Passwordless Authentication: The New Shift in Cybersecurity Bound to Revolutionize Fintech
Cybersecurity is a major concern for every organization that has even the smallest digital presence today, and even more so for the financial services sector because of the sensitivity of the information that companies in the sector process. Moreover, 19% of cyber attacks target FinTech.
The new turn in cybersecurity will revolutionize fintech
As such, financial services companies need to take extra steps to protect their customers and their business. For years, extremely weak passwords like 123456 or easily guessed passwords have left accounts at high risk.
People have been bad password stewards.
People as a whole have been lax about their passwords, leaving organizations, FinTechs especially, to step up by replacing passwords with passwordless authentication solutions.
Scalability of cybersecurity
Scalability is a key factor in developing an effective cybersecurity strategy today.
Scalability matters because, as the WEF FinTech Cybersecurity Consortium puts it, cybersecurity solutions should have cross-border applications “so that a FinTech can use recognized best cybersecurity practices to facilitate entry into new markets and grow in full security as it develops”.
Authentication without passwords
Weak passwords caused 30% of ransomware attacks in 2019. For FinTechs, several modern options compete and offer better protection than passwords. In addition, they are scalable in a way that passwords are not, making them effective protection solutions.
Providing financial services is a risky business. Financial crime and fraud have a long history and have grown stronger since the digitalization of financial services.
According to McKinsey, the lines between cyber breaches, fraud and financial crime are becoming increasingly blurred. FinTechs must constantly reassess their cybersecurity and authentication profiles to stay protected.
Image Credit: McKinsey
Passwordless authentication is a product of the FIDO2 project, an open authentication standard that builds on previous work on web authentication by the FIDO Alliance and is carried out in collaboration with the World Wide Web Consortium.
The FIDO2 specifications therefore consist of the W3C Web Authentication (WebAuthn) specification and the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
One of the main mandates of the European Banking Authority’s revised Payment Services Directive (PSD2), which entered into force in 2018, was to get fintechs and other payment processors to adopt tighter and more modern security authentication requirements, including multi-factor authentication.
Fundamentals of Passwordless Authentication Systems
Many passwordless authentication systems use a two-factor (or multi-factor) model in which a cryptographic key pair, consisting of a public key and a private key, is generated. The public key is stored at the service provider, but on its own it is useless: the two keys form a unique pair, the private key is held only on the user’s side, and it is the private key that unlocks what the public half of the pair protects.
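As an added illustration that is not part of the original article, the Go program below models this registration and login flow with an ECDSA key pair: the service keeps only the public key, issues a fresh random challenge for each login, and accepts only a signature produced by the matching private key. The type and function names, the user name and the challenge size are choices made for this example, not anything prescribed by FIDO2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RelyingParty is the service-provider side: it stores only public keys and unconsumed challenges.
type RelyingParty struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}
func NewRelyingParty() *RelyingParty {
	return &RelyingParty{map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}
// NewAuthenticator is the user side: the private key is created on the device and
// never leaves it; only the public half goes to the service at registration.
func NewAuthenticator() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// Register stores the public half; without the private key it is useless to a thief.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }
// Challenge issues a fresh 32-byte random nonce for a single login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}
// ClientSign is the authenticator's job: sign the challenge with the private key.
func ClientSign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// Verify checks the signature against the registered public key and the outstanding
// challenge; the challenge is consumed first so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	pub, known := rp.pubKeys[user]
	c, issued := rp.challenges[user]
	delete(rp.challenges, user)
	h := sha256.Sum256(c)
	if !known || !issued || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("unknown user, no outstanding challenge, or bad signature")
	}
	return nil
}
```

A breach of the service's database exposes only public keys and spent challenges, which is the point the section makes about the public half being useless on its own.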
Alternatives without passwords
Even on the user side, people are now more inclined toward passwordless alternatives for security authentication. In a Visa survey released in January 2020, 53% of participants (credit card holders) said they would be willing to switch financial service providers if their bank did not offer biometric authentication based on fingerprints and facial features. The main reasons given for this choice are:
- No need to remember passwords anymore (42%)
- Improved password security (34%)
- Not forgetting or losing an authentication method (33%)
Note that the main reason given is convenience. Many people have to memorize dozens of passwords at once, which does not make for the best user experience.
The future of digital security authentication in fintech
The future of digital security authentication in fintech offers high level security and fraud prevention without sacrificing convenience. Indeed, user experience is listed as one of the building blocks of a future-proof authentication framework, according to a report by the World Economic Forum. Others include:
- Security – of course, the logical first choice. Authentication in the financial services industry should primarily focus on preventing fraud (website hovering, etc.).
- Confidentiality – Inherence- and possession-based authentication factors move the storage of authentication information to the user side, releasing the service provider to some extent from liability in the event of a breach.
- Scalability – a passwordless authentication solution should be able to handle high growth rates.
Huge Benefits of Passwordless Authentication
Whichever perspective you view it from, user side or server side, passwordless authentication has immense benefits for both users and service providers. Passwords are being phased out. Fintechs need to audit their cybersecurity strategy and implement more secure solutions designed to mitigate modern cybersecurity risks and reduce digital fraud in the financial services industry.
Note that passwordless authentication does not make a system resistant to every form of attack. As has always been the case with the introduction of new technologies, cyber attackers are also refining their tactics and looking for new vulnerabilities to exploit. Even so, passwordless authentication remains more secure than password-based systems.
There are, however, entry points for attackers beyond authentication: insider threats and backend breaches remain huge risks, and fintechs need to close all of these holes to achieve 360° security.