By Baldeep Dogra, Director of Solutions Marketing at BlackBerry
For over 50 years, a password and a username have been the fundamental and largely unchanged model for identifying and verifying users – both in the financial sector and beyond. Nevertheless, there are drawbacks to this strategy, which can certainly be seen in the financial sector.
Firstly, employees often prove unable to use usernames and passwords safely enough to protect their data. Indeed, 94% of financial services IT managers are not fully confident in the ability of their employees, consultants and partners to adequately safeguard data. This was revealed in a survey conducted by BlackBerry of 500 financial services IT professionals across six countries in North America and Europe.
Furthermore, complex and long usernames and passwords are not user-friendly. This leads to an area of tension: how do we balance user experience (UX) with security? For example, passphrases are more secure than the familiar passwords, but with the advent of mobile devices and apps, user preferences have shifted. Nowadays, users want fast and practical access, and long passwords seem impractical.
The consequences of these drawbacks can be severe, especially within the financial sector. If safety guidelines are breached and sensitive data is compromised, the company is vulnerable not only to damage from competitors or criminals, but also to violation of GDPR. This is not to mention considerable damage to its reputation and the subsequent loss of business.
Fortunately, an approach is emerging that can address these concerns: Artificial Intelligence (AI). The emphasis shifts from recognising usernames and passwords to recognising the user themselves. Here, AI techniques are applied to gain insight into how verified users interact with business apps, data and services. On that basis, cybersecurity professionals in the financial sector can detect when malicious users or malware attempt to access data.
The individual techniques, which all work together to identify users, generally fall into two main categories:
– Continuous authentication – Unlike password-based authentication and other two-factor authentication (2FA) techniques, continuous authentication compares the user’s behaviour during each session with existing (learned) models of past behaviour. It also looks for abnormalities that may indicate that the session has been taken over by an external threat. These techniques include, for example, behavioural biometrics (typing speed and mouse movements) and transactional behaviour (such as the transactions performed and the amounts involved).
– Contextual awareness – This approach is based on understanding the context of a particular session or transaction and then aligning it with security policies. The security policy performs context-based checks and can then take appropriate action. The context typically includes both the physical context (e.g. device and network used, time of day, location) and the transactional context (e.g. transfers or withdrawals).
From the user’s point of view, the great advantage of the above techniques is that the user does not need to perform any additional actions to authenticate. The techniques make automatic and continuous authentication possible and, at the same time, adapt to the user’s context while the user concentrates on their work tasks. For example, less strict authentication is applied when a user is working in a lower-risk context, such as routine transactions.
Zero Trust design
The application of these techniques can lead to a user experience that rarely requires a password. Authentication is then only requested when the risk of the context is too high. At the same time, the bar for cybercriminals is considerably higher, because they have to navigate multiple layers of behavioural and contextual risk assessment. They need to pass these continuously, with an increasing degree of scrutiny as the transaction risk increases.
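To make the two categories above concrete, and to show how authentication is only demanded when the combined risk is too high, here is an added example of a small risk-scoring policy engine. It is illustrative code written for this page, not BlackBerry's product or implementation: the features (typing interval, mouse speed, device, country, hour, transaction amount), the weights, the risk bands and the sample user profile and sessions are all constructed assumptions. A real system would learn the baselines from many observed sessions and tune the policy to the institution's risk appetite.

```python
"""Risk-based continuous authentication: an illustrative policy engine.

All feature choices, weights, thresholds and sample data below are
constructed for illustration (assumptions), not a vendor's implementation.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Policy weights (constructed): how much each contextual signal raises risk.
W_UNKNOWN_DEVICE = 0.3
W_UNUSUAL_COUNTRY = 0.2
W_UNUSUAL_HOUR = 0.1
W_UNUSUAL_AMOUNT = 0.2
W_ROUTINE_TRANSACTION = 0.05

# Risk bands (constructed): below ALLOW_BELOW the session stays frictionless,
# below STEP_UP_BELOW an explicit factor is requested, otherwise block and alert.
ALLOW_BELOW = 0.3
STEP_UP_BELOW = 0.6


@dataclass
class UserProfile:
    """Learned baseline for one user (constructed sample values)."""
    typing_intervals_ms: list   # past key-to-key intervals
    mouse_speeds_px_s: list     # past pointer speeds
    typical_amounts: list       # past transaction amounts
    known_devices: set
    usual_countries: set
    usual_hours: range          # local hours in which the user normally works


@dataclass
class SessionEvent:
    """What the app observes for one action in a session (constructed)."""
    typing_interval_ms: float
    mouse_speed_px_s: float
    device_id: str
    country: str
    hour: int
    action: str                 # "view", "transfer" or "withdraw"
    amount: float = 0.0


def zscore(value, samples):
    """Distance of value from the baseline, in standard deviations."""
    sd = pstdev(samples)
    return 0.0 if sd == 0 else abs(value - mean(samples)) / sd


def behavioural_risk(event, profile):
    """Continuous authentication: drift of this session from the learned
    behavioural model. Each signal contributes up to 0.5, saturating at 3 sigma."""
    z_typing = min(zscore(event.typing_interval_ms, profile.typing_intervals_ms), 3.0)
    z_mouse = min(zscore(event.mouse_speed_px_s, profile.mouse_speeds_px_s), 3.0)
    return z_typing / 6.0 + z_mouse / 6.0


def contextual_risk(event, profile):
    """Contextual awareness: physical context (device, location, time) and
    transactional context (what is being done and for how much)."""
    risk, reasons = 0.0, []
    if event.device_id not in profile.known_devices:
        risk += W_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if event.country not in profile.usual_countries:
        risk += W_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if event.hour not in profile.usual_hours:
        risk += W_UNUSUAL_HOUR
        reasons.append("unusual hour")
    if event.action in ("transfer", "withdraw"):
        if zscore(event.amount, profile.typical_amounts) > 2.0:
            risk += W_UNUSUAL_AMOUNT
            reasons.append("unusual amount")
        else:
            risk += W_ROUTINE_TRANSACTION
    return risk, reasons


def evaluate(event, profile):
    """Combine both categories into one score and map it to a policy action:
    authentication is only demanded when the risk of the context is too high."""
    behaviour = behavioural_risk(event, profile)
    context, reasons = contextual_risk(event, profile)
    if behaviour >= 0.5:
        reasons.append("behaviour deviates from learned model")
    score = min(1.0, behaviour + context)
    action = "allow" if score < ALLOW_BELOW else "step_up" if score < STEP_UP_BELOW else "block"
    return {"score": round(score, 3), "action": action, "reasons": reasons}


# Constructed baseline for one fictitious user.
PROFILE = UserProfile(
    typing_intervals_ms=[180, 200, 190, 210, 195, 205, 185, 215],
    mouse_speeds_px_s=[400, 450, 420, 480, 430, 470, 440, 460],
    typical_amounts=[50, 120, 80, 200, 150, 90, 60, 110],
    known_devices={"laptop-01", "phone-01"},
    usual_countries={"GB"},
    usual_hours=range(8, 19),
)

# Constructed sessions: a routine payment, a larger payment from abroad on a
# known device, and a session whose behaviour and context both look foreign.
ROUTINE = SessionEvent(200, 440, "laptop-01", "GB", 10, "transfer", 100)
TRAVELLING = SessionEvent(205, 450, "phone-01", "FR", 14, "transfer", 250)
HIJACKED = SessionEvent(90, 900, "unknown-dev", "US", 3, "transfer", 5000)

if __name__ == "__main__":
    for name, event in [("routine", ROUTINE), ("travelling", TRAVELLING), ("hijacked", HIJACKED)]:
        print(name, evaluate(event, PROFILE))
```

Run as a script, the routine session is allowed without any prompt, the travelling session (known device, but unusual country and amount) is asked for a step-up factor, and the hijacked session (behaviour far from the learned model plus an unknown device, odd hour and large transfer) is blocked. The `reasons` list is what a security operations team would want logged alongside the decision, so that step-ups and blocks can be reviewed and the weights tuned.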
Incidentally, this does not mean that implementing these authentication techniques goes without a hitch. For example, apps and services need to be changed to integrate these new techniques, which is considerably more complex than building a login page that collects passwords and passes them on. However, this challenge can be overcome by using a platform-based approach, rather than an app-by-app approach in which each individual app and service is tackled separately.
A new era of security
Although strong usernames and passwords have long been seen as the best way to protect the financial sector, they are too vulnerable in themselves, especially when it comes to securing the data the sector owns. Using AI, cybersecurity professionals are working to develop more reliable authentication techniques tailored to each individual user. By recognising behaviour instead of login data, users can rely more on the security of their finances and data. This frictionless experience ultimately means the best UX whilst assuring security and privacy and delivering optimised productivity.