In the financial industry, fraud is a natural and ever-present challenge. Digital banking and international finance have only compounded this problem, and anti-money laundering (AML) and fraud laws in the U.S. have evolved to address these issues.
In modern times, the overlap of identity management, authentication, and identity assurance has led to more comprehensive forms of authentication. These verification forms can differ based on the customers, the jurisdiction or industry, or even the technology used to make a payment or secure funds. But, all forms of authentication are purpose-built to ensure that technological systems can resist unauthorized access to financial information.
What Is Authentication?
Authentication is the process of comparing user-provided credentials against those associated with a unique system identity in order to grant access to the system. Since the advent of multi-user systems and networked environments, authentication has been the cornerstone of adequate security.
As new threats and vulnerabilities have emerged, forms of authentication have evolved alongside them. Some common forms of authentication include:
- Password Authentication: The meat and potatoes of authentication, username/password combinations are the most common identity verification approach. It’s an easy-to-implement solution that can resist basic attacks with the right level of complexity. However, standalone password protection is susceptible to brute force and social engineering attacks.
- Biometric Authentication: The use of biometrics (fingerprints, facial scans, etc.) has rapidly increased with the implementation of inexpensive and accurate biometric scanners. Biometrics are much stronger than password systems and provide the added advantage of resisting identity spoofing.
- Token Authentication: Tokens are generated values, most often used in multifactor authentication setups. They can take the form of code embedded in a user’s browser, a value generated by a hardware device held by the user, or a one-time password delivered to an authenticator app or over SMS.
- Multi-Factor Authentication (MFA): Multi-factor authentication requires using two or more verification forms across multiple categories. For example, the most common forms of MFA in the consumer space (and in many enterprise applications) require an initial username/password login followed by either biometric verification or a mobile phone verification app.
- Single Sign-On (SSO): A form of federated identity management, SSO uses an identity provider (often a third party) to authenticate a user across multiple platforms or accounts. The work of authentication is outsourced without sacrificing accuracy, and the result of that authentication is communicated securely to otherwise unrelated systems.
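A worked implementation of the one-time-password tokens described above: HOTP (RFC 4226) and time-based TOTP (RFC 6238), plus the verifier-side check that an authentication server performs, with a small clock-skew window and rejection of replayed codes. This is an added example, not code from the original article or from Continuum GRC; the shared secret is the RFC test-vector key, not a real one.

```python
import hashlib
import hmac
import struct

# Constructed: the RFC 4226 / RFC 6238 test-vector secret, used only so the
# outputs can be checked against the published vectors. Never use it for real.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP per RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step=None, window: int = 1,
                digits: int = 6, step: int = 30):
    """Server-side check. Returns (accepted, step_to_record).

    - Tolerates +/- `window` time steps of clock drift between client and server.
    - Refuses any step at or before the last accepted one, so a code that was
      already used (e.g. captured and resubmitted) is rejected even inside the window.
    - Uses a constant-time comparison so timing does not leak matching digits.
    """
    current_step = unix_time // step
    for drift in range(-window, window + 1):
        candidate_step = current_step + drift
        if last_used_step is not None and candidate_step <= last_used_step:
            continue  # already consumed: replay protection
        expected = hotp(secret, candidate_step, digits)
        if hmac.compare_digest(expected, str(submitted)):
            return True, candidate_step
    return False, last_used_step
```

After a successful check the caller must persist the returned step against the user so the replay rule has state to work from on the next login.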
What Are Methods of Identity Verification in Finance and Government?
The requirements for authentication in government and finance have radically changed over the decades. Perhaps the most drastic changes have come in response to increased demand for AML capabilities.
To address these challenges, banks and other organizations implemented essential Know Your Customer (KYC) capabilities to verify a customer during the onboarding process. After 9/11, Congress passed the Patriot Act, which included language to strengthen and formalize KYC actions.
At the heart of KYC and AML are different forms of assurance, defined in the National Institute of Standards and Technology (NIST) Special Publication 800-63-3, “Digital Identity Guidelines”:
- Authentication Assurance: This assurance metric represents the strength of the authentication methods used to protect a system. The lowest Authenticator Assurance Level (AAL) allows single-factor authentication, including a password, secret, or physical authenticators using tokens. A system must use MFA at the highest levels, including a required hardware-based authenticator.
- Identity Assurance: This assurance metric refers to the steps an organization takes to prove that the user is who they claim to be, outside the act of authentication itself. Identity Assurance Levels (IAL) require only self-asserted identity at the lower end and, at the higher end, in-person identity proofing and the presentation of certified documents for identity verification.
These factors rarely impact consumers but feature heavily in business-to-business banking, institutional investment, and partnerships between banks and government agencies.
What Are Methods of Authentication for Cardholder Data?
For retailer, merchant, and payment processing systems that contain financial information, the Payment Card Industry Data Security Standard (PCI DSS) defines authentication requirements for employees and vendors accessing any system that holds cardholder data.
The essentials of such requirements are:
- At a minimum, all user access must be authenticated by Two-Factor Authentication (2FA). This requirement includes remote network access or local access to covered resources.
- Password-based authentication must include mechanisms that force users to create complex passwords and to reset them regularly. Furthermore, users may not reuse a previous password until a sufficiently long period has passed.
- Authentication credentials must be encrypted to prevent theft.
What Are Authentication Methods Used to Process Payments?
Authenticating users at the point of sale presents some challenges, namely that, in most cases, the customer may not be present with their card. The rise of eCommerce and mobile purchasing has driven the necessity of more advanced authentication that can use customer data to verify the user and prevent fraudulent behavior based on otherwise legitimate credentials.
To combat the challenges of fraud, the credit card and payment processing industry (as well as government agencies) have introduced several different approaches to customer authentication at the point of sale:
- 3D Secure 2: Created by Visa, 3D Secure 2 uses risk-scoring algorithms to determine the risk of a particular transaction. If the risk score warrants it, additional information can be requested from the user, including information stored by the card issuer or data collected from the user’s device, for example a biometric verification for an in-app purchase.
- Europay, Mastercard, Visa (EMV): Best known as the “smart chip,” EMV is the physical chip that almost every new credit card carries. It serves much the same function as the older magnetic stripe, with far more robust security and authentication controls.
- Strong Customer Authentication: While the term “strong authentication” seems generic, in the EU, it refers to the regulation of “Strong Customer Authentication,” or SCA. SCA defines basic requirements for authentication at the point of sale, including MFA and additional measures to verify identity. Different technologies can meet the SCA requirements, including 3D Secure 2.
Ensure Compliant and Secure Authentication with Continuum GRC
The front line of cybersecurity is authentication, and your organization cannot count on any other security measure if identity verification isn’t working to keep unauthorized users out of the system. Fortunately, automated cloud compliance platforms like Continuum GRC can support your ability to implement and track proper authentication controls for all relevant systems.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.