Passwordless authentication: How financial institutions can solve the password problem
Passwords are still a major problem for the financial services industry. Because passwords are so easy to use, many institutions are reluctant to stop using them. The good news is, there is a better way. Modernizing your authentication stack with passwordless authentication provides an easier and more secure digital banking experience.
There is a lot at stake for institutions that don’t upgrade to passwordless authentication. For starters, it’s easy for criminals, hackers, or other bad actors to compromise passwords through brute force, credential stuffing, dictionary attacks, and phishing or social engineering.
Worse, managing passwords as an authentication factor has become a universally frustrating experience for customers. Between password resets and password reuse, people are looking for a better user experience. Research shows that the majority of consumers think a smooth, easy experience is important when choosing a financial service provider. Despite this, many banks still rely on the username/password combination to secure access to their products and services.
What’s notable is that tech firms have been leading the charge by modernizing with passwordless authentication methods such as facial recognition and other biometrics that strengthen security and deliver an easier customer experience. Firms like Microsoft, Google, and Apple are ahead of financial institutions when it comes to security standards. These corporations are dedicated to providing a superior customer experience by going passwordless.
The problem with passwords and password management
It is no secret that passwords are no longer a valid security mechanism for banks. The challenge is that regardless of demographics, consumers worldwide tend to use the same username and password combination across websites, even as account takeover attacks become more prevalent.
While there are many tactics criminals use to take over an account, using passwords puts banking customers at a much higher risk of social engineering attacks, like phishing, that lead to account takeover. The data is clear: according to Statista, banks are among the top three most targeted organizations for phishing attacks. Another report showed a 300% increase in phishing attacks targeting bank customers.
In the US, news columnist and professional organizer Marla Ottenstein shared her firsthand experience with account takeover. As she explains, it is a devastating experience:
“It’s called ‘account takeover,’ and TAKE OVER is exactly what they did. By hijacking my mobile phone and email accounts, the crooks were able to circumvent numerous email and text alerts, which were being sent to me by my bank and credit-card company, as well as by the mobile and cable companies, as the criminals systematically drained my checking account and ran up thousands of dollars worth of fraudulent charges on my credit card.”
The threat is real. Widely available phishing kits for sale on the dark web make it quick, easy, and cheap to host phishing sites to launch attacks. In fact, the dark web economy is growing with places like the Genesis Marketplace that not only sell usernames and passwords, but also the fingerprints that go along with the device. Having this type of information makes it possible for a bot to bypass most online access management security measures and successfully access and drain a victim’s bank account.
Mobile banking: The entry point for passwordless authentication
In 2024, 78% of US consumers prefer to use mobile or online banking. Similarly, Forrester Research’s Oliwia Berdak confirmed, “Forrester data shows that some 40% of French, 54% of Italian, and 54% of UK online adults have done their banking on a smartphone — via either the bank’s mobile website or app — in the past month.”
Yet, usernames and passwords tend to be too clunky for use on smaller devices like smartphones. Better alternatives pair multi-factor authentication (MFA) with a user-friendly experience and are more resistant to fraud attacks.
Here are a few of the most popular methods:
- Push notifications: This method provides an authentication code through a notification that pops up on the lock screen of a customer’s mobile device. Push notifications have proven to be much more secure than sending an OTP through SMS. Another option is to use a QR code that is sent via push, then scanned by a trusted mobile device and used to authenticate.
- Biometrics: Face and fingerprint scans are popular among consumers. Many are already using their device’s biometric authentication, via TouchID and FaceID, for example.
- FIDO: The FIDO Alliance is an industry organization with the clear-cut mission of eliminating passwords. The device-resident authenticators defined by its standards eliminate the need for passwords and serve as the underpinning for many passwordless authentication solutions.
With better user experience and security in mind, it’s clear why a growing number of banks are considering passwordless authentication solutions for their mobile users.
Use case #1: Passwordless login to online or mobile banking
Mobile has been the predominant way for consumers to bank for some years, especially since the beginning of the pandemic. At the same time, fraudsters are following suit and moving their criminal activity to the mobile channel. This makes it more important for banks to analyze the health and integrity of each consumer’s mobile device during the mobile banking login process and during transactions. Doing so can decrease the success rate of fraud attacks and, consequently, the risk of theft of customers’ money.
It’s imperative to put together a fraud prevention strategy that includes determining the health of the customer’s mobile device. To do this properly, financial institutions need to gather information such as the device ID, geolocation, operating system, and other data points. A fraud prevention system built on risk-based authentication can then take these data points and make instantaneous decisions that protect the consumer’s financial transactions.
What would a red flag in this kind of system look like? It can be something as simple as checking to see if the customer’s phone has been compromised by malware. A risk-based authentication system can then simplify the user experience because if there is no malware on the device, or if the client is doing a low-risk transaction, there won’t be a need to pass an authentication challenge.
As the banking industry moves into passwordless authentication, there are opportunities to educate customers to avoid misconceptions. One common misconception is that if username and password fields are not visible, then something must be wrong. Increasingly, security has become invisible to the customer as is the case with risk-based authentication.
For example, in the case of an existing customer, a relationship of trust has already been established. The bank knows the customer’s trusted device and has a history of the customer’s typical activity and behavior. Each time that a customer interacts with the bank, the bank can use technology such as fraud prevention rules and machine learning to assign a risk score to each action the customer takes during their online banking session. This score is used to determine whether to challenge the customer with a new authentication request, or not.
For a high-value or higher-risk transaction, the customer might be asked to confirm their identity or authorize a transaction by authenticating with a fingerprint scan. However, if the customer logs in at the usual time, from the usual geolocation, using the same authentication method, and does so on their trusted device, this together provides a high degree of assurance that it is, in fact, the legitimate customer. A risk-based authentication system would create a risk score based on parameters such as these and allow the customer to authenticate without a password.
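The risk-scoring logic described in the two paragraphs above, written out as an added example (it is not code from the article or from any vendor's product). The signals (trusted device ID, usual country, usual login hours, a device-integrity malware flag, transaction amount), the weights and the two thresholds are all assumed values chosen for illustration; a production engine would derive them from fraud rules and models rather than constants.

```go
package main

import "fmt"

// Decision is the outcome of scoring one login or transaction.
type Decision string

const (
	AllowPasswordless Decision = "allow-passwordless" // no challenge needed
	StepUpBiometric   Decision = "step-up-biometric"  // ask for a biometric/FIDO confirmation
	Deny              Decision = "deny"               // block and route to fraud review
)

// CustomerProfile is what the bank already knows about an established customer.
type CustomerProfile struct {
	TrustedDeviceIDs map[string]bool
	UsualCountry     string
	UsualLoginHours  [2]int // inclusive local-hour window, e.g. 7..22
}

// LoginContext carries the data points gathered from the device at login time.
type LoginContext struct {
	DeviceID       string
	Country        string
	LocalHour      int
	MalwareFlagged bool    // device-integrity check found malware or tampering
	AmountEUR      float64 // 0 for a plain login; >0 when authorizing a payment
}

// Risk weights and thresholds: assumed values for illustration only.
const (
	untrustedDeviceWeight = 40
	unusualCountryWeight  = 30
	unusualHourWeight     = 10
	highValueWeight       = 35
	highValueThresholdEUR = 1000.0
	stepUpThreshold       = 30
	denyThreshold         = 80
)

// Score returns a risk score for the context and the decision derived from it.
func Score(p CustomerProfile, c LoginContext) (int, Decision) {
	// A compromised device is a hard stop regardless of the other signals.
	if c.MalwareFlagged {
		return 100, Deny
	}
	score := 0
	if !p.TrustedDeviceIDs[c.DeviceID] {
		score += untrustedDeviceWeight
	}
	if c.Country != p.UsualCountry {
		score += unusualCountryWeight
	}
	if c.LocalHour < p.UsualLoginHours[0] || c.LocalHour > p.UsualLoginHours[1] {
		score += unusualHourWeight
	}
	if c.AmountEUR >= highValueThresholdEUR {
		score += highValueWeight
	}
	switch {
	case score >= denyThreshold:
		return score, Deny
	case score >= stepUpThreshold:
		return score, StepUpBiometric
	default:
		return score, AllowPasswordless
	}
}

func main() {
	profile := CustomerProfile{
		TrustedDeviceIDs: map[string]bool{"dev-trusted-01": true},
		UsualCountry:     "FR",
		UsualLoginHours:  [2]int{7, 22},
	}
	// Constructed sample events, not real customer data.
	events := []LoginContext{
		{DeviceID: "dev-trusted-01", Country: "FR", LocalHour: 9},                       // routine login
		{DeviceID: "dev-trusted-01", Country: "FR", LocalHour: 9, AmountEUR: 2500},      // high-value payment
		{DeviceID: "dev-unknown-77", Country: "BR", LocalHour: 3},                       // new device, new country, odd hour
		{DeviceID: "dev-trusted-01", Country: "FR", LocalHour: 9, MalwareFlagged: true}, // compromised device
	}
	for _, e := range events {
		s, d := Score(profile, e)
		fmt.Printf("device=%s country=%s hour=%02d amount=%.0f -> score=%d decision=%s\n",
			e.DeviceID, e.Country, e.LocalHour, e.AmountEUR, s, d)
	}
}
```

The routine login from the trusted device scores 0 and proceeds without any challenge; the high-value payment from the same device is stepped up to a biometric confirmation; the unknown device from an unusual country at an unusual hour and the malware-flagged device are denied. The malware check is evaluated first and short-circuits the rest, which is the "red flag" case the text mentions.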
Use case #2: Authorizing financial transactions using FIDO
Consider a customer paying a bill on their phone through their mobile banking app. Before processing the transaction, the bank asks the customer to confirm that the amount and the payee are accurate. In this instance, the bank uses biometrics to confirm the customer’s identity.
Banks should look for FIDO capabilities from their authentication provider. This allows you to leverage open standards and implement passwordless authentication to enhance the customer experience with modern biometric technologies.
An additional layer of security on top of this is a secure channel. A secure channel can be paired with FIDO to provide end-to-end encryption for the entire financial transaction. FIDO has proven to be a quick and easy tool that lets the customer own the authentication themselves: when they authenticate to any number of different applications, they use their own authenticator to do so.
FIDO-certified authentication methods are supported out-of-the box as they come to market. Because of the open standard, any application can work with any device and any authenticator. This gives organizations lots of options on how they want to approach customer authentication.
It’s worth noting that FIDO authenticators are not typically issued by a bank. Banks don't need to mail hardware tokens to their customers or ask them to download a FIDO application. FIDO support is already part of the Android and iOS operating systems and of the Microsoft environment. The FIDO protocol flow uses a number of components already on the device, most notably the biometric components.
When we do FIDO demo presentations, we typically show a user creating a transaction. They're asked to authenticate the transaction and they're shown the transaction data. The customer verifies and confirms that all the data is accurate. Next, the customer is prompted to use their biometrics to confirm and encrypt the transaction and send it back to the bank. This way the bank knows that no fraudster has intercepted and changed the transaction en route. Everything is legitimate and the bank can proceed.
FIDO has proven to be a great passwordless authentication tool in this case, because all the customer needs to do is a simple face scan.
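The transaction-confirmation flow described in the demo above, as an added example that is not the article's or any vendor's code: the bank issues a fresh random challenge together with the transaction data, the device shows that data, and only after the user approves does the device-resident key sign the challenge and transaction together; the bank then checks both the signature and that the signed transaction equals the one it sent. This is a simplified model of FIDO transaction confirmation using a P-256 key from Go's standard library (the biometric check is simulated by a boolean), not an implementation of the FIDO/WebAuthn wire formats; the type and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transaction is the data the bank shows the customer and expects back unchanged.
type Transaction struct {
	Payee     string  `json:"payee"`
	AmountEUR float64 `json:"amount_eur"`
	Reference string  `json:"reference"`
}

// ConfirmationRequest is what the bank sends to the customer's device.
type ConfirmationRequest struct {
	Challenge   []byte      `json:"challenge"`
	Transaction Transaction `json:"transaction"`
}

// ConfirmationResponse is what the device returns after the user confirms.
type ConfirmationResponse struct {
	SignedPayload []byte // canonical bytes the device actually signed
	Signature     []byte // ASN.1 ECDSA signature over SHA-256(SignedPayload)
}

// Authenticator stands in for the device-resident authenticator: the private key
// never leaves it and is only used after a local user-verification step.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register creates a key pair at enrolment; the bank stores only the public key.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}

// NewRequest (bank side) binds a fresh 32-byte random challenge to one transaction,
// so a signature for an earlier transaction cannot be replayed for this one.
func NewRequest(tx Transaction) (ConfirmationRequest, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return ConfirmationRequest{}, err
	}
	return ConfirmationRequest{Challenge: ch, Transaction: tx}, nil
}

// Confirm (device side) signs challenge and transaction together, but only after
// the user has seen the transaction and approved it (userApproved simulates the
// biometric prompt).
func (a *Authenticator) Confirm(req ConfirmationRequest, userApproved bool) (ConfirmationResponse, error) {
	if !userApproved {
		return ConfirmationResponse{}, fmt.Errorf("user declined the transaction")
	}
	payload, err := json.Marshal(req)
	if err != nil {
		return ConfirmationResponse{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return ConfirmationResponse{}, err
	}
	return ConfirmationResponse{SignedPayload: payload, Signature: sig}, nil
}

// Verify (bank side) accepts only if the signature is valid for the registered key
// AND the signed challenge and transaction equal what the bank originally sent.
// A payee or amount altered en route fails the signature; a replayed response
// from another transaction fails the challenge comparison.
func Verify(pub *ecdsa.PublicKey, sent ConfirmationRequest, resp ConfirmationResponse) bool {
	digest := sha256.Sum256(resp.SignedPayload)
	if !ecdsa.VerifyASN1(pub, digest[:], resp.Signature) {
		return false
	}
	var signed ConfirmationRequest
	if err := json.Unmarshal(resp.SignedPayload, &signed); err != nil {
		return false
	}
	return bytes.Equal(signed.Challenge, sent.Challenge) && signed.Transaction == sent.Transaction
}

func main() {
	auth, pub, _ := Register()
	// Constructed sample transaction, not real payment data.
	req, _ := NewRequest(Transaction{Payee: "Example Utility Co", AmountEUR: 120.50, Reference: "INV-2024-0042"})
	resp, _ := auth.Confirm(req, true)
	fmt.Println("genuine confirmation accepted:", Verify(pub, req, resp))
	tampered := resp
	tampered.SignedPayload = bytes.Replace(resp.SignedPayload, []byte("120.5"), []byte("9120.5"), 1)
	fmt.Println("amount altered en route accepted:", Verify(pub, req, tampered))
}
```

The point the demo makes is carried by Verify: the bank does not trust the transaction fields it receives back, it trusts only fields that were signed under the challenge it issued, with the registered key, which is why an intercepted-and-changed transaction is rejected.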
Use case #3: Bank wire transfer with QR or push notification
The benefits in terms of ease of use become quite clear when using a QR-like code for this use case.
The transaction is initiated by the bank and can’t be initiated or intercepted by a fraudster – especially one trying to infiltrate a bank account through phishing and social engineering.
Receiving a push notification is quite easy for the customer because they are used to opening push notifications from other apps. And because it’s coming through a secure channel, it’s much safer than SMS. The other important thing to point out here is that push notifications are encrypted, unlike SMS. For an attacker, push notifications are much harder to crack than SMS-OTP.
Closing thoughts
It's clear that the password has long since outlived its ability to provide any form of digital channel security, and that it now presents security vulnerabilities of its own.
The future belongs to passwordless authentication solutions. Look for a passwordless authentication solution that supports a broad range of hardware and software technologies (e.g., biometric authentication, push notifications, Cronto, and FIDO). This gives you flexibility in meeting customers’ needs and preferences across use cases.