Banking on a Passwordless Future

By Alex Laurie, SVP Global Sales Engineering, ForgeRock

Two years on from the pandemic, businesses are still adapting to the mass digital transformation brought on by the pandemic. While some initially found the transition to digital operations at times challenging, in general UK businesses have taken the new ways of working in stride.

However, as this technological revolution unfolded, it has brought an onslaught of bad actors looking to exploit the situation. When businesses moved quickly to adapt, corners were cut and unfamiliar operating contexts emerged, leaving gaps for opportunistic cyberattackers to bypass defences. As a result, cyberattacks in the UK have remained high.

The finance sector is no exception to this trend. The rise in the use of online financial services meant an inevitable increase in malicious activity: in 2021, 12% of records breached belonged to the financial sector. In an industry so reliant on identity, data, and trust, security teams are faced with an enormous task. So what are they up against, and how can they respond?

The weakest link

Financial services firms had to move fast to adopt online systems in their internal and customer-facing processes. Online services that let you access bank accounts, make transactions and transfer money are now the default customer access channel for most banks, allowing users to access multiple services from one device. Data from the Cyber Security Breaches Survey 2022 found that 82% of UK companies used online banking accounts in 2021, and the percentage of businesses accepting online payments increased to 30%.

However, data also shows that these changes have exposed a risk point. A high proportion of threats across the UK came in the form of phishing attacks, accounting for 38% of all incidents between January and September in 2021. In a time when emails and messages were a crucial line of connection between banks and their online-first customers, notifications represented an obvious choice of attack vector, targeting the weakest link in the chain: human error.

High risk, high reward

To date, the financial services industry has always been heavily regulated by cybersecurity legislation. Multi-Factor Authentication (MFA) is now commonplace across the banking sector, and a good starting place to increase security for users. Adding another layer of protection, MFA requires two or more types of credentials, such as a one-time password, a pin or a biometric identifier. However, financial institutions should not stop there.

The sector needs to adapt their protection to match the increasing variety and sophistication of threats without sacrificing the all important user experience. The cost of getting this wrong can be devastating: financial services data is often highly sensitive and valuable to individuals and malicious actors alike. In this sense, cybersecurity innovation should be seen as a strategic imperative that helps secure customer trust and safeguard the business.

The passwordless future

There are several ways the financial sector can achieve a security posture that is strong enough to build customer trust without forgoing user efficiency. Firstly, it’s important to consider Zero Trust from the outset. Zero Trust starts with the assumption that all access requests at every level should be continuously verified because in the remote- and digital-first era, there are no longer clear network boundaries. While the concept of Zero Trust is primarily applied as a modern approach to access for employees it can also be applied to consumer access across channels like mobile, web and physical banking. Over the past two years we’ve seen a significant convergence in the approach of security access for employees and consumers in financial services.

Starting with Zero Trust as a base, organisations can then use smart tools to streamline access requests, and avoid security teams being overwhelmed. Artificial Intelligence (AI) is a good example. It can be an integral part of a company’s defences when used correctly because it allows a security apparatus to monitor login requests in real time, automatically blocking malicious attacks and suspicious behaviour through learnt patterns, escalating high priority or sensitive requests for human handling where needed. Legitimate users are able to pass through security systems seamlessly, without the need for additional human resources and manpower.

Digital transformation needn’t stop there. The passwordless future is on the horizon, with potential for login details themselves to become a thing of the past – after all, if a password exists, it can theoretically be guessed. Recent developments in FIDO2 authentication has seen tech giants such as Apple, Google, and Microsoft move towards the discarding of passwords altogether. A passwordless future would be game-changing for the financial sector. Not only would this increase the security and ease of online access, but also reduce the value of stolen credentials to attackers.

Banking on tech-enabled trust

Behavioural changes brought on by the pandemic have caused an apparently permanent shift in both how we conduct business online, and how threat actors target organisations. How the financial sector responds to this transformation is crucial – whether that be adopting a culture of Zero Trust, implementing MFA and AI systems, or banking on the passwordless future. This promises not only to protect users in the short term during a volatile period for cyberattacks, but also continually build the trust that is fundamental to the value of the financial services industry.