For years, passwords and PINs have acted as the gateway between you and your money. But as cybercriminals grow more sophisticated, financial institutions have been forced to step up their game.
Banks and credit unions have turned to “multifactor authentication,” the catch-all phrase for using layers of security beyond a password to ascertain that the person accessing your checking account or swiping your card is you and not an identity thief.
How does it work?
Someday, multifactor authentication, or MFA, might happen with a biometric device that reads your fingerprint, scans your eye or scrutinizes your face. Perhaps you’ll wear a secret decoder ring that tells your smartphone that you’re the legit owner of your bank account.
For now, though, MFA takes more mundane forms. If you’ve ever entered your mother’s maiden name on your bank’s website, you’ve seen a rudimentary form of multifactor authentication.
MFA seeks to go beyond just mining the user’s own knowledge (passwords and challenge questions are considered “something you know”) with other types of verification, such as a smart card (“something you have”) or a biometric reading (“something you are”). As they consider this menu of security types, banks also have had to balance the need for tighter security with consumer demand for quick and convenient transactions.
Which institutions use multifactor authentication?
Good luck figuring out exactly which financial institutions use MFA, or what form their authentication measures take. Banks and credit unions are rarely forthcoming about their security measures, fearing that disclosing too much will give the bad guys an edge.
Occasionally, though, an institution will tout its security measures. On its website, CIT Bank talks up its MFA.
Elevations Credit Union, for its part, says its “Enhanced Multi-Factor Authentication” guards against thieves “by providing an additional authentication ‘factor’ beyond username and password.” The credit union says the factor is “a one-time access code that is given to you by your choice of phone, text message or email.”
It seems likely that every institution that handles Internet transactions, including community banks and credit unions, has some sort of MFA in place. Since 2005, the Federal Financial Institutions Examination Council (FFIEC) has urged banks to create layers of security for online transactions. That means MFA is barely more exotic than deposit insurance – which is to say, it’s not exotic at all.
What’s next for this security measure?
The challenges for MFA keep getting more daunting. In 2011, FFIEC acknowledged that security questions asking for personal information are too easy to crack in an era when people post gobs of information about themselves on Facebook and Twitter.
“Institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique,” FFIEC told bankers.
The same goes for cookies, which seek to verify a user’s identity by checking to see if he’s logging in from the same computer. Cookies are so easily compromised that they, too, have lost value as an authentication tool, FFIEC says.
However, FFIEC seems impressed by more sophisticated one-time cookies that can triangulate a consumer’s identity by looking at a computer’s configuration, IP address and geo-location.
FFIEC’s concern about security authentication is a response to the growing problem of electronic financial fraud. Scammers have stolen hundreds of millions of dollars. The Target credit card breach shows that neither financial institutions nor retailers have this problem entirely under control.
So what’s next for MFA? In a report for the British Payments Council, futurist Ian Pearson foresees the rise of fingerprints, voice recognition and facial recognition.
The true holy grail, he posits, will be jewelry or even skin implants that can validate a bank customer’s identity.
“We will soon see pieces of security jewelry entering the market for payment authentication, such as electronic signet rings,” Pearson writes. “It is a lot harder to lose a ring than a mobile phone.”