But the internet brings significant security risks. Banks must be able to guarantee that a customer is who they say they are in the face of increasingly sophisticated fraud attempts by cybercriminals, who have developed new ways of accessing sensitive information with alarming speed. Clearly, banks must deploy much more than password-based systems in order to encourage more customers to use online facilities and to protect existing internet customers from fraud.
Both Barclays and NatWest have recently announced that they are issuing card readers to customers, indicating the start of a trend toward using strong authentication for all customers, not just businesses or high net worth individuals.
The problem comes with integrating these new technologies into an existing infrastructure. Most banks are already managing a legacy of various point solutions that help customers access their accounts via different channels using different technologies. One customer might require a password to use the telephone banking service, and a memorable question for resets or emergency access; another might use a token based on proprietary or OATH technology to access online banking. Similarly, the same institution may, in the future, want to introduce PKI or biometric data to further improve the security of transactions.
Traditionally, banks and other financial services firms have built up a collection of point security solutions that are difficult to manage and incredibly costly to maintain. Firms are beginning to realize that there is a need to consolidate varying authentication systems into one single infrastructure that can support different types of credentials, from cards to tokens and interactive voice response technology. Gartner has coined the term “versatile authentication” to describe a platform used to manage all credentials.
A good versatile authentication platform will be based on open standards, so that it can be used as a system “backbone” to manage multiple authentication systems from different providers and to make the most of investment in pre-existing authentication technologies. It will also make it possible to add new authentication methods that may be required in future. Together, this reduces operational and infrastructure costs, and will ultimately reduce the total cost of ownership.
The benefits of versatile authentication are numerous, despite concerns over the impact of introducing new technologies on the user experience. Customers are more likely to put their trust in online financial transactions if they perceive them to be more secure, which will bolster the adoption of low-cost service channels. They will also benefit from a consistent authentication experience across all channels – using their EMV card to access their account via the internet, call center or branch.
In turn, the bank will benefit from the highest possible levels of security and flexibility, combined with lower costs and the ability to upgrade authentication levels to meet market needs.
The concept of versatile authentication also fits neatly with the trend toward a service-oriented architecture, which will improve the user experience in the long run. If a customer loses their EMV card, one single command within a versatile authentication platform should be able to disable the device – regardless of what technology it is based on and the channel through which the customer reported the card missing – thereby cutting down the amount of time spent by staff to resolve the problem.
Versatile authentication is the next logical step for financial services organizations that want to be ahead of the game, and should demonstrate a fast return on investment in the face of impending recession.
ActivIdentity EMEA is exhibiting at Infosecurity Europe 2009, April 28-30, 2009, in Earls Court, London.