How to Protect User Data with Two-Factor & Multi-Factor Authentication
Passwords just don’t cut it these days if you’re a financial institution.
As more transactions take place online, more bad actors move into, and level up in, the digital space. And though the consumer suffers losses in the end, the one who has to refund the customer, handle fraud investigations, and absorb the potential damage to its reputation is the bank.
If users have to use two-factor authentication to log into their social media, they need something even more advanced for their bank, especially if they’re one of the many who reuse the same password across multiple sites, which makes a data breach at any one of those sites far more damaging.
So, how do you prevent bad actors from stealing your customer’s money?
First, make sure they’re required to use a strong and unique username and password. Strong passwords are the first line of defense for your users, so even if they’re not the best line of defense, it’s important users do the following:
- Have them vary usernames and passwords from other sites
- If possible, don’t let them use the same username as their email
- Longer passwords are always better, because they give a password-cracking program far more combinations to guess
- Substituting “0” for “o” or “!” for “i” is a common trick that bad actors can guess quickly, so it adds little. Have users place special characters in less predictable positions instead.
Second, enable two-factor authentication. As a financial institution, you should offer two-factor authentication or multi-factor authentication as a necessary second line of defense for your cybersecurity program.
What exactly is two-factor authentication?
Two-factor authentication (2FA) is a way to verify someone’s identity through two different metrics. Typically, the first factor is the user’s login info, and the second factor is a verification code sent to the customer’s phone via a text message or an app, or even through email. Sometimes the site they’re logging into may review their location data or the device they’re using to log in, and if either is recognized, other authentication steps are waived.
Most banks require this level of security for logging in, and for completing online transactions or changes.
Have users avoid email authentication when possible. If bad actors can access banking login info, they can likely access email login info, which renders email 2FA near useless.
What is multi-factor authentication?
Multi-factor authentication (MFA) is when multiple verification steps are required in order to make a transaction or access account information.
It’s another version of two-factor authentication.
Ultimately, you can break both 2FA and MFA down into three pillars:
Something you know
This is also called the “knowledge factor,” and could be the customer’s username, password, or even the answer to their security question. Personal identification numbers (PINs) and one-time passwords (OTPs) also fall into this category.
Something you are
This is also known as the “inherence factor.” It’s the user’s biometric data, and is most commonly used for mobile authentication.
This looks like the user’s thumbprint, FaceID, or even a retinal scan.
Something you have
This is also known as the “possession factor.” Users must physically possess this to access information.
This could be a physical key (a hardware token) or a software key. For mobile logins, this could also be a code generated through a one-time password app.
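The one-time password app mentioned above is, in nearly every case, an implementation of the HOTP/TOTP standards (RFC 4226 and RFC 6238): the phone and the bank share a secret at enrolment, and both derive the same six-digit code from that secret and the current 30-second time slot. The example below is added here to show both halves, the code generation and the server-side verification, and is not code from the original article or from any vendor it mentions. The verifier adds the three checks a bank’s backend should never skip: a constant-time comparison, a small clock-drift window, and single-use enforcement so that a code which has already been redeemed (for instance one relayed by a scammer) is rejected. The shared secret used in the demo is the published RFC 6238 test-vector seed, not a real credential.

```python
# Added example (not from the original article): minimal RFC 4226 / RFC 6238
# one-time-password generation plus the server-side checks a bank would want.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second slots since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier; `used` remembers which time slots have already been redeemed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window  # slots of clock drift tolerated on each side of "now"
        self.used = set()

    def verify(self, candidate: str, unix_time: int) -> bool:
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self.used:
                continue  # already redeemed: a replayed code must not work twice
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):  # constant-time compare
                self.used.add(counter)
                return True
        return False


# Constructed demo value: the RFC 6238 test-vector seed, not a real credential.
RFC_SEED = b"12345678901234567890"


def demo() -> dict:
    """Generate the code for the RFC test time (t=59) and run it through the verifier."""
    verifier = TotpVerifier(RFC_SEED)
    now = 59
    code = totp(RFC_SEED, now)
    return {
        "code": code,
        "first_use": verifier.verify(code, now),
        "replay": verifier.verify(code, now),      # the same code a second time is rejected
        "wrong": verifier.verify("000000", now),
    }


if __name__ == "__main__":
    print(demo())
```

In production the `used` set should be pruned to the current window (or stored per user with an expiry) rather than growing forever, and verification attempts should be rate-limited per account, since a six-digit code with a drift window of one slot gives an attacker three valid answers out of a million per attempt.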
Why are 2FA and MFA so important for banks and financial institutions?
The rise of the internet means the rise of online hacking. In 2022,[1] 30,000 websites were hacked daily, and 64% of companies worldwide experienced at least one form of cyber attack. In 2021, ransomware cases increased by a whopping 97%.
At the start of the 2010s,[2] when cybercrime first started to peak, trillions of dollars were lost. Since then, the amount of money large corporations spend on cybersecurity has only continued to grow.
Bad actors are always improving their methods to access online banking accounts, so financial institutions have to match them stride for stride to keep users safe.
By requiring customers to use multiple forms of authentication, sensitive data and assets are kept much better protected.
However, this technology can only keep users safe if they opt in. Make sure users are aware of the different services available, and keep your security program updated as new attack trends emerge.
One of the best ways to defend users from bad actors, besides beefing up your digital security, is raising end-user awareness.
A common scam users might be faced with is the following:
- First, bad actors acquire a customer’s username and password, then manipulate the customer into handing over their access code.
- They do this by impersonating the bank: they tell the user that suspicious activity has been flagged on their account and that they must provide their access code to prove their identity.
- The scammer then attempts to log in, and the user unknowingly passes the resulting access code back to them.
- Doing this almost always results in stolen money and leaves the user a victim of identity theft.
Email phishing scams are also common. Hackers will pretend to be relatives or even a government body, and they will typically request money in the form of gift cards. Bad actors can also make a fake version of the bank site and send users a slight variation of the bank URL to prompt them to log in.
How should you avoid this? Tell your users that your bank or financial institution will never ask customers for their access code. Codes should only ever arrive when the user is actively completing a 2FA or MFA prompt.
The future of 2FA and MFA for financial institutions and more
SecureAuth[3] found in a 2017 survey that 74% of users found 2FA annoying, and 10% admitted that they “hate it”.
For better or for worse, two-factor authentication and multi-factor authentication are both here to stay.
With that said, security professionals are still working to make authentication so seamless that it seems invisible. Companies like Pindrop, a Bandwidth partner, have started using biometric authentication: when a customer calls a contact center, analyzing their voice, their location, the device they’re calling from and other background signals is enough to passively authenticate the caller.
Always consider who your high-value targets are, like attorneys or even HR staff with access to personnel records, and make sure that data is well protected. More and more organizations will start using phishing-resistant MFA,[4] such as FIDO or WebAuthn authentication. Increasing security and communication with users can only help you.
These new forms of authentication add another layer of “something that you have” protection in the form of biometrics, PIN codes, or tokens. Migrating users to a phishing-resistant MFA system will be difficult because of the training and support required, so expect this transition to be slow.
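What makes FIDO/WebAuthn phishing-resistant, where the access codes in the scam described earlier are not, is origin binding: the browser, not the web page, records which site the user is really talking to, the authenticator signs over that record together with a fresh server challenge, and the bank refuses any assertion whose recorded origin is not its own. A relayed text-message code carries no such information, which is why the scam above works. The example below is added here to show that relying-party check and is not code from the original article, from Pindrop or from the FIDO specifications; to keep it dependency-free, the authenticator’s public-key signature is stood in for by an HMAC over a per-credential secret (an assumption for the demo; real authenticators use an asymmetric key pair), and the origin `https://bank.example` is constructed.

```python
# Added example (not from the original article or any vendor it names): a simplified
# WebAuthn-style relying-party check showing why origin binding defeats look-alike sites.
# The signature is simulated with HMAC over a per-credential secret (demo assumption).
import hashlib
import hmac
import json
import secrets

BANK_ORIGIN = "https://bank.example"  # constructed relying-party origin


def new_challenge() -> str:
    """Fresh per-login challenge; the server stores it and expects it back exactly once."""
    return secrets.token_hex(16)


def authenticator_sign(credential_secret: bytes, browser_origin: str, challenge: str) -> dict:
    """Client side: the browser fills in the origin it is actually on; the authenticator signs over it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    )
    digest = hashlib.sha256(client_data.encode()).digest()
    signature = hmac.new(credential_secret, digest, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def relying_party_verify(credential_secret: bytes, expected_challenge: str, assertion: dict) -> tuple:
    """Server side, in the order a relying party performs the checks; returns (ok, reason)."""
    try:
        data = json.loads(assertion["client_data"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed client data"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if data.get("origin") != BANK_ORIGIN:
        # This is the phishing-resistance property: the user may have been tricked,
        # but the browser recorded the real origin and the signature covers it.
        return False, "origin mismatch: assertion was produced for %s" % data.get("origin")
    digest = hashlib.sha256(assertion["client_data"].encode()).digest()
    expected_sig = hmac.new(credential_secret, digest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion.get("signature", "")):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Three logins with the same user, same key and same challenge; only the genuine one passes."""
    cred = secrets.token_bytes(32)  # constructed per-credential key registered at enrolment
    challenge = new_challenge()
    genuine = authenticator_sign(cred, BANK_ORIGIN, challenge)
    lookalike = authenticator_sign(cred, "https://bank-login.example", challenge)  # constructed
    return {
        "genuine": relying_party_verify(cred, challenge, genuine),
        "lookalike": relying_party_verify(cred, challenge, lookalike),
        "replayed": relying_party_verify(cred, new_challenge(), genuine),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check order matters for the same reason it does in the real protocol: the challenge test stops replays of an old assertion, the origin test stops assertions minted on another site, and the signature test stops anyone who has neither the device nor the credential from forging either. A real deployment also verifies the RP ID hash and signature counter carried in the authenticator data, which this demo omits.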