This Forbes article starts by discussing how customers may need to be educated about the increased usage of two-factor authentication, especially if that authentication is implemented at every touch point regardless of risk – which shouldn’t be the case. It then makes a recommendation that I disagree with:
“Having every part of the authentication process happen within one app is key to delivering a quick and simple experience. Rather than being limited to fingerprints and facial recognition – or sci-fi style retina scans – authenticating what someone “is” can be as simple as a photo or video taken on your phone’s camera.
There are two ways this may take shape. The first starts long before a specific transaction is attempted, at the point when a customer is first being onboarded. Banks already use identity verification technology to verify a photo of a new customer against their ID document – to ensure compliance with Know Your Customer regulations. Thanks to this, they can keep the ID document on file, and ask for a new photo to verify against it whenever a transaction prompts SCA authentication. This covers off the ‘what you are’ and ‘what you have’ within one app, and within a short space of time.
The second could be used for larger, more high-risk transactions, where the whole identity verification process happens at the time of the transaction. For customers transferring large amounts of money to a new payee, the process of taking a selfie and a picture of your drivers’ licence is an extra step worth taking – after all, two-thirds (66%) of consumers say that they appreciate security “hurdles” because it makes them feel better-protected.”
I would urge the use of FIDO to leverage the native biometric already on the smartphone. Implemented in the secured banking app, this should be strong enough to protect the vast majority of user accounts. Banks should also be moving to a risk-based approach to challenges.
Challenging a customer who adds a huge cable company to bill pay probably doesn’t make sense. That said, if the challenge is implemented such that it is identical to the natural use of the phone, it will create less friction than suddenly asking for a new form of authentication such as a selfie.
Now is the time to start your transition to the security inherent in a properly secured smartphone because that’s the way the world is going!
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group