Why Mobile-Based Password-Free Authentication is the Future for Finance

If today’s fintech sphere relies on one thing, it would be smooth and unfettered digital access.

The fast pace of financial transactions and commercial activity means financial institutions need to give their clients and employees ways of moving funds and authorizing actions in a seamless and reliable way.

When it comes to handling digital access, referred to in the industry as Identity Access Management, or IAM, a schism has always existed between two competing considerations: ease of use and security.

Nowhere is this conflict more pronounced than in the financial sector.

The Security End

 With so much at stake, banks and similar institutions need to ensure identities are properly safeguarded. The slew of cyber attacks regularly targeting these organizations (of which many if not most are attempts at circumventing authentication measures) demonstrates this all too painfully.

The understanding within the sector of the need for better authentication practices is growing. We can see this reflected in the latest regulations pertaining to fintech and IAM. The Payment Card Industry Data Security Standard (PCI DSS) now requires MFA around applications and infrastructure supporting and processing payment card data. Similarly, new mandates from the New York Department of Financial Services (NYDFS) require certain covered enterprises to move beyond legacy authentication solutions and implement robust authentication protocols that support MFA and a federated architecture.

The latest milestone in this trend of evolving IAM standards was the release of a report by the National Institute of Standards and Technology (NIST) on Digital Identity Guidelines. NIST’s Special Publication 800-63 wipes away most old password rules and places the burden of securing access in the hands of identity protection technology. For all federal agencies and government suppliers, NIST standards mandate the use of Multi-Factor Authentication (MFA) for privileged access and remote access to the network  

In an effort to address today’s risks nearly all standards have recognized that we can no longer secure access to networks with single-factor authentication like simple passwords.

The User End

 On the other hand, the financial industry cannot be expected to set up too many barriers to user access. Complex and cumbersome access protocols inevitably result in employee downtime due to troubleshooting, high costs in help-desk tickets, and of course clients annoyed at being denied access to their accounts and assets

Password-less BYOD: the Way of the Future  

 What the financial industry needs is a model that can transcend the user experience-security schism, a solution that can offer both seamless access and strong security.

The little known secret is that nearly all employees of financial institutions as well as their clients, already own at least one powerful cryptographic device.

You guessed it: their smartphones.

Personal phones can be leveraged into creating a robust and easy to use, password-less authentication system for nearly any financial institutions. Known as “Bring Your Own Device” or BYOD, the system circumvents all of the security and logistical challenges associated with traditional authentication models. All of this leaves enterprise networks safer--and with substantially lower operating costs.    

The benefits of integrating the BYOD scheme into networks are essentially three fold:

Better user experience - no one needs to be taught how to use their smartphones. Password-less solutions such as push notifications and similar applications can be streamlined into large scale use with relative ease and speed.

Minimizing costs - BYOD means users are already equipped with the necessary hardware. This means no need to invest in expensive devices that are needed for other authentication alternatives such as hardware tokens and biometric sensors. Additionally, companies will save on resources that go to help desk calls as well as the employee downtime and man hours of fixing account lockouts and resetting passwords.

More secured – Tying digital access to a physical device (that users are already carrying around with them) means authentication cannot be attained through credentials alone. Eliminating passwords from the equation means that there is nothing for potential attackers to steel in order to gain illicit access. Furthermore, password-less apps are far better at protecting against hackers’ attempts to intercept communications and impersonate digital identities.

Password-less BYOD is the next big step for the fintech industry. The BYOD approach to authentication is a win win scenario that both supports the authentication needs of the modern financial institution while reducing cost and improving user experience.