The Authentication Conundrum

Rob Griffin

John Ferguson

By John Ferguson, Chief Risk Officer at Cashfac, and Rob Griffin, CEO at MIRACL

The modern business landscape, to cybercriminals at least, is a land of opportunity. At every turn, paths lead to low hanging fruit, easy pickings, and most tempting of all, the gold at the end of the rainbow. To cybercriminals, financial services and fintech industries data is that gold. A brand new FS-ISAC new report found a growing list of cyber threats facing financial institutions in 2022, including third party risk and ransomware.

Fintech is a sector which, by its very nature, money flows through. Money attracts attention from cybercriminals, and the fintech industry is then charged with responding in kind. One major way that they can take control of their security is to appropriately guard the gates to the kingdom, with authentication. The current widespread authentication methods which we use – namely, passwords – to not meet the rigorous standards our industry upholds, both from a security and regulation perspective. Therefore, we need to turn to authentication alternatives. In this case, that alternative is a programme of multi-factor authentication.

Security and compliance in fintech: Ensuring customer safety

In an industry such as financial services, effective authentication security is necessary for two main reasons: To ensure that their clients, network and operating systems are secure, and to appropriately match any regulatory compliances necessary.

The first part of this is self-explanatory: Financial services products, organisations and services exist to facilitate the transfer or management of capital. A failure to undertake a rigorous, robust security posture for companies like ours could be terminal, as it would reflect a failure to safely complete the very function of our business, and would therefore reflect an immediate loss of reputation with our customers; Particularly if their assets were not simply stolen orput beyond use, but appeared for sale on dark web marketplaces where they can be purchased by further threat actors, to increase even more damage.

The second part is somewhat more complex. Regulations differ from industry to industry, and country to country, and failing to adhere to them will almost certainly result in a significant fine or loss of license from the associated regulatory bodies.

In this instance, we are going to focus on just one example: PSD2. PSD2 is a European regulation for electronic payment services. It seeks to make payments more secure in Europe, boost innovation and help banking services adapt to new technologies. In practice, this means that fintech companies such as ours are tasked with ensuring that our products meet the new standard for access and payment validation: specifically, multi-factor authentication, and making sure that the people authorising payments or accessing accounts are who they say they are and leave an indelible record of their actions. This is where partnering with a trusted MFA/authentication partner can give fintech providers, and their customers, the assurances that they are compliant with the relevant regulations, and secure. However, this is just one part of the conundrum.

Access and authentication for Fintech: A tightrope

Multi-factor authentication is a great tool for helping financial service organisations to ensure that they remain compliant with relevant legislative directories, and secure from the cyberattacks we know are constantly targeting end users trying to access their corporate networks. But if not done correctly, it can create friction between employees trying to complete their job functions, and IT teams seeking to authenticate. In our industry, it is of crucial importance that things happen smoothly and quicky, as well as with security and compliance accounted for.

The best authentication partners will understand this: They will understand fraud protection steps need to be taken, but also recognise that making this system as simple as possible, from training and onboarding through to deployment and customer integration, is the best way to keep fintech customers happy.

Concluding remarks: Authentication without friction as the gold standard

The financial services industry is going to be targeted in 2023 and beyond. Cybercriminals will continue to find new and inventive ways of helping themselves to or blocking access to an organisation’s data. Additionally, regulators will continue to impose new forms of accountability for the industry to adhere to as the financial repercussions of cybercrime continue to spiral. As a result of this precarious landscape, every login counts. Making sure that people can log into their online accounts with as little friction as possible, and with as much success as possible. Losing customers’ confidence at the point of logging in breeds frustration, which could turn into a customer eventually turning away from this solution. Our current partnership works to mitigate this risk, with recent logins hitting a 99.9% successful login rate.

It is the responsibility of the industry to make sure that they seek out the right partners to support them in this turbulent environment; And the responsibility of these partners to facilitate compliance and assure security, without affecting the function of the business. The right partners can help you to do that.