Choosing the Right Multi-Factor Authentication Tools for Your Credit Union


By Robert McGarvey


The multi-factor authentication tools your credit union implements may win you members – but the wrong ones just may cost you members while driving away mobile and online banking users.  It’s also very, very possible that soon authentication will become a key battleground in member retention.

That’s how important multi-factor authentication (aka MFA) has become in today’s financial services.

Passwords plainly are broken.  Between epidemic breaches – Equifax for instance – and rampant user laziness (such as using the same password at multiple sites), a password alone is not adequate protection for most accounts involving money.

Enter multi-factor authentication, which often rides on top of a password. The password may be adequate for low-value tasks, but when bigger money is on the line, it’s time to bring out multi-factor to provide beefed-up protection.

FFIEC provides interesting insights into the role of multi-factor authentication in financial institutions:  “A common example of two-factor authentication is found in most ATM transactions where the customer is required to provide something the user possesses (i.e., the card) and something the user knows (i.e., the PIN). Single factor authentication alone may not be adequate for sensitive communications, high dollar value transactions, or privileged user access (i.e., network administrators). Multi-factor techniques may be necessary in those cases.”

Plainly we have entered an age where consumer expectation about the availability of multi-factor has vaulted ever higher. Personally I use multi-factor on Amazon.  I also have it set up on Google.  So of course I expect it, and use it, at Affinity Federal Credit Union.

Understand this however: there is ample evidence that many consumers rebel against MFA that is deemed too cumbersome, too much of a hassle.  It’s something of a double-bind. They want to feel protected by their financial institution but they also don’t want to feel hassled.

Yet good, trustworthy MFA increasingly looks to be critical in fueling credit union account growth, especially usage of lower cost digital channels (online and mobile).  But lots of Americans shy away from online and mobile banking because of fears of data insecurity in the digital channels. Multi-factor can be the cure.

Mark this as a key 2017 challenge: offering members MFA they will use, gladly, and that leaves them feeling their financial data are safe.  

That is easier to say than to deliver.

Increasingly, multi-factor offers a choice among something the user knows (a PIN perhaps, or a favorite teacher in grammar school), something the user has (a cellphone perhaps, or an ATM card), and something the user is, that is, a biometric. Gaining traction there are fingerprints of course – think Apple Pay and Touch ID – but also retinal scans, which have gained popularity at money center banks (particularly Wells Fargo).

More attention nowadays is going into biometrics because, thanks to Apple, more of us are comfortable using a biometric tool to perform a financial task and, to most of us, biometric factors seem beyond the reach of most criminals.  

What should you offer? Best advice is to offer members a choice of multiple tools and let the member decide.  Some people still think retinal scans are creepy; others have seen them at high-security office buildings and like them.  There is no disputing member tastes.

Put out a menu of maybe five or six tools and let members decide what they like.

Key is that what they use cannot seem intrusive or a hassle – to them. They get the only vote that counts.

Also good are protective tools the consumer may be unaware of, such as looking for trusted, known devices and trusted, known locations. When a member who lives in Phoenix, AZ is signing into a sharedraft account at a local credit union, that institution can breathe easier when it recognizes the computer and the member location – and the member has no need to know these checks have been made.
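To make the idea concrete, here is an added sketch (not code from this article or from any vendor it names) of how silent device and location checks can combine with the "bigger money" rule mentioned earlier to decide when a member is asked for a second factor. Every name, threshold and sample value in it is hypothetical.

```python
import math
from dataclasses import dataclass

# Hypothetical thresholds, chosen only for this illustration.
HIGH_VALUE_USD = 1000.0   # where "bigger money" starts
NEARBY_KM = 50.0          # radius that still counts as a known location

@dataclass
class Member:
    known_devices: set      # device identifiers from earlier successful sign-ins
    known_locations: list   # (lat, lon) of places the member usually signs in from
    preferred_factor: str   # the tool this member picked from the menu

@dataclass
class SignIn:
    device_id: str
    lat: float
    lon: float
    amount_usd: float = 0.0  # value of the requested transaction; 0 for a plain login

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def required_factors(member, signin):
    """Return (factors to demand, reasons for any step-up)."""
    reasons = []
    if signin.device_id not in member.known_devices:
        reasons.append("unrecognized device")
    if not any(km_between(signin.lat, signin.lon, lat, lon) <= NEARBY_KM
               for lat, lon in member.known_locations):
        reasons.append("unfamiliar location")
    if signin.amount_usd >= HIGH_VALUE_USD:
        reasons.append("high-value transaction")
    factors = ["password"]
    if reasons:  # the silent checks failed or the stakes are high: ask for more
        factors.append(member.preferred_factor)
    return factors, reasons

# Constructed sample: a Phoenix, AZ member who chose fingerprint from the menu.
PHOENIX_MEMBER = Member({"laptop-01"}, [(33.4484, -112.0740)], "fingerprint")
```

In this sketch the device and location checks only decide whether to ask for more; they never replace the password, and the member sees nothing when both checks pass.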

Key also is providing flexibility. A member may like using voice as a biometric when signing into the credit union in the early a.m. from home – but probably would think it weird when signing in from a busy Starbucks at noon.

Give members choices and they will use them.

Also stay on top of news developments; there definitely is news in the multi-factor space.

A sore spot to watch is SMS which, frequently, figures into multi-factor authentication, where a PIN is sent to a registered cellphone number. The user then inputs that PIN at a banking site.  But – increasingly – there is evidence that smart crooks have figured out how to simply steal cellphone numbers and thereby hijack the SMS traffic.  Worries are big enough that the National Institute of Standards and Technology (NIST) has begun to back away from SMS, as awareness grows that the safety of the cellphone channel is in doubt.

Right now, cellphones and SMS remain integral in the multi-factor techniques deployed by most financial institutions, but smart money is betting that will change unless cellphone carriers impose better processes to safeguard number transfers.

Note: this author recently transferred a number from one carrier to another and from one device to another and, frankly, the process was frictionless – which has to raise security worries.  But – again – it would be easy enough to erect some hurdles in the process and that might restore confidence in cellphone SMS.

The message there: stay on top of developments. Crooks are energetic in hunting for new weaknesses to exploit. Credit unions have to be as energetic in their self-defense tactics.

Want more ideas about what tools to use? Good advice is to look at leaders in the field. Recent ratings from Javelin Strategy & Research heap particular praise on USAA, Wells Fargo, Bank of America, Bank of the West, and Fifth Third when it comes to preventing fraud involving member accounts. Only the very largest institutions were compared, so don’t look for credit unions.

Are your tools in the same class? They should be. That’s how to keep members.

Meantime, CU-2.0’s Kirk Drake pointed to emerging tools that credit unions need to know about.  Said Drake: “Using things like DAON, AnchorID, DUO, Averon, etc. really allow you to elevate the member experience while increasing security.” 

The point: credit unions have a growing number of authentication options. New ones are emerging. Learn about them, use them.  This just may become a key battleground in member retention in the years ahead. Falling behind is not an option.

