Multi layered Authentication to tackle security threats

As digital transactions increasingly pervade our lives, the threats arising from fraudsters in the form of phishing, hacking, spamming, password stealing etc., the risk of exploitation of the inherent vulnerabilities of software has increased manifold. In fact, anti-virus programs and cyber-security software are as much a growing industry as the emerging technologies that they seek to protect from the ever growing “threat industry”. There is a predator-prey game underway, akin to one in the natural world where natural selection continually equips both prey and predator to evolve into more powerful species. But when it comes to cyber security, there is no scope for random protection, because the cost of insufficient protection could be catastrophic.

Cyber-security in banks can be implemented at multiple levels, including securing the transaction itself or enabling adequate security at the user level which seems to be the most vulnerable point in a transaction. Secure protocols (e.g. https, ssl) are de facto built into banking applications these days and they make transactions secure by providing encryption. But it is at the user level that cyber security needs the most stringent implementation. Because the user typically resorts to using login and password on a device, it is vulnerable to snooping, caching of passwords and other forms of stealing the details. This kind of authentication is called one factor or knowledge factor authentication and for this the user must know the login and password. Since login and passwords can be stolen by various means, a 2-factor authentication should be employed to secure them robustly. The second factor goes by the name of Possession factor which refers to what the user must have in their possession to logon. This could be a token in the form of OTP received on a mobile phone or obtained using devices like Secure ID.

For even greater security threats, a strategy could be to secure the device or the user logon screen itself from unauthorized access by using the user’s biometric data like finger print or iris scan or voice recognition. This 3rd level of authentication is called Inherence factor authentication.

A fourth level of authentication for increased security can be considered, albeit at the risk of inconveniencing the user. The fourth factor is called the Location factor, and it involves using the user’s location which is most likely afforded by the GPS on the logon device, typically the mobile phone. So by combining, geography, biology, technology and user-defined ways, cyber-security can be increased many times over, as each additional layer only makes it harder to hack even if one layer is prone to be breach.

In general, adding more layers of security increases security, and cyber-security is headed in the direction of adding it by disparate means. While this is well intentioned, it will be cumbersome for the customer if the authentication results in too many false negatives. We often see that due to bugs in the decoding software or lack of robustness on the sensing devices, detection by iris or voice or fingerprint can erroneously lead to access not getting granted. This is issue that banks may have to confront in the days to come as cyber-threats loom large and banks have the unenviable task of both securing the customer logon and giving the customer a friction-free transaction experience.