Seamless Security With Continuous Authentication

How the implementation of continuous authentication in the banking sector locks out fraudsters and provides a seamless user experience for customers.

Jun 27, 2023 - 3 min.
Branka Miljanovic

You are probably familiar with the following scenario: you travel to another country and want to withdraw cash from an ATM. You enter your personal identification number and wait. The machine issues the sum you requested. The next day, you want to use the same card to pay in a shop. However, you discover that your card is now locked. After calling your bank, you realise that this was simply a security measure because your card was assumed to have been stolen. This is not only inconvenient but also annoying. And now, picture the same thing happening with your online banking. This is the worst-case scenario. However, you will no doubt have had the experience of being automatically logged out of your account. Although far less irritating, this is still not as convenient as it could be. This everyday example shows how security often takes priority over a seamless user experience. However, continuous authentication offers banks a solution that guarantees secure banking and improves risk evaluation. Read on to learn what makes this security system indispensable.

Continuous security for banks with continuous authentication

Continuous authentication is a security concept that can be used, for example, to validate an individual user continuously during a banking session. In this case, it allows the identity of the user and the end device to be checked in the background without interrupting the banking session. This type of authentication therefore provides an additional security level, since passwords, PIN codes or biometric features (such as fingerprints) can be intercepted by cybercriminals, who can then bypass ‘simple’ one-off authentication procedures.

The area of continuous authentication covers a range of technologies that are mostly based on machine learning (ML), biometrics and the different behaviour patterns of a bank customer. In this way, behavioural biometrics such as typing speed or mouse movements can be integrated downstream of multi-factor authentication, which uses different factors to verify a customer’s identity. During the account session, the system then continuously scans for any significant changes in customer behaviour that could indicate an account takeover. Furthermore, context-based factors are frequently used to establish a user’s identity. Key factors in this regard include the device location (geo-location and geo-velocity), the IP address and the device type.

Many cyber risks – one concept

For banks, the implementation of the continuous authentication concept delivers enhanced security because it allows them to recognise suspicious activities or unauthorised access to an account more quickly. If a customer’s typing speed deviates dramatically from their ‘normal’ behaviour, and if this is accompanied by an unusual or unknown location, this is generally an indication that someone other than the ‘real’ customer has logged into the account. This increases the risk score, and the bank’s system can request additional customer authentication.

These days, it is essential to adapt to dynamic cyber threats: organisations must be able to react flexibly. The advent of increasingly easy-to-use tools based on artificial intelligence (AI) has made it easier for cybercriminals to adapt their methods just as flexibly.

The security concept can help to contain typical fraud cases such as account takeover, phishing attacks, identity theft or account opening fraud.

A real-life example – account takeover by cybercriminals

Account takeovers are when fraudsters take control of a bank customer’s account in order to transfer money. This can be done with the help of stolen credentials, credential stuffing or, for example, remote access Trojans (RATs). In all of these cases, cybercriminals often manage to bypass traditional authentication methods.

Mobile banking fraud, in particular, has been on the rise. Here, criminals use social engineering attacks to trick users into downloading an app onto their mobile phones. These fake apps are frequently offered on popular portals such as Google Play. Once the app is downloaded, the door is wide open for the fraudster because the app contains a remote access Trojan that takes control of the device. This allows attackers to intercept not only login data but also one-time passwords (OTPs) and thereby gain access to the bank account.

These attacks are often detected too late, giving the criminal time to empty the account.

However, continuous authentication can be used to detect that the person wreaking havoc on the account is not the ‘real’ customer. Behavioural biometrics during the login can detect a significant difference in typing speed, for example. Cybercriminals also often use copy-and-paste techniques instead of typing a transaction in manually. If several divergent patterns coincide, there is a high risk that a fraudster is at work. The bank can then require re-authentication or cancel the transaction altogether.
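To make the risk-scoring idea described above concrete, here is an added example (not code from the original article or from any vendor) that combines the signals the text mentions: typing-speed deviation from the customer’s baseline, unknown location or device, geo-velocity between logins, and pasted rather than typed transaction data. The field names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """Per-customer profile learned from past sessions (constructed here)."""
    typing_cpm_mean: float        # characters per minute
    typing_cpm_std: float
    known_countries: set
    known_devices: set

@dataclass
class SessionSignals:
    """Signals observed in the background during the current session."""
    typing_cpm: float
    country: str
    device_id: str
    pasted_amount: bool           # transaction amount pasted instead of typed
    km_from_last_login: float
    hours_since_last_login: float

def geo_velocity_kmh(km: float, hours: float) -> float:
    # Implied travel speed since the previous login; instant moves are impossible.
    return km / hours if hours > 0 else float("inf")

def risk_score(b: Baseline, s: SessionSignals) -> tuple[int, list[str]]:
    """Return an additive risk score and the reasons that contributed to it."""
    score, reasons = 0, []
    z = (abs(s.typing_cpm - b.typing_cpm_mean) / b.typing_cpm_std
         if b.typing_cpm_std > 0 else 0.0)
    if z > 3:                                   # typing speed far outside baseline
        score += 30; reasons.append("typing_speed")
    if s.country not in b.known_countries:      # unusual or unknown location
        score += 25; reasons.append("location")
    if s.device_id not in b.known_devices:      # unknown end device
        score += 20; reasons.append("device")
    if s.pasted_amount:                         # copy-and-paste instead of typing
        score += 15; reasons.append("paste")
    if geo_velocity_kmh(s.km_from_last_login, s.hours_since_last_login) > 900:
        score += 30; reasons.append("geo_velocity")   # faster than an airliner
    return score, reasons

def decide(score: int) -> str:
    """Assumed policy: low risk passes silently, medium steps up, high cancels."""
    if score >= 60:
        return "cancel_transaction"
    if score >= 30:
        return "step_up_auth"
    return "allow"
```

A genuine customer on a known device in a known country with normal typing scores 0 and is never interrupted; an unknown device plus pasted input triggers a step-up, and a session that additionally shows abnormal typing and an impossible travel speed is cancelled outright.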

Security vs user experience

Security should always be the top priority for banks. However, the customer experience must also be addressed. The implementation of continuous authentication significantly improves both security and the customer experience. It makes complex passwords that users have to remember obsolete. There are no interruptions due to additional authentication steps because the authentication is performed in the background. The focus is on protecting the customer without compromising the customer experience with constant security measures.
