A few months back (just after the Covid pandemic had started), a popular US retail bank, Bank of America, implemented an important change in how its retail net-banking customers log into their accounts.
All users of the bank can now set up an additional security measure at login: a one-time authorization code sent to their registered mobile number, in addition to their user ID and password. For users deemed to present a security risk at login (presumably because inconsistent login patterns have given them a high risk score), this step has been made mandatory.
Since the bank expected the number of internet logins and transactions to rise post-Covid, it probably implemented these changes to protect genuine customer accounts from hijacking attempts by hackers.
This shows that the era of Multi-Factor Authentication (MFA) has truly arrived and is here to stay. Previously, MFA was used only when users performed bank transactions; now it is required even during the login process.
The bank had been using security questions as a second factor, but now probably deems that risky, as typical answers to popular security questions can be lifted from users' social media accounts by hackers.
So where does this lead? Probably to the next stage of MFA: Adaptive MFA in BFSI.
What is Adaptive MFA?
When a user logs into a bank, the bank can measure several patterns about the login and use this data to protect the customer from phishing and other hacker attacks: the typical time of day the user logs in, the network and computer the login happens from, the geolocation (GPS location) the user logs in from, the time they typically spend during login, the type of transactions they normally perform, and so on.
With this wealth of data in store, banks can assign risk scores to each activity using AI (Artificial Intelligence) and ML (Machine Learning) methods. If an abnormal risk score is detected for a user during a login, adaptive MFA can be triggered: the user is made to go through additional authentication factors during that session, for example an OTP coupled with a push-based authentication sent to the user's mobile app, plus a security question or even a phone-call-based verification. This helps to control or even eliminate fraudulent access by a hacker as it begins to happen.
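The scoring and step-up decision described above, as an added example that is not part of the original post or any bank's system: the login signals the text lists are compared against a per-user baseline, each deviation adds an assumed weight, and the summed score selects which additional factors the session must pass. The data model, weights and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass

# Assumed data model (not any bank's): a baseline built from a user's past
# successful logins, and the signals observed on the current attempt.
@dataclass
class LoginProfile:
    usual_hours: frozenset     # hours of day (UTC) seen in past logins
    known_devices: frozenset   # device fingerprints seen before
    known_networks: frozenset  # IP prefixes seen before
    home_countries: frozenset  # countries seen before
    median_login_secs: float   # typical seconds spent completing login

@dataclass
class LoginAttempt:
    hour: int                  # hour of day (UTC) of this attempt
    device_id: str
    ip_prefix: str
    country: str
    login_secs: float          # seconds spent completing this login

# Weights are illustrative assumptions; a bank would fit them to its own data.
WEIGHTS = {"odd_hour": 1, "new_device": 2, "new_network": 1,
           "new_country": 3, "fast_login": 2}

def risk_signals(profile, attempt):
    """Return the names of every signal that deviates from the baseline."""
    hits = []
    if attempt.hour not in profile.usual_hours:
        hits.append("odd_hour")
    if attempt.device_id not in profile.known_devices:
        hits.append("new_device")
    if attempt.ip_prefix not in profile.known_networks:
        hits.append("new_network")
    if attempt.country not in profile.home_countries:
        hits.append("new_country")
    # Finishing login far faster than the user normally does suggests a script.
    if attempt.login_secs < 0.3 * profile.median_login_secs:
        hits.append("fast_login")
    return hits

def required_factors(profile, attempt):
    """Sum the weights of the triggered signals and map the score to factors."""
    score = sum(WEIGHTS[s] for s in risk_signals(profile, attempt))
    if score <= 1:      # normal login: password only
        return score, ["password"]
    if score <= 3:      # mildly unusual: add a one-time code
        return score, ["password", "sms_otp"]
    # clearly anomalous: OTP plus push approval and a security question
    return score, ["password", "sms_otp", "push_approval", "security_question"]
```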
How does this prevent fraud?
During adaptive authentication, the key point is that most of the factors used for authentication are generated on the spot, so the hacker does not know all the details of the authentication sequence and credentials in advance and cannot execute a phishing attack on the user's authenticated session. Even the user does not know them in advance, so hackers cannot target gullible users to obtain these credentials before the login.
What are the other adaptive authentication factors that can come into play?
MFA is normally performed with:
• factors that the users know (passwords, security questions, pre-stored user-approved picture patterns and code numbers),
• factors the users have (like OTP, mobile push authentication, Google Authenticator) and
• factors that define who the users are (biometric authentication like retina scans, fingerprints, facial recognition).
Of these, the first set of factors, the ones the users know, is under severe attack by hackers. Hence banks will slowly shift to the second and third categories above. Those factors are much harder to pry out or reproduce than passwords or security questions, for the reasons mentioned above.
What are the challenges in implementing Adaptive MFA?
The primary challenge is protecting the user experience. Users normally do not like too many hurdles just to get to their bank account, and not all users are computer- or mobile-savvy. For example, the bank in question has instructed users who do not have a mobile phone, or do not have a valid phone number on file, to call the bank to get authenticated.
While this may work temporarily, users cannot do it every time, as waiting times for such calls are long. So banks have to arrive at the right mix of technology and user convenience to implement secure MFA login at the right cost to the user.