Are Banks Ready to Say Goodbye to Passwords?

Are Banks Ready to Say Goodbye to Passwords?

by March 16, 2022

Passwords have been around for decades, having first been introduced back in the 1960s as a concept of authentication to cybersecurity.

Since then, technology has evolved, consumer behavior has changed, and the cyber threat landscape has morphed into a complex ecosystem where attacks are becoming more sophisticated and rampant.

Although passwords have their flaws, including poor customer experience, and are prone to attacks such as credential stuffing, phishing, social engineering, and brute force attacks, financial institutions are reluctant to get rid of them.

This is unlike tech giants including Google and Microsoft which have been fervent believers in the passwordless trend, arguing that there are better ways to verify one’s identity and prevent fraud.

Ben Balthazar, Senior Fraud Consultant, OneSpan

Ben Balthazar

“There is a lot of reasons to argue against passwords,” Ben Balthazar, Senior Fraud Consultant, OneSpan, said during Fintech Fireside Asia’s latest panel discussion earlier this week.

“It’s seen as a hassle in user experience but also just managing passwords ends up with applying complex password policies, which are different between each application. So as a user, it becomes a real headache. Then they will force you to change your password in an amount of time.”

Password security risks

Because passwords are static credentials that don’t usually expire, they are easy targets for attackers. Plus, a lot of people reuse their passwords for multiple accounts, making these accounts at risk of a near-simultaneous compromise if a bad actor manages to get their hands on that single password, said Will Tully, Regional Head Of Fraud, HSBC.

Massive data breaches including those involving LinkedIn and Yahoo are evidence of the shortcomings of passwords, he said. In the banking sector, customers of OCBC, Singapore’s second-largest bank, recently fell for an SMS phishing scam that saw some 790 users being defrauded out of S$13.7 million, he noted.

Will Tully, Regional Head Of Fraud, HSBC

Will Tully

“There is a real risk on passwords,” Will said. “Banks are all looking at strengthening that control and stepping away from passwords.”

Though there is no doubt that identity verification needs to evolve, adoption of new passwordless methods have been somewhat slow, and that’s primarily due to technology-related limitations, said Mhel T. Plabasan, Director, Technology Risk and Innovation Supervision Department, Bangko Sentral ng Pilipinas (BSP), the Philippines’ central bank.

“Probably, the key challenge in terms of adopting the technology is that there are many applications right now that are not yet supportive of passwordless authentication,” Mhel said.

“The infrastructure can also be a challenge. And of course, multiply that by the number of apps an organization has and that can become enormous both in terms of complexity and cost.”

Not only that but getting the top management on board to embrace these new methods can also be challenging.

“Passwordless is going to be a transition,” Mhel said. “As more organizations become convinced about the benefits of passwordless authentication, moving forward, more organizations will definitely adopt passwordless authentication considering the benefits including user experience, improved security.”

Regulation can accommodate these novel authentication methods, Mhel noted, mentioning that the Philippines central bank has been an early supporters of passwordless authentication and was amongst the first jurisdictions in Asia Pacific (APAC) to introduce risk-based authentication regulation back in 2017.

Mhel T. Plabasan, Director, Technology Risk and Innovation Supervision Department, Bangko Sentral ng Pilipinas

Mhel T. Plabasan

Putting friction where it makes sense

Echoing Mhel, Will said that the shift to passwordless will require banks to move away from their “binary authentication approach” towards risk-based authentication where varying levels of stringency to authentication processes are applied to different risk levels.

“[Risk-based authentication] is the ability to judge the risk of a certain activity that you are doing online and add friction when required so that it does become more difficult to do and that we do step up that authentication level at the appropriate time,” Will said.

“In fact, any defense, including passwordless, has to include risk-based authentication as a strategy. At HSBC, we are looking heavily at risk-based authentication so we can challenge you online.”

Ben said that behavioral analytics will be a key component for passwordless methods in the future, helping detect anomalies in user behavior through a combination of data science, machine learning (ML) algorithms, and artificial intelligence (AI), and proactively catch fraud attempts.

“There’s so much more data that you are going to have that you will be feeling much more comfortable in terms of having less authentication,” Ben said.

“Ultimately, you will be able to go to a point where you have no identification at all for some basic things such as checking the balance on your mobile application.”

But in the end, it all comes down to how these new technologies are deployed and whether the right broader strategy is in place.

“Supporting technology is not just about what you are using as solutions but also the ecosystem around it would be important,” Ben said.

“The problem that we often see is that banks will adopt the right technology, they deploy it, but often incorrectly, so there will be slight mistakes in how they apply the technology, and that usually ends up with new risks that they didn’t have before. They somewhat have the illusion that the new technology they’ve deployed will solve all of their problems.”

Mhed noted that like any new technology, passwordless methods also have their own risks, especially when technologies like deep fakes could potentially bypass biometrics authentication such as face and voice recognition.

“No technology is a 100% secure,” he said.

“That decision to move to a passwordless authentication mechanism has to be supported by appropriate risk assessment and due diligence.”