Recently, there's been an uptick in the adoption of the NIST Cybersecurity Framework, a set of guidelines aimed at helping organizations improve their overall cybersecurity process. In December 2017, NIST released the second draft of its framework. Among the updates were two critical additions to the Identity Management, Authentication and Access Control guidance.
Identity and verification are interlinked concepts that play a critical role in the continued digital evolution of retail banking. From showing photographic ID to complete a transaction in person, to demonstrating proof of address when applying for a financial product, customer ID&V is long familiar in retail banking. But these methods of identification and verification still rely on the presentation of a physical document, a practice that runs against the nature of digital banking and conflicts with its main benefits: convenience, speed and remote access. Consumers are abandoning the branch in favour of mobile apps and online banking. Banks are now in a situation where traditional ID&V methods are being quickly redefined for the digital banking era, especially with the forthcoming PSD2 evolution.
Online threats are constantly evolving, so it's often difficult, even counterproductive, to compare how useful a security control is in today's threat environment with how useful it was a few years ago. But it's important to stay on top of whether so-called cybersecurity "best practices" are actually protecting people, especially because there's so little good empirical data available about how effective they are. We just recently received some new data from Google suggesting that multifactor authentication may not be as useful now as it once was; that doesn't mean you shouldn't use it. It just means that attackers may be changing their methods to routinely circumvent the now ubiquitous log-in technology that was supposed to save us from all but the most sophisticated phishing attacks. Multifactor authentication has been a go-to cybersecurity recommendation for organizations across the public and private sectors for at least five years now. Unlike password length and complexity requirements, which only helped protect users from dictionary or brute-force attacks, in which attackers tried to guess passwords using common combinations of letters and numbers, multifactor authentication goes one step further and also protects against phishing attacks.
Ben Dickson is a software engineer and freelance writer. He writes regularly on business, technology and politics. The fact that plain passwords are no longer safe to protect our digital identities is no secret. For years, the use of two-factor authentication (2FA) and multi-factor authentication (MFA) as a means to ensure online account security and prevent fraud has been a hot topic of discussion. Technological advances, especially in the mobile industry, have created new possibilities, and manufacturers and vendors are offering various multi-factor solutions in the domain of biometrics, physical tokens, software tokens and mobile codes.
Seeking to boost the effectiveness of multi-factor authentication, identity management vendor OneLogin Inc. has released an adaptive approach that uses machine learning to gauge security risk and apply the appropriate level of authentication. The San Francisco-based company, which also specializes in cloud identity and access management, said its machine learning capabilities would allow users to detect increasingly sophisticated security risks that are often missed by "simplistic" multi-factor authentication. The machine-learning tool helps determine the number of authentication factors (usually a password and a numeric code sent via text message to a mobile phone) required to secure systems, depending on the assessed risk. The system prompts users to authenticate with multiple factors when risk is higher. The goal, the company said, is to balance "security and usability."