Money20/20 all about authentication: Here’s how to focus
NEW YORK, N.Y. – When you attend a conference as large as Money20/20, it is easy to get overwhelmed by the number of companies offering a solution to the issue of the day.
In 2015 the popular topic was authentication. How do you make it safer? How do you make it more convenient?
Encap Security CEO Thomas Bostrøm Jorgensen advises companies to have knowledgeable people carefully look at the many different options, for some are most definitely better than others.
Mr. Jorgensen said it is important for a company to have a customized authentication method, because its customers, the purchase method, and even the device facilitating that transaction all have characteristics favoring one method over another.
Encap provides device-based strong authentication and e-signature solutions for financial services companies. The Smarter Authentication Platform integrates into a client’s infrastructure to provide security across different applications, channels and devices.
It is crucial to link the customer’s identity to their device, Mr. Jorgensen explained. Once that occurs one can capture different biometric components on the device, tokenize them and store them on a server.
Biometrics then becomes the authentication method whether the transaction is on-site, over the phone, online or at an ATM.
The optimal biometric depends on the application, Mr. Jorgensen said. Apple has properly employed fingerprint technology, for example.
“Lots of companies are betting on all kinds of other things,” Mr. Jorgensen said. “But from a security perspective you only need one to capture your biometrics.”
“Conceptually, using two methods does not increase security.”
Fingerprint technology is being adopted with little resistance because it adds little if any friction for the user, Mr. Jorgensen explained. The success Apple has enjoyed has trained the marketplace to accept that method from other technologies.
Authentication techniques that require the user to carry hardware such as a wristband, or that only work in select environments, face a much more challenging marketplace, Mr. Jorgensen said, citing one option he tried and failed to use in a dark taxicab at night.
Biometric safety is highly dependent on its implementation, Mr. Jorgensen explained. Apple hardware had good security and it succeeded. Early Samsung versions did not and suffered breaches.
“People have to realize biometrics are in their very early days, in their absolute infancy,” Mr. Jorgensen explained.
Behavioral biometrics can be more effective than physical, he added. Sensors can capture your unique walking style, or how you type – the travel time between keystrokes and how much force you press with are factors which in combination can contribute to a unique profile.
One solution was originally developed to coach skiers. A coach wanted to capture different skiing techniques and compare them with top performers as he sought to improve performance, Mr. Jorgensen said.
Cameras and recorders already present in phones can be employed to capture the owner’s face and voice, though Mr. Jorgensen acknowledged that raises profiling issues threatening widespread acceptance.
Encap works to enable the biometric solutions the market requests, Mr. Jorgensen explained, and those requests vary based on factors such as geography. Voice biometrics are favored in emerging markets because they are inexpensive and accommodate all literacy levels.
One challenge is to develop as detailed a solution as possible at the beginning, because updates are prime opportunities for security breaches, Mr. Jorgensen said.
“From a security perspective you don’t want to do that too often.”
Mr. Jorgensen said there is a clear disconnect in how financial institutions in the United States employ mobile technology, and that is partially due to not understanding the limits of biometrics.
“People are fooled into thinking because it is biometrics that it is very secure, that because it is linked to them as a person but it is just one factor.”
“There needs to be multiple authentication processes,” Mr. Jorgensen said. “One piece linked to biometrics is theoretically no better than a password.”
Mr. Jorgensen explained the entire solution must be predicated on the device always being linked to your identity as the primary identification factor. Then you can layer in biometrics, contextual and behavioral information.
And while it is theoretically possible to hack into devices with strong security features, the harder you make it the more effective the solution is, Mr. Jorgensen said.
“Fraud is like any other line of business. Fraudsters will go where they get bang for their buck.”