Mobile banking offers considerable promise for genuine interaction with customers, as well as key differentiators for attracting Gen Y consumers. Simple but strong authentication is key to managing risk and ensuring continued success in the mobile market.
The first generation of strong authentication for mobile typically reused the same authentication factors as the online banking channel, a choice driven mostly by time to market and cost. The most common method at the time was traditional static challenge questions.
Later, new regulations and the spread of banking Trojans that compromised PC endpoints pushed banks to authenticate through a second, independent device. Mobile phones were the natural candidate, especially for consumers. Rather than target the growing smartphone market, many banks supported only devices that could receive SMS messages, and the SMS one-time passcode became the de facto two-factor standard for consumer online banking.
But what about mobile banking today? In most cases SMS one-time passwords (OTPs) were simply redeployed as the second factor, delivered to the same device that runs the banking app, so a compromise of that device (a malicious app holding SMS permission, or a SIM swap against the number) exposes both factors at once. Some institutions decided that SMS was not truly out-of-band on mobile and moved to knowledge-based authentication (KBA), also called dynamic challenge questions. KBA is no longer effective: the data aggregators that supply the questions have suffered breaches, and the answers can often be inferred from social media or bought outright. Besides being insecure and in many cases already compromised, neither SMS OTP nor KBA offers a native, intuitive experience on a mobile device.
To implement true mobile authentication, businesses need to think outside the box. Do not get stuck on the idea of "out-of-band": for a customer whose only device is the phone, a genuinely separate band does not exist, unless you are willing to hand hardware tokens to Gen Y customers so they can log in to mobile banking. Out-of-channel authentication is an effective alternative: a second channel of communication is established between the user and the financial institution, and that channel is used to validate the request made on the first. The test is whether the second channel can be read or answered by whoever controls the first. SMS fails it when the code is delivered to the device that made the request; KBA fails it because the "channel" is knowledge an attacker can obtain in advance. Neither is a valid out-of-channel method.
Financial institutions should look at technologies that are truly native to the smartphone, such as push notifications and biometrics. They are more secure and impose far less friction: the core of out-of-channel authentication is that the consumer authorizes a login or a transaction with a single tap on the phone. The push should carry the details of what is being approved (payee, amount) so the user confirms the actual request rather than a bare "approve?" prompt, and each approval should be bound to that one request so it cannot be replayed.
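The following Go program is an added example, not code from the original post or from any vendor, sketching the out-of-channel approval flow described above: the first channel submits a transaction, the bank records it and pushes a one-time challenge with the transaction details to the enrolled phone, and the single tap produces a signature under a key that never leaves the device. It goes slightly beyond the text by also showing the checks a server must make: the challenge is single-use, it expires, and the signature is verified over the transaction the server itself recorded, so an approval over tampered details or from an unenrolled device is rejected. The user name, transaction values, the use of Ed25519 and the two-minute window are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Transaction is the request the user made on the first channel (web or app).
type Transaction struct {
	ID     string
	Payee  string
	Amount int64 // minor units, e.g. cents
}

// canonical is the exact message the device signs: the fields shown to the user
// plus the one-time challenge, so an approval is bound to this request only.
func (t Transaction) canonical(challenge []byte) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("approve|%s|%s|%d|%x", t.ID, t.Payee, t.Amount, challenge)))
	return sum[:]
}

type pendingReq struct {
	tx      Transaction
	expires time.Time
}

// Server is the bank side. The clock is injectable so expiry can be tested.
type Server struct {
	devices map[string]ed25519.PublicKey // userID -> public key registered at enrollment
	pending map[string]pendingReq        // hex(challenge) -> request awaiting approval
	now     func() time.Time
}

func NewServer(now func() time.Time) *Server {
	return &Server{devices: map[string]ed25519.PublicKey{}, pending: map[string]pendingReq{}, now: now}
}

// Enroll stores the device public key; the private key never leaves the phone.
func (s *Server) Enroll(userID string, pub ed25519.PublicKey) { s.devices[userID] = pub }

// RequestApproval is called when the first channel receives a transaction. It records
// the request and returns the one-time challenge pushed with the details to the phone.
func (s *Server) RequestApproval(userID string, tx Transaction) ([]byte, error) {
	if _, ok := s.devices[userID]; !ok {
		return nil, errors.New("no enrolled device for user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(ch)] = pendingReq{tx: tx, expires: s.now().Add(2 * time.Minute)}
	return ch, nil
}

// Verify accepts the answer only if the challenge is known, unused and unexpired, and the
// signature verifies under the enrolled key over the transaction the server recorded itself.
func (s *Server) Verify(userID string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	req, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, key) // single use: a captured approval cannot be replayed
	if s.now().After(req.expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.devices[userID]
	if !ok || !ed25519.Verify(pub, req.tx.canonical(challenge), sig) {
		return errors.New("signature does not match enrolled device and recorded transaction")
	}
	return nil
}

// Device is the enrolled phone; Approve is what the single tap triggers after the app shows tx.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Device{priv: priv}, pub, err
}

func (d Device) Approve(tx Transaction, challenge []byte) []byte {
	return ed25519.Sign(d.priv, tx.canonical(challenge))
}

func main() {
	s := NewServer(time.Now)
	dev, pub, _ := NewDevice() // demo only: real enrollment code checks the error
	s.Enroll("alice", pub)
	tx := Transaction{ID: "tx-1001", Payee: "ACME Utilities", Amount: 125000} // constructed sample
	ch, _ := s.RequestApproval("alice", tx)
	sig := dev.Approve(tx, ch)
	fmt.Println("genuine approval:", s.Verify("alice", ch, sig))
	fmt.Println("replayed approval:", s.Verify("alice", ch, sig))
}
```

The design point is that the server never trusts what the phone says it displayed: it verifies the signature over its own record of the transaction, so if malware on the first channel (or in transit) alters the details, the user's tap produces a signature over the wrong message and the approval fails. In a real deployment the device key would live in the phone's secure hardware and be unlocked by the biometric the page mentions.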
The truth is that new applications and capabilities unique to mobile devices, such as mobile deposit capture, are appearing constantly and letting consumers do things once thought impossible. As a result, mobile banking brings its own set of challenges and is forcing businesses to retire authentication technologies that no longer work and replace them with ones that do.