tinkoff and Investec are rolling out voice recognition software in their call centers that confirms callers' identities as they carry on a conversation, relieving the financial advisors of annoying challenge questions or passwords. Some French online banks, such as Fortuneo or La Net Agence of BNP Paribas, also demand a vocal signature when signing up.
As the majority of customers only access the mobile banking application through their own phone, some banks have installed a mobile phone verification. The bank prompts users to sign up for the app with their phone number and sends them a confirmation code via SMS. When the application is in use, it then checks whether the phone number of the phone used matches this information.
Future of authentication
But financial technologists continue to investigate more innovative methods. Halifax is working on a wearable device that lets users unlock their application using the unique pattern of their heartbeat. Barclays is testing a finger vein-ID reader, which makes an infrared scan of the unique vein pattern that lies just below the skin surface of everyone's fingers. Another alternative is behavioural biometrics, which looks at the gestures and speed with which users key in information such as their password to differentiate a real user from an imposter. Finally, banks are also reported to be working on facial recognition or applications that use an iris scanner, backed by Fujitsu, which is developing an iris scan for smartphones based on infrared light.