Countdown to PSD2: Kill passwords to stay alive

Financial institutions constantly make trade-offs between simplifying their customers' experience, improving cyber-security and complying with ever-changing regulations. Letting any one of these slip could accelerate an organisation's extinction. Today, however, organisations no longer have to choose between customer experience, cyber-security and regulatory compliance.

As the clock ticks towards the start of a regulatory shake-up for the EU financial services industry, these institutions have a chance to put this right and win their customers back: customers who have been driven away in droves by a barrage of bulky security technologies foisted on long-time customers in the name of improving security and fighting cyber-crime. Those technologies never stood a chance of holding the attention of millennials.

The old guard's fight against the flashy fintechs that millennials are drawn to has done little to stem the loss of customers, revenues, margins and market share. The revised Payment Services Directive (PSD2), which applies from January 2018, offers institutions one last chance. The directive is reinventing banking and payments with a vision of allowing customers to access account services from different financial institutions and non-banking platforms, including social media.

Millennials want what they want

PSD2 aims to drag EU banking into an era where digitally savvy customers have expectations that must be met. At the same time, PSD2 brings the co-benefit of an opportunity to shield banking customers from cyber-fraud. Unless institutions get on board, the public may never come back to a bank's website or regional brick-and-mortar branch (if any still exist). The wrong approach will only push them further towards the familiar and frictionless experiences that emerging fintech and social platforms stand ready to provide.

Many institutions aren't looking at the directive through that lens, seeing it only as a mandatory compliance process. They shudder at the idea of sharing the sensitive financial information they have worked to protect for decades with a platform better known for sharing ‘selfies’ than for handling financial transactions. Whether they like the idea or not, the stark reality is that institutions are losing out to fintechs that cater to a mobile-first society.

Banks had a good run

They made a go of it for years. Banks stayed competitive by re-engineering digital transactions, but those schemes only created circuitous customer journeys that left customers disoriented. They still have a choice, though. There are ways for institutions to capitalise on the second lease of life that PSD2 offers while soothing the concerns around security.

Kill your password

It's time to remove passwords as the way customers prove their identity. Too much is at stake to rely on secrets that can be captured and replayed, whether a password, a ‘one-time PIN’ typed into a login page or any other ‘shared secret’, or to confuse the customer journey with ‘my voice is my password’ processes as safeguards.

PSD2 is a two-way street along which banks and third parties must walk in step to secure and authenticate customers. The street is dotted with potholes where static data can be stolen, and at each intersection lies a fintech platform just waiting to take the customer on a new journey, one that won't look anything like the long slog banks have dragged them through.

Doing away with static security data will streamline and secure the journeys of a new generation of customers. These customers have no qualms about banking with the social platforms and tools they grew up using, and they're tired of trying to remember passwords, which time and again they see circumvented and stolen. The opportunity is in the palm of every institution's hand. Adopt dynamic authentication of customers for every interaction they have, and make it as seamless and frictionless as possible by using the one thing we all carry: the mobile device.

Banking customers aren't clamouring to keep their passwords, and they don't appear to be falling out of love with mobile devices. Today's bank customer welcomes simpler, more advanced authentication methods. With the technologies available, institutions can ask a user to register their phone and prove their identity once; then, with each subsequent request to access online services, instead of being asked to remember a password or go through a convoluted and frustrating password reset, they simply tap or look at their mobile device to complete a secure multi-factor authentication.

High-profile breaches at Uber, Yahoo! and Equifax continue to show passwords' weakness. Between phishing, key-logging malware, brute-force attacks, man-in-the-middle attacks, thefts of password databases and the bad habit of reusing passwords across accounts, it's time to kill password authentication and give customers the open choice they want, and that financial institutions desperately need.


Five waypoints on the road to killing passwords

1.      Make the mobile phone the customer's universal authentication tool. Today there is nothing more accessible and more connected to your customers than their mobile phone.

2.      Leverage the security already built into mobile devices. Controls exist both where the user unlocks the device and at the app level; all it takes is a risk-based approach to how often a customer's identity is challenged. The challenge will typically be fingerprint or face recognition to establish ‘inherence’ (something they are) or a test of ‘knowledge’ (something they know), while the registered device itself supplies ‘possession’ (something they have), the factor a password-only login never had.

3.      Don't rely on SMS verification codes: they are not device-specific and are easily intercepted by anyone who can get a victim's phone service transferred to a new device or SIM, a prevalent cyber-fraudster skill.

4.      Use technologies that identify who is in possession of a mobile device. This can include relying on the device's own security technologies to check a person's physical identifiers (biometrics), so that malware that has captured a credential still cannot act as the customer.

5.      Decide how determined you are to confirm a person's identity. The technologies available can take a user down a long road of authentications while a company decides whether to allow access. The key to good customer service is introducing solutions that give a satisfactory level of probability that it is the right person on the other side of the screen, without frustrating that person.
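What the five waypoints add up to, shown as an added worked example in Go (written for this page; it is not code from the article or from Trusona's product): the phone generates a key pair and registers only the public key with the bank once, and every later login is a random challenge that only the registered device can sign, and only after its local biometric gate has passed. An ECDSA P-256 key stands in for a hardware-backed key, the userVerified flag stands in for the OS fingerprint/face prompt, and the 60-second challenge lifetime and the 5-minute re-prompt window in NeedsFreshBiometric are assumed policy values, not figures from PSD2 or the article. The example goes one step beyond the list: it includes the replay, device-binding and expiry checks the server needs so that a captured response is worthless, which is exactly the property an SMS code (waypoint 3) lacks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Device stands in for the customer's registered phone. The private key is generated on
// the device and never leaves it; real apps keep it in the Secure Enclave / StrongBox.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is the only thing the device hands to the bank at registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a login challenge. userVerified models the local fingerprint/face gate
// (inherence): while it is false the key stays locked, so a stolen phone cannot sign.
func (d *Device) Sign(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; key not unlocked")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

type pending struct {
	deviceID string
	expires  time.Time
}

// Server stores public keys and outstanding challenges only: a dump of this store gives
// an attacker nothing to replay or crack offline, unlike a password database.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string]pending
	now        func() time.Time // injectable clock so expiry can be exercised
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]pending{}, now: time.Now}
}

// Register runs once, after onboarding has proved who the customer is; from then on the
// registered device is the credential (possession).
func (s *Server) Register(deviceID string, pub *ecdsa.PublicKey) { s.keys[deviceID] = pub }

// Challenge issues a fresh random nonce bound to one device, valid for 60 s (assumed TTL).
func (s *Server) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.keys[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[string(nonce)] = pending{deviceID, s.now().Add(60 * time.Second)}
	return nonce, nil
}

// Verify accepts a response only if the nonce is outstanding, unexpired, was issued to this
// device and was signed by its registered key. The nonce is consumed on every attempt,
// pass or fail, which is what makes a captured response worthless to replay.
func (s *Server) Verify(deviceID string, nonce, sig []byte) error {
	p, ok := s.challenges[string(nonce)]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.challenges, string(nonce))
	if p.deviceID != deviceID {
		return errors.New("challenge was issued to a different device")
	}
	if s.now().After(p.expires) {
		return errors.New("challenge expired")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(s.keys[deviceID], digest[:], sig) {
		return errors.New("signature does not match the registered device key")
	}
	return nil
}

// NeedsFreshBiometric is the risk-based dial from waypoint 2: routine actions ride on a
// recent local verification, high-value or unusual ones re-prompt. 5 min is an assumed value.
func NeedsFreshBiometric(lastVerified, now time.Time, highValue bool) bool {
	return highValue || now.Sub(lastVerified) > 5*time.Minute
}
```

Usage is NewServer, Register the device's public key once, then Challenge, Sign on the device and Verify for every login. Note what a stolen server database now contains: public keys and short-lived nonces, nothing that can be replayed or cracked. This is the same shape as FIDO2/WebAuthn, which standardises it and adds the attestation and origin binding this sketch omits.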

Contributed by Olly Brough, vice president, EMEA, Trusona

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.