The objective of passwords is to keep accounts protected and safe. The problem: they aren’t doing the job. According to Deloitte, 90% of user-generated passwords, even those considered strong by IT departments, are vulnerable to hackers.[1] Duncan Stewart, Director of Research, Deloitte Canada, said: “Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust. But these can be easily cracked with the emergence of advanced hardware and software.”[1] The fact that many consumers use popular passwords (in a survey of 10 million passwords that were hacked in 2016, the most popular was 123456[2]) further compounds the issue.
Core banking systems, internal support applications, email, computers - all use passwords. These pieces of technology contain sensitive information for thousands, if not millions, of accounts. Additionally, most pieces of technology at financial institutions communicate with each other, meaning a breach in one system could potentially become a breach of all systems. For this reason, if an employee uses a weak or reused password, the entire system could be in jeopardy. However, these risks are drastically reduced with two-factor authentication.
Two-factor authentication is a security measure that double-checks the identity of a user attempting to access a system. Many common systems have already adopted two-factor authentication protocols. For example, many large companies, such as Google, Facebook and Amazon, allow users to turn on two-factor authentication.
Overall, there are three possible authentication factors: information that the user knows, such as a password, an item or device that the user has, like a mobile phone or ID card, and a unique identifier that is inherently part of the user, such as a fingerprint or retina scan. The most common type of two-factor authentication is a password and a code that is sent to a mobile phone. In order to log into an account, the user must have the correct password, as well as their mobile phone available to receive an authentication code.
Security is mission-critical at any financial institution, but there is always a balance between security and user experience. A financial institution could potentially require ten steps for a user to log into their online banking, decreasing the probability of a breach significantly, but this would anger users. To ensure that two-factor authentication does not become a burden for users, engineers have developed alternative two-factor authentication methods that are equally secure but can be more convenient. Here are some examples that could apply to financial institutions:
Recently, two-factor authentication using SMS has come under scrutiny because the SMS protocol is not encrypted. For this reason, implementations with authenticator apps, security keys, or one-tap verification are preferred. Overall, evidence exists that two-factor authentication creates a more secure system, leading to fewer fraud incidents and breaches. This method of authentication should be a standard feature at any financial institution.