The TruU Hub

Implications of Passwordless Authentication on Financial Institutions

Written by The TruU Team | September 15 2021

Passwordless authentication has been employed for customer identity for many years and is now seeing growing interest from financial institutions for their employees and partners. Anti-money laundering (AML) laws and KYC (Know Your Customer) compliance drove interest in anti-fraud/money laundering customer identity first, but the adoption of newer authentication methods such as biometrics and behavioral biometrics, and more recently the use of identity proofing technology is just as applicable for the workforce.

When we think of massive bank data breaches, insider abuse or misuse, or phishing, these are cybersecurity threats that focus on a financial institution’s workforce. Enterprise passwordless MFA solutions will have a massive impact on risk for financial institutions as one of the most effective prevention technologies since next generation endpoint security.

Reducing the Risk of Cybercrime for Financial Institutions

Along with healthcare, financial institutions are perennially one of the most targeted industry verticals by hackers. Several password-related tactics top the list of security attacks perpetrated, such as phishing, drive-by downloads of trojans and keystroke loggers, attacks of undisclosed zero-day vulnerabilities and web application attacks that lead to continued lateral movement beyond segmented DMZ network areas. These tactics ultimately target employee passwords or make use of compromised passwords. In fact, Verizon’s Data Breach Report estimates that up to 80% of data breaches make use of compromised credentials.

TruU has an enormous potential to lower financial institution risk in this area because it is full passwordless MFA down to the workstation. You see much of the market considers enabling Windows Hello for Business or a more recently purchased Mac’s TouchID as achieving passwordless. But nothing could be further from the truth. These solutions only begin to get at the surface of what an enterprise passwordless solution needs to be, largely because those solutions still depend on the password, and most importantly, the end user needing to remember and recall the password when the hardware is cold booted.

Or take the instance when that same employee uses that company issued laptop or a personal laptop to access their corporate resources over a VPN client from home. The corporate end user or partner will need to type the network domain password in these instances, opening themselves up to hackers and not achieving the true goals of passwordless authentication. Extrapolate this problem to every use case a workforce participant finds themselves throughout the workday –a VDI session or a remote login to a server for admins. TruU’s scope of coverage from workstation to server logins to VDI to VPN and more achieves the true goals of passwordless authentication, to remove the risk from passwords entirely.

The cost figures of data breaches suggest what we think is a very compelling return on investment consideration. Recently, Equifax said that its 150 million record breach has cost the company over $1.4 billion in lawsuits and other direct costs. IBM’s annual data breach report states that in 2020 financial services exhibit the most expensive data breaches over any vertical globally, with each individual breach averaging over $8 million in the US.

Reducing Downstream Reputational Risk

Cybercrime not only enacts risk of direct financial liability, but also intangible damage to the brand as well. Some of the sagest advice we know of in life is that recovering from a negative perception is many times harder than consistently maintaining a good image. This is especially important in an industry built on trust like financial services. The damage to brand and reputation from a breach or compromise in trust takes years to recover from. Imagine the marginal buyer of a bank’s services who must decide between two institutions with whom to bank with just after hearing about a massive data breach exposed at one of them. It is virtually impossible to fully account for the impact of a data breach in the form of lost revenues or business.

The reputational damage may be even bigger when a breach is due to intentional insider misuse or abuse. Because people know humans are fallible, it may be excusable in many people’s minds that a breach occurred due to lax or mistaken security controls, but a premeditated cybercrime by an employee could extend to an indictment on the institution’s culture which causes more damage. TruU counteracts the threat of insider misuse via an enterprise view of who accessed what and when, and with its ability to ascertain identity with high assurance. TruU is introducing the first AI-based identity risk engine that combines physical, environmental, proximity and behavioral biometric signals to determine identity. Most MFA solutions, if they are advanced, seek to be adaptive with a step-up authentication using biometrics when risk seems elevated. TruU utilizes a continual risk score of an individual throughout the workday and biometrics is typically the default form of authentication in its MFA equation.

Reducing Risk from PII Regulation and Legislation

Collectively, financial institutions spend hundreds of billions of dollars to meet regulatory mandates such as MiFID II and Sarbanes-Oxley. More recently, European General Data Protection Regulation (GDPR) and similar consumer protection laws threaten to make the burden even larger. This risk amplifies the risk from a data breaches given the huge penalties from non-compliance with timely reporting statutes. In this way, TruU indirectly lowers the risk of financial liability due to consumer protection act non-compliance.

Going further, while these statutes are designed for consumers, we believe there is spill over to employee attitudes in certain parts of the world. Given that we have co-innovated our solution with large, multi-national organizations, we have and are designing our solution to meet the needs of these disparate workforce populations. For example, our support for the FIDO standard enables our solution to work seamlessly with any FIDO-certified hardware key, presenting an authentication option for employees that object to downloading a corporate mandated mobile application to their personal smartphone. Our decentralized public key-based architecture prioritizes privacy to ensure our use of biometrics and AI behavioral models cannot compromise any specific individual using our system. And lastly, we have operationally made it possible for former employees to request a right to be forgotten in our global identity platform through our own adherence to standards such as GDPR.

Additional Risks We Partially Help With

TruU can partially help financial institutions with a couple of other additional risks pointed out in this excellent framework spelled out at Resolver’s listing of the Top 12 Risks for Financial Institutions.

Resolver points out the risk of failure to attract or retain talent. We believe TruU modernizes organization to the workplace of tomorrow. Organizations have been using passwords since the 1960s and we believe it’s time to do better. The newer, younger generations of employees have grown up with advanced technology, recognize the convenience-based experience of the Internet and software, and seeks to work for organizations that prioritize their workforce. TruU dramatically alters and improves the access user experience for end users, while improving security for the organization, a value proposition difficult to achieve.

Lastly, Resolver points out the risk of failing to innovate. Innovation breeds loyalty with consumers as it increases convenience over time. This is no less true for internal processes and operations. Innovation in the form of internal digital transformation for improved employee engagement will spur employee loyalty. Many of TruU’s customers and deals are led by CIO’s leading transformative projects for the workplace for increased productivity and end user satisfaction.

Summary

In conclusion, we feel that enterprise passwordless MFA is a net reducer of risk for financial institutions. But more importantly, enterprise passwordless MFA has a very high bar of requirements to meet to be acceptable and complete enough for demanding enterprise organizations like financial institutions. This is where we believe TruU shines and has differentiated itself in the market. We invite you to learn more about our TruU Identity Platform or directly Request a Demo from us today.