How Banks Verify Users: The 3 Authentication Factors

Introduction

User verification has been a challenge since the inception of trade and finance. In fact, it is a core requirement for people to conduct business with those they are unfamiliar with.

The difficulty in authentication has led to various methods of identity fraud, from eavesdropping on confidential information to forgery and outright impersonation. As a result, combating fraud is a constant challenge for the finance sector.

A Quick History of Trust

So, how did banks ensure that a customer was trustworthy, genuine, and legitimate in an age when credit scoring was not widespread?


Memory and Physical Presence

  • Before banks existed, goods and livestock were stored in temples.
  • Priests were among the few who were literate, allowing them to keep written records of transactions and deposits.
  • The process was highly manual and subjective, with priests relying on memory and reputation to recognize a person’s ownership of an account.
  • Family members and friends could vouch for a person if they both physically visited the temple to make an endorsement.

Signatures


  • The tedious nature of user authentication persisted until the Middle Ages, when bills of exchange, the precursors to the cheques we know today, were invented.
  • This is when stamps and signatures served as an authentication factor. A person could be verified via an authorized letter of recommendation.
  • Signatures go beyond user verification, giving a document or item inherent value, whether it is autographed memorabilia, a certificate, or a contract.
  • Forging signatures and counterfeiting became serious, heavily punishable offenses. While this served as a deterrent, it did not stop people from the practice entirely.

 

The 3 Authentication Factors


The trust landscape today presents numerous challenges for digital businesses. Private user information is leaked regularly along with the rampant occurrence of new account fraud or synthetic identity fraud.

Companies are often unsure if the user accounts stored in their databases are genuine. This uncertainty makes it difficult for businesses to make data-driven decisions and, if left unchecked, could represent a significant vulnerability. For the banking sector, stringent authentication policies became a regulatory requirement.

The three-factor authentication model was developed to provide a more secure way of verifying users. These factors are:

  1. Something you know: Includes information that only the user should know, such as a password, PIN, or security question answers.
  2. Something you have: Includes physical objects that the user possesses, such as an ATM card, a mobile phone, or a hardware token.
  3. Something you are: Includes biometric data unique to the user, such as fingerprints, facial recognition, or voice recognition.

These factors can be used individually or in combination to provide a more secure authentication process. The more factors used, the higher the level of security.

Single-Factor Authentication

  • The most basic form of authentication.
  • Only requires one of the three factors to verify a user’s identity.
  • Examples include using a password to log into an online banking account.
  • While convenient, single-factor authentication is vulnerable to various attacks, such as phishing, keylogging, or card skimming.

Two-Factor Authentication (2FA)

  • Involves the use of two authentication factors to verify a user’s identity, providing an additional layer of security.
  • Examples include using an ATM card (something you have) and a PIN (something you know) to withdraw cash.
  • 2FA significantly reduces the risk of unauthorized access, as attackers would need to compromise both factors to gain access.

Three-Factor Authentication (3FA)

  • The most secure form of authentication, requiring all three factors to verify a user’s identity.
  • Rarely used in everyday banking transactions due to the complexity and inconvenience involved.
  • Examples include high-security facilities or high-value transactions where the risk of fraud is exceptionally high.
  • 3FA provides the highest level of security, making it extremely difficult for attackers to compromise all three factors.

The Future of Authentication


As technology continues to evolve, so do the methods used for authentication. Some emerging trends in user verification include:

Device Binding

  • Associates a user’s account with a specific device, such as a smartphone or computer, by creating a unique identifier. This ensures that accounts can only be accessed from the registered device.
  • Device binding is convenient for users because access does not require additional authentication such as passwords or biometrics.
  • Suitable for low-risk activities, such as online account access.

Risk-Based Authentication

  • Uses machine learning algorithms to analyze various factors, such as device information, location, and transaction history, to determine the risk level of a transaction.
  • If the risk level is deemed low, the user may only need to provide a single authentication factor.
  • If the risk level is high, the user may be required to provide additional authentication factors or go through additional verification steps.
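The step-up logic described above, as an added example that is not Innov8tif's code: a hand-written score stands in for the machine learning model, and the weights, thresholds and credential names are assumptions chosen for illustration. It counts factor categories rather than credentials, so a password plus a PIN still counts as one factor.

```python
from dataclasses import dataclass

# Factor category per credential type (types taken from the article's examples).
FACTOR_OF = {
    "password": "know", "pin": "know", "security_question": "know",
    "atm_card": "have", "mobile_phone": "have", "hardware_token": "have",
    "fingerprint": "are", "face": "are", "voice": "are",
}

@dataclass
class Context:
    known_device: bool     # device is already bound to the account
    usual_location: bool   # request comes from the customer's usual location
    amount: float          # value of this transaction
    typical_amount: float  # customer's typical value, from transaction history

def risk_score(ctx):
    """Rule-based stand-in for the ML model: 0 (low risk) to 100 (high risk)."""
    score = 0
    if not ctx.known_device:
        score += 40
    if not ctx.usual_location:
        score += 30
    if ctx.amount > 5 * ctx.typical_amount:
        score += 30
    return score

def required_factors(score):
    """Map the risk score to how many distinct factors must be verified."""
    if score < 30:
        return 1
    if score < 70:
        return 2
    return 3

def distinct_factors(credentials):
    """Count factor categories; unknown credential types are ignored."""
    return len({FACTOR_OF[c] for c in credentials if c in FACTOR_OF})

def decide(ctx, verified_credentials):
    """Return 'allow', or 'step_up:N' when N more distinct factors are needed."""
    need = required_factors(risk_score(ctx))
    have = distinct_factors(verified_credentials)
    return "allow" if have >= need else f"step_up:{need - have}"
```
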

How Innov8tif Supports the Industry

In today’s digital landscape, enabling multi-factor authentication requires a multi-faceted technology approach. Banks often have to source piecemeal solutions from different suppliers for each authentication factor.

Hence, Innov8tif has developed the Customer ID Assurance (CIDA) framework which integrates both proprietary and partnered solutions into a cohesive ecosystem. CIDA enables large banks and small SMEs alike to scale their authentication system according to ever-changing business requirements.

To learn more about Innov8tif’s authentication solutions, visit our wikipage.