Multi-Factor Authentication – Widely Adopted, Effective Protection

Static passwords alone are no longer a viable tool for identifying customers. With payments fraud rising year after year, and consumers becoming more comfortable with making payments online, authentication has never been more crucial.

Studies indicate that approximately 80 percent of today’s data breaches are the result of weak passwords. Wide-ranging fraud schemes centered on deceiving consumers into providing sensitive personal information have supplied fraudsters with an assortment of real and fake customer data points, which has fueled the uptick in identity theft and subsequent Account Take Over (ATO) tactics.

Multi-Factor Authentication (MFA), interchangeable with ‘two-factor authentication,’ offers one of the many protection layers for customer verification and is one of the most powerful and cost-effective means for identifying users, both digitally and physically.

There are three main variants associated with MFA: something that is identifiable (like a PIN or password), something in possession (like a phone), and something characteristic (such as fingerprints).

Here are five commonly accepted and effective authentication methods. We’ll briefly explore these methods and the pros and cons of each.

Short Message Service (SMS) OTP involves sending a unique one-time passcode (OTP) or text phrase to a mobile device to confirm access or verify financial transactions.

  • Pros: Considered the easiest and most effective authentication method. It is also very cost effective and universally accepted worldwide.
  • Cons: Requires physical possession of, or close access to, a phone, laptop, or mobile device. Also, codes usually expire within very short time spans.

Push Notifications send a notice to an application prompting the user to approve access attempts. Notices regularly provide data elements (time, location, and device type) for validation before acting.

  • Pros: Allows for swift authentication and has proven to be the most effective practice for combatting email attacks (phishing) and impostor attacks (man-in-the-middle). It is also fairly cost effective to implement.
  • Cons: Requires a certain security token type for deploying data exchange. Users must have and maintain devices that allow for hosting the application(s) and aiding general interoperability.

Biometric Authentication is dependent on unique biological characteristics and traits (fingerprints/facial features/eyes) to verify identity.

  • Pros: Makes for stronger and more frictionless validation and is becoming a more accepted method for user authentication. It requires no memorization of PINs or passwords.
  • Cons: Privacy concerns are fueling slower user adoption. Also, collection and data storage are rising consumer concerns.

Behavioral Authentication (BHA) verifies a user based on recorded device interaction, such as how the device is held and the cadence or pressure points when typing.

  • Pros: Provides a mostly secure and unnoticed authentication method and is hard to counterfeit. BHA offers a relatively frictionless mode of authentication.
  • Cons: Somewhat dependent on the user’s physical and emotional state of behavior. Also, users have concerns with data collection and storage and privacy invasion.

QR Codes are used more often for financial transaction verification, access to website applications and related information, restaurant menus, and enabling devices to act as TV channel remotes.

  • Pros: Provides simple authentication and integrates easily with other security tools. Also, most consumers already have the required device(s) and hardware for authentication.
  • Cons: Not a widely used authentication method and strongly dependent on a device and a QR Code application download.

The benefits and negligible cost of MFA are clear when weighed against the risk (both tangible and intangible) and associated cost of a data breach stemming from weak and compromised credentials. Criminals are getting more sophisticated. Fortunately, the technologies for matching their persistent fraud schemes and thwarting their attacks are up to the challenge.

Alan Nevels is senior vice president of card risk and merchant services at ICBA Bancard.