The passwordless future of finance


Financial services organisations should be looking to adopt alternative authentication methods to protect their systems and data from cybercriminals 

Guest contributor


Financial services organisations are among the most common targets of cyberattacks, with threat actors ranging from individual scammers to highly organised cybercriminal groups that attempt to exploit and disrupt the sector. Cybersecurity is therefore a vitally important consideration for financial institutions and their clients: it prevents fines and reputational damage and sustains client confidence.

For years, usernames and passwords have been the go-to method for securing our digital identities, and most US banks still rely on this method. However, everyone has moments when they are vulnerable to attacks that exploit their cognitive biases, and the challenge with passwords is that users quickly become fatigued. Constantly creating and keeping track of the burgeoning number of passwords needed to navigate the myriad systems they interact with daily is a task that leads many users to seek workarounds.

Fortunately, as technology advances, so do the methods available to authenticate users securely. Passwordless authentication is growing in popularity among organisations because it eliminates many of the pain points and costs that come with managing passwords in an enterprise-sized organisation. One increasingly popular method is passkeys, a replacement for passwords. Offering an enhanced user experience, security and scalability, passkeys are helping improve authentication and paving the way for a passwordless future.

Passkeys are a more secure and easier-to-use option than passwords. With passkeys, users sign in to applications and websites with a biometric such as a fingerprint or facial recognition, a PIN code or a pattern, so they no longer have to remember and manage passwords.

The Fast Identity Online (FIDO) Alliance is at the vanguard of passkey technology. FIDO standards, such as FIDO2 and WebAuthn, facilitate secure authentication mechanisms by enabling passwordless logins via biometrics, USB tokens, or mobile devices. By eliminating the need for passwords altogether, FIDO standards mitigate the inherent vulnerabilities that go hand in hand with traditional authentication methods. 

While all types of passkeys serve the same purpose, eliminating passwords, there is some variation in how they can be stored and managed, which affects how financial services firms should use them. There are two categories: synced and device-bound.

Synced passkeys are synchronised between a user's devices via a cloud service, which can be part of a given device's operating system or third-party software. This gives users seamless access to their credentials across multiple devices. Whether logging into a website on a laptop or accessing an application on a smartphone, synced passkeys ensure a consistent and frictionless user experience.

Device-bound passkeys are tied to specific hardware, such as a smartphone or a USB security key. By leveraging the unique characteristics of each device, these passkeys boost security by adding another layer of protection against account compromise. This type of passkey also reduces reliance on centralised servers, mitigating the risk of data breaches and server-side attacks. Last but not least, they fully comply with regulations such as PSD2.

While synced passkeys are a good alternative to passwords for moderate-assurance use cases such as logging in to web resources, banks should also enable device-bound passkeys for high-assurance use cases that require Strong Customer Authentication (SCA) or Multi-Factor Authentication (MFA), such as customers completing a transaction, or employees and business partners accessing the organisation's sensitive digital resources. A good benchmark for banks in the U.S. is the PSD2 regulation in Europe. Synced passkeys, while great for user experience, cannot fully match the stringent SCA requirements.
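As an added illustration (not code from the article, Thales or the FIDO Alliance), the relying-party check below shows how a bank's server can tell a synced passkey from a device-bound one using the backup-eligibility (BE) and backup-state (BS) flags that WebAuthn authenticators report, and then enforce device-bound, user-verified passkeys for high-assurance operations while accepting either kind for ordinary web login. The relying party ID `bank.example` and the two assurance-level names are assumptions for the example.

```python
import hashlib
import struct

# WebAuthn authenticatorData flag bits (the flags byte follows the 32-byte rpIdHash).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric, PIN or pattern)
FLAG_BE = 0x08  # backup eligible: the credential may be synced via a cloud service
FLAG_BS = 0x10  # backup state: the credential is currently backed up

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }

def passkey_kind(parsed: dict) -> str:
    # A credential that can never be backed up stays on the authenticator that created it.
    return "synced" if parsed["backup_eligible"] else "device-bound"

def assurance_check(auth_data: bytes, rp_id: str, required: str) -> tuple[bool, str]:
    """required is 'moderate' (web login) or 'high' (SCA-style transaction approval)."""
    p = parse_authenticator_data(auth_data)
    if p["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not belong to this relying party"
    if not p["user_present"]:
        return False, "user presence (UP) flag not set"
    if required == "moderate":
        return True, f"{passkey_kind(p)} passkey accepted for moderate assurance"
    if required == "high":
        if not p["user_verified"]:
            return False, "high assurance requires user verification (UV)"
        if p["backup_eligible"]:
            return False, "high assurance requires a device-bound passkey"
        return True, "device-bound, user-verified passkey accepted for high assurance"
    raise ValueError(f"unknown assurance level {required!r}")

def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    # Constructed sample data for local testing; real values arrive from the client.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

In a real deployment this check sits after signature verification of the assertion, and the policy decision should be logged so that a synced passkey being refused for a payment is visible to the fraud and security teams.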

To ensure a smooth and secure transition, financial services companies should adopt Thales' Passwordless 360° approach, which provides a comprehensive framework for planning and evaluating passwordless implementations.

The first key step of the Passwordless 360° approach is user ecosystem mapping, in which internal and external users, including employees, customers, partners and suppliers, are charted. Organisations should evaluate their access levels, transaction types and associated data sensitivity, a process that will expose potential security gaps in current and planned passwordless coverage.

Next, the organisation should establish risk-based assurance levels by determining the appropriate authentication strength for each user group. High-risk scenarios necessitate robust multi-factor authentication, such as using hardware keys in combination with biometrics. For low-risk access, however, streamlining authentication may be more convenient. 

Finally, overlaying existing passwordless deployments onto the map highlights any remaining vulnerabilities. For example, strong authentication for internal supply chain staff might not address equally sensitive access by external collaborators. 

Overall, the Passwordless 360° approach empowers IT leaders to visualise complex passwordless needs, justifying investment to stakeholders and prioritising a phased rollout for maximum impact. By adopting the holistic Passwordless 360° approach, businesses become more resilient against cybercriminals’ evolving tactics. 

It’s time to move into the future of authentication. With FIDO passkeys, financial institutions can enjoy the unbeatable combination of security, usability and trust they provide. 

Discover more about the Passwordless 360° approach on Thales’s website 

Haider Iqbal is identity and access management product marketing director at Thales 

Discover more insights like this in the Winter 2024 issue of Technology Record. Don’t miss out – subscribe for free today and get future issues delivered straight to your inbox. 
