Using authentication to ‘balance’ customer security with convenient access

A video monitor displays attendees as their images are captured with CyberLink's facial recognition during CES 2020 at the Las Vegas Convention Center on Jan. 8, 2020. (Photo by David Becker/Getty Images)

In the arms race that has been financial IT security management, customer authentication is proving to be a most valuable weapon, and one that’s constantly evolving, according to Meg Anderson, chief information security officer for the Principal Financial Group. 

Speaking Tuesday at the SC Finance eConference online, Anderson discussed how her 142-year-old financial planning, investment and insurance firm “balances” the demands of its 49 million customers while keeping their accounts and private data secure.

“We have to think about what is behind the authentication, protecting the finances and information of the customer, as well as our own intellectual property,” Anderson said. 

This can be a particular challenge for a financial firm like Principal Financial Group because, as Anderson added, “retirement accounts tend to have more money than checking accounts and [customers] are looking at them less frequently,” leaving greater potential for financial malfeasance to go undetected if proper security controls are not enforced. 

“Some customers would just shy away from accessing their information online due to [perceived] security risk,” she said. However, in this recent pandemic environment, more customers have chosen to embrace online and mobile access, since in-person options were limited. Hence, Anderson said it has become increasingly necessary not only to implement more seamless authentication controls like face or finger biometrics — to which customers have become accustomed in other mobile and online applications — but also for Principal Financial Group to “communicate more with customers to assure them the process is secure.”  

Often, this customer communication is the basic security blocking-and-tackling of giving customers “guidance on how to create a strong password, not to make it easy to guess or use it across multiple sites... use upper- and lower-case letters and different characters.”

On a positive note, Anderson pointed out that while a decade ago chief information security officers (CISOs) might have fretted that it would “frustrate customers if we demanded [more complex passwords and] the use of multi-factor, now they are more used to it and have come to accept it.”  

However, in the interest of making multi-factor authentication [MFA] more user-friendly and broadly accepted, financial service institutions like Principal Financial Group must focus on customer awareness, Anderson said. “Customers may think that they have a strong password, but they may be using it in more than one place... or it was guessable,” she added.

To that end, adding so-called “authenticator” applications (with QR codes, such as Google Authenticator) and facial or thumbprint biometrics is helping “to make sure customers get the right experience,” Anderson said. “Using these solutions [customers get] a more frictionless authentication.”

Not only can a more complex and difficult authentication process frustrate customers, it can also create false confidence.

“It makes them think, ‘I had to jump through all these hoops, and do all this stuff,’” Anderson said; as a result, they believe their authentication and access are invulnerable. 

At the same time, financial service institutions (FSIs) do not want to take away the brand value in knowing a customer and communicating with that customer to provide a better experience, she said. Hence, Anderson said, good security hygiene here often comes down to knowing “what’s normal behavior for each customer, and what seems unusual.” In this respect, authentication signals such as geolocation and keystroke entry remain an important tell. 
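As an added illustration of the behavioral approach Anderson describes (this is example code, not anything from Principal Financial Group or the article), the Python below scores a login attempt against a constructed per-customer baseline using geolocation, time of day and keystroke cadence, and adds MFA friction only when the attempt looks unusual. The signal weights, thresholds and sample data are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Profile:
    # What is "normal" for one customer; constructed here, learned from history in practice
    usual_countries: frozenset
    usual_hours: range             # local hours at which this customer normally logs in
    typing_interval_ms: float      # mean gap between keystrokes while typing credentials
    typing_stdev_ms: float

@dataclass
class LoginAttempt:
    country: str                   # from IP geolocation
    hour: int                      # local hour of the attempt, 0-23
    keystroke_intervals_ms: list   # gaps between keystrokes captured on the login form

def risk_score(profile: Profile, attempt: LoginAttempt):
    """Return (score, reasons). Each unusual signal adds weight; the weights are illustrative."""
    score, reasons = 0, []
    if attempt.country not in profile.usual_countries:
        score += 40
        reasons.append("geolocation not seen before for this customer")
    if attempt.hour not in profile.usual_hours:
        score += 15
        reasons.append("login outside the customer's usual hours")
    observed = mean(attempt.keystroke_intervals_ms)
    sigma = abs(observed - profile.typing_interval_ms) / profile.typing_stdev_ms
    if sigma > 3:
        score += 45
        reasons.append(f"typing cadence {sigma:.1f} sigma from baseline")
    return score, reasons

def decide(score: int) -> str:
    # Low risk stays frictionless; rising risk steps up to MFA, then blocks and notifies the customer
    if score >= 70:
        return "block_and_notify"
    if score >= 30:
        return "step_up_mfa"
    return "allow"

# Constructed sample data for one customer.
BASELINE = Profile(frozenset({"US"}), range(6, 23), 180.0, 30.0)
NORMAL = LoginAttempt("US", 10, [170, 185, 190, 175])
NEW_LOCATION = LoginAttempt("FR", 10, [170, 185, 190, 175])
SUSPICIOUS = LoginAttempt("FR", 3, [60, 70, 65, 55])

if __name__ == "__main__":
    for name, attempt in [("normal", NORMAL), ("new_location", NEW_LOCATION), ("suspicious", SUSPICIOUS)]:
        score, reasons = risk_score(BASELINE, attempt)
        print(name, score, decide(score), reasons)
```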

“Biometrics and broader [use] of authenticator applications will continue to expand,” Anderson predicted, adding that email-based authentication can often be compromised. “Time will tell. We’re removing the friction from the experience... to delight customers. Some will be more hesitant than others.”  