
Will banks blame the customer for funds lost to fraud?


Reflecting on the future of authentication and the best practices at the core of account security

By Dearbhail Kirwan, operations lead at Edgescan

Currently, customers who suffer financial fraud can trust their bank to refund the lost amount should their details or identity be stolen. But questions are starting to be raised around users' responsibility to maintain their accounts' security through strong credentials and simple cyber hygiene practices. Should a failure to enable two-factor authentication result in denied compensation after a compromise? Where should the onus and risk of account security fall: on customers, or on financial institutions and retailers?

The role of computer literacy

Computer literacy plays a big part here when looking at consumer practices. Consider a comparison to physical security: it is widely accepted and practised that we secure our physical belongings to the best of our ability, usually with locks, alarms and so on, and where protection and compensation are concerned, such as house or car insurance, negligence on the part of the consumer can invalidate a claim. It is unlikely that individuals would be as cavalier about giving someone a copy of their keys, or sharing their alarm code, as they appear to be when falling prey to scams online. This brings us back to the persistent problem of education and awareness. Users are not generally wilfully negligent with security, but they tend to be the weak link in the chain through a lack of awareness or know-how when it comes to securing themselves, a problem that is further amplified in demographics with lower levels of computer literacy. This in turn can make institutions less willing to embrace more secure practices for fear of losing customers who perceive the procedures as difficult or complicated, leading to a vicious cycle of poor awareness and insecure practices.

Regulatory steps for strong customer authentication

The EU has already taken steps towards enforcing minimum levels of security around certain functionalities: the Revised Directive on Payment Services (PSD2) contains a requirement for Strong Customer Authentication (SCA) for payment service providers within the EEA, and as of 31st December 2020 it is in full effect. Steps such as this move the industry towards scenarios where financial service providers achieve a level of due diligence around protecting their customers from scams simply by complying with regulations. Achieving compliance should put financial institutions in a position where the onus is shifted onto the consumer. At the end of the day, there is very little a third party can do if an individual is going to be flippant about handing out their own confidential data, or access to their accounts. A comparison at the extreme end of the scale, but one which illustrates the issue nonetheless: could you make a car theft claim if you left your car unlocked with the keys in the ignition?

A layered approach to SCA

The approach to SCA so far has been classified using three independent factors: something you know (passwords etc.), something you have (cards, specific devices, etc.), and something you are (biometrics), wherein a minimum of two factors, each from a different category, must be used for the authentication to count as SCA. With constant developments in technology, biometric authentication methods have become much more accessible. It is unlikely that a single specific method within one of those categories, such as voice authentication or facial recognition, will be made a mandatory feature for access, but a layered combination of methods that fall within the different categories is already part of the requirements, and it is likely to continue in that vein. It is possible that there could be a move towards favouring one category, such as biometrics, over the others.
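The two-categories rule above is easy to get subtly wrong in practice, so here is a small policy evaluator, added as an illustration and not taken from the article or from any institution's code. It assumes a constructed mapping from authenticator type to factor category (the mapping, the `evaluate_sca` function and the sample attempts are all assumptions of this example). It only counts authenticators that were actually verified, rejects two factors from the same category (password plus PIN is still one category), and fails closed on an authenticator type the policy cannot classify, which is deliberately where an email one-time code lands in this example since the article treats email-based MFA as an open question.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three independent SCA categories described in the article."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping for this example: which category each authenticator
# type belongs to. A real policy would be maintained by the institution.
# Note that "email_code" is intentionally absent (unclassified).
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "hardware_token": Factor.POSSESSION,
    "registered_device": Factor.POSSESSION,
    "payment_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}


@dataclass(frozen=True)
class ScaDecision:
    satisfied: bool
    categories: frozenset  # distinct Factor categories that were verified
    reason: str


def evaluate_sca(attempts, required_categories=2):
    """Decide whether a login attempt meets the two-category SCA rule.

    attempts: list of (authenticator_type, verified) pairs, where verified is
    True only if that authenticator was actually checked and passed.
    An unclassified authenticator anywhere in the attempt rejects it (fail closed).
    """
    verified_categories = set()
    for auth_type, verified in attempts:
        category = AUTHENTICATOR_CATEGORY.get(auth_type)
        if category is None:
            return ScaDecision(False, frozenset(verified_categories),
                               f"unclassified authenticator: {auth_type}")
        if verified:
            verified_categories.add(category)

    satisfied = len(verified_categories) >= required_categories
    if satisfied:
        reason = "SCA satisfied"
    else:
        reason = f"only {len(verified_categories)} distinct categories verified"
    return ScaDecision(satisfied, frozenset(verified_categories), reason)


if __name__ == "__main__":
    # Constructed login attempts (not real sessions)
    print(evaluate_sca([("password", True), ("fingerprint", True)]))   # satisfied
    print(evaluate_sca([("password", True), ("pin", True)]))           # same category
    print(evaluate_sca([("password", True), ("hardware_token", False)]))  # unverified
    print(evaluate_sca([("password", True), ("email_code", True)]))    # unclassified
```

The failing cases are the interesting ones: a second factor that was offered but never verified, or two factors that both belong to "something you know", should not be allowed to satisfy SCA, and the decision carries a reason so that the rejection can be logged and reviewed.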

Users’ email accounts throw more problems in the mix

Users' email accounts open another can of worms. Should MFA that relies on an email address be considered negligence on the user's part if they have failed to secure access to their email account properly? How would a financial institution establish whether that was the case? Weak or easily guessable passwords, a lack of MFA, and leaving email accounts signed in on shared or public computers are all common, easy pitfalls, and users often overlook how much the security of an email account matters to every account tied to it. Ensuring that a consumer's email account is secured should not be part of the operations or responsibilities of a financial institution. It once again comes back to the issue of basic awareness and understanding. If consumers agree to notices, or bypass warnings, regarding their own responsibility to abide by recommendations around MFA on related accounts or mismatch warnings, then the onus should be on the user, as in that case there is little else the institution can or should have to do to prevent the user from falling victim to cyber-attacks. Measures such as enforcing biometrics as the MFA factor could be one approach to avoiding this kind of issue, removing the security's reliance on a potentially unsecured email account.

The way forward

Wider universal education and awareness around cyber security, together with more widespread, mandatory implementation of security measures such as MFA, both for financial institutions and in areas outside the financial industry, would likely yield results, although they are fairly big asks. Broad awareness or understanding of the matter is unlikely to precede the enforcement of minimum authentication levels. Mandatory enforcement of such measures, and a shift in responsibility in certain scenarios, would make education on the matter a necessity that consumers seek out, rather than an often overlooked additional feature.
