Authentication is critical to business operations in the financial services and insurance (FSI) industry, which handles highly sensitive information. Organizations must verify the identity of clients and broker-dealers before granting access to personal or financial data.
However, the need for secure authentication doesn't mean the authentication process should be inconvenient. A well-designed authentication system ensures security and regulatory compliance while minimizing friction in the user experience.
Current problems with broker-dealer and client authentication
Authentication systems for broker-dealers and clients face numerous challenges. Some of the common problems in current authentication systems include the following.
Multi-factor authentication (MFA) was initially designed to bolster the security of passwords. By combining a password with another authentication factor, such as a one-time password (OTP) sent to or generated on a device, the goal was to make account takeover attacks more difficult. However, a second factor that the user has to read and type adds less than it appears to. Many customers rely on weak or reused passwords, and a password plus an SMS or app-generated OTP stops credential stuffing but not a real-time phishing proxy, which simply relays both secrets to the real site within the OTP's validity window.
As a result, cybercriminals bypass first-generation MFA with phishing kits that relay the password and OTP in real time, and SMS codes are additionally exposed to SIM-swap attacks. With the high stakes of compromised accounts in the financial services and insurance industry, stronger account security is vital.
In addition to security issues, legacy MFA also creates a high-friction authentication experience for broker-dealers and clients. Users must know and type a long, random password and then enter a code from another device. If that device is not at hand or the code is delayed, the result is significant friction and dissatisfaction.
Broker-dealers are especially impacted by friction in the authentication process because they often need to perform authentication multiple times each day. Like clients, broker-dealers may choose to work with competitors in response to a poor user experience.
The financial services sector is one of the most highly-regulated industries. Because financial services firms have access to sensitive data and users’ funds, financial regulations require organizations to properly control and secure access to their data and user accounts.
If a financial services firm lacks strong authentication mechanisms for clients and broker-dealers, it could be vulnerable to account takeover attacks and subject to regulatory penalties. For example, poor MFA implementation and security practices may result in penalties from the New York Department of Financial Services (NYDFS), whose cybersecurity regulation requires MFA, or under the Strong Customer Authentication (SCA) requirement of the EU Revised Directive on Payment Services (PSD2).
Costs of password resets
Password resets are a sign that an authentication system has failed and can incur significant costs to an organization. The password reset process is designed to bypass the normal authentication path and forces the user through a time-consuming, high-friction procedure to regain access to their account. Often, this involves contacting the customer support team to resolve the issue and restore access. Because the reset path bypasses the normal login, it is also a favorite target for attackers, who social-engineer support staff or abuse weak recovery questions instead of attacking the password itself.
Password resets are common because users sign in frequently and unique passwords are difficult to remember. Resets incur significant costs to the organization in the form of service requests and may cause churn if a poor user experience drives broker-dealers or clients to a competitor.
Designing the Ideal Authentication Solution
Your authentication solution should prevent unauthorized parties from accessing user accounts while minimizing friction for legitimate users.
Secure, compliant authentication
The primary goal of MFA is to protect users from account takeover attacks while maintaining regulatory compliance. To accomplish this, your authentication system should have these capabilities:
- Phishing resistance: Phishing is the most common way attackers steal passwords and MFA codes. A phishing-resistant MFA system gives the user no secret to type, and its authenticator binds each response to the origin it is actually connected to (as FIDO2/WebAuthn does), so a challenge relayed through a lookalike site produces a response the real site rejects.
- Risk-based step-up authentication: Broker-dealers and clients perform actions that pose varying levels of risk to their accounts and the business. Authentication systems should offer risk-based step-up authentication, requiring a fresh, stronger assertion that is tied to the specific high-risk operation (such as a wire transfer) while not burdening a user performing lower-risk activities.
- Identity and device binding: Account takeover attacks typically take place on an attacker-controlled device. Your access policy should limit the devices a broker-dealer is able to use to perform certain actions. You can cryptographically bind identity to a device by generating a key pair on that device at enrollment, registering only the public key, and then authenticating both the user and the device before granting access to the account.
Many traditional MFA systems are high-friction. Maintaining, recalling, and inputting a unique password is difficult for users. MFA that relies on OTPs, magic links, or text messages also makes the organization depend on services and infrastructure outside its control: SMS can be intercepted through SIM swapping or carrier-network weaknesses, and a magic link is only as strong as the login protecting the user's mailbox.
Minimizing the friction in the user authentication experience can:
- Create greater customer satisfaction: Password-based authentication can be a painful and time-consuming process for users, especially if they need to go through a password reset process. Eliminating that friction creates a better overall user experience and improves customer satisfaction.
- Decrease drop-off: A high-friction authentication process is a common cause of drop-off as customers decide that creating an account, logging in, or resetting their password is more trouble than it is worth. Low-friction authentication removes that barrier and can increase customer retention.
- Reduce support costs: Password resets are a high-friction interaction that generates significant customer support costs. Eliminating the friction of passwords and password resets decreases the costs of authentication.
Passwordless MFA offers ideal authentication
Passwordless MFA eliminates passwords and every other factor the user has to read and type. Instead, the authentication process relies on an asymmetric key pair stored on a trusted device, unlocked locally by a biometric or device PIN: the biometric never leaves the device, the private key never leaves the device, and the server verifies a signature over a fresh challenge with the public key it registered at enrollment. That single signature proves both who the user is and which device they are using.
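As an added example (not code from the original page, nor Beyond Identity's implementation), the following Go program walks through the device-bound key flow described in this section and in the phishing-resistance, step-up and device-binding capabilities listed above: the device generates a key pair at enrollment and sends only the public key; the server issues a random single-use challenge; the device signs the challenge together with the origin it is actually connected to and the action being authorized; the server verifies the signature against the registered key and rejects anything signed for a different origin or a different action. The origin `https://portal.example.com`, the lookalike `https://portal-example-login.net`, and the user and credential IDs are constructed for the example, and the in-memory ed25519 key stands in for a key held in a TPM or Secure Enclave behind the local biometric.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// RelyingParty is the firm's login server. Per credential ID it keeps the user,
// the device-bound public key sent at enrollment, and one outstanding challenge.
type RelyingParty struct {
	Origin     string // the only origin assertions are accepted for
	users      map[string]string
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]string{}, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Device stands in for the enrolled device's private key (in practice held in a TPM or Secure Enclave).
type Device ed25519.PrivateKey

// ClientData is what the device signs. Recording the origin the device is really
// connected to is what defeats relay phishing: a challenge proxied through a
// lookalike site is signed under the lookalike's origin and the real server rejects it.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
	Action    string `json:"action"` // "login", "wire-transfer", ...; step-up binds the action too
}

// Register enrolls a device for a user; only the public key reaches the server.
func Register(rp *RelyingParty, userID, credID string) Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	rp.users[credID], rp.keys[credID] = userID, pub
	return Device(priv)
}

// IssueChallenge starts an authentication with a fresh 32-byte random nonce.
func (rp *RelyingParty) IssueChallenge(credID string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[credID] = c
	return c
}

// Sign is the device side; seenOrigin is whatever origin the client is talking to.
func (d Device) Sign(challenge []byte, seenOrigin, action string) (clientData, sig []byte) {
	clientData, _ = json.Marshal(ClientData{Challenge: challenge, Origin: seenOrigin, Action: action})
	return clientData, ed25519.Sign(ed25519.PrivateKey(d), clientData)
}

// Verify returns the user ID only if every check passes: registered key, valid signature, unused matching challenge, own origin, expected action.
func (rp *RelyingParty) Verify(credID string, clientData, sig []byte, expectedAction string) (string, error) {
	want := rp.challenges[credID]
	delete(rp.challenges, credID) // single use, whether or not the rest passes
	pub := rp.keys[credID]
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, clientData, sig) {
		return "", errors.New("unknown credential or bad signature")
	}
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return "", err
	}
	if want == nil || !bytes.Equal(cd.Challenge, want) {
		return "", errors.New("challenge missing, mismatched or already used")
	}
	if cd.Origin != rp.Origin {
		return "", fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.Origin)
	}
	if cd.Action != expectedAction {
		return "", fmt.Errorf("action mismatch: signed %q, expected %q", cd.Action, expectedAction)
	}
	return rp.users[credID], nil
}

// Scenario runs a legitimate login, then a relayed (phishing) login with the same device, and reports whether each was accepted.
func Scenario() (legitOK, phishOK bool) {
	rp := NewRelyingParty("https://portal.example.com") // assumed origin; IDs below are constructed
	dev := Register(rp, "broker-7731", "cred-1")
	cd, sig := dev.Sign(rp.IssueChallenge("cred-1"), rp.Origin, "login")
	_, legitErr := rp.Verify("cred-1", cd, sig, "login")
	// The attacker's proxy fetches a real challenge and relays it, but the victim's device signs under the lookalike origin it sees.
	cd, sig = dev.Sign(rp.IssueChallenge("cred-1"), "https://portal-example-login.net", "login")
	_, phishErr := rp.Verify("cred-1", cd, sig, "login")
	return legitErr == nil, phishErr == nil
}

func main() { fmt.Println(Scenario()) } // prints: true false
```

Running it with `go run` prints `true false`: the direct login is accepted and the relayed one is rejected, even though the attacker held a genuine challenge and a genuine signature. With an SMS or app OTP the same relay would have succeeded, because a six-digit code carries no record of where the user typed it. The `Action` field is the step-up hook: an assertion the user signed for "login" cannot be replayed to authorize a "wire-transfer", so a high-risk operation can demand its own fresh, action-bound signature.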
By switching to passwordless authentication, an organization achieves the benefits of an ideal authentication solution: strong, compliant authentication with minimal friction, and no costly and painful password reset process, because there is no password to forget.
Beyond Identity’s passwordless authentication system makes it easy to implement strong authentication with support for risk-based, step-up, and continuous authentication. Learn more about how you can improve the security and satisfaction of your clients and broker-dealers by signing up for a free demo today.