Authentication of a platform -8th newsletter by BhatiaBytes
Vishal Bhatia
Chief Digital Officer @ Canara Bank | Digital Strategy and Transformation |CTO in Kotak Cherry | IDFC Bank, Societe Generale, Infosys| 24+ years of experience across Technology, Fintech, Digital across all Banking domain
Welcome folks to the 8th newsletter of BhatiaBytes. Covering the most important part of any platform which is Security and Convenience. There are Top 5 authentication methods you will see in any platforms. Here covering a comprehensive list of authentication methods that provide both security and convenience during any journeys for a platform.
1. BIOMETRIC AUTHENTICATION METHODS
Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today. Additionally, it causes less friction during the authentication process in comparison to previously mentioned methods, making for a great user experience. Most common identifiers include fingerprint scans, facial recognition, and voice-based identification.?
PROS
Hard to spoof?– biometric identifiers such as fingerprint and retina are unique by definition for each individual. Also, when combined with?Dynamic linking?(i.e., adding additional transaction data in authentication data), spoofing is almost not feasible.
Simple to use?– does not require memorizing various PINs and passwords, a straightforward authentication process.
Fast and reliable?– biometric authentication provides more security and is less time-consuming.
CONS
Privacy concerns?– one of the major issues users have with this method is privacy concerns. Even though this feeling is very subjective, it prevents a significant number of cardholders from using it. Biometric data are stored in a trusted environment, encrypted and inaccessible to regular operating systems.
Possible errors?– errors including false acceptance and false rejection of an authentication attempt.
2.?QR CODE
QR code authentication is typically used for user authentication and transaction validation. A typical flow for transaction verification starts with the user logging into their internet banking web application and opening a payment order. The internet banking application offers the user to process this payment using a QR code presented on the screen. To process the payment, the user needs to scan the QR code with their smartphone using authenticator software (can be apart of their mobile banking application). To finalize the payment, the user is presented with transaction details and, upon inspecting the validity of the showcased data, the user additionally confirms the online payment.
PROS
Simple to use?– the authentication process is straightforward.
2FA proof?– easily combines with other authentication factors for increased security.
No additional hardware?– independent from third-party hardware.
CONS
Lack of familiarity?– the general public is not widely familiar with this particular authentication method, resulting in a possible poor customer experience.
Device dependence?– requires the use of smartphones alongside correct reader software capable of scanning the QR code.
3. SMS OTP
This simple yet effective authentication method involves sending an SMS message to the user's mobile phone, containing a one-time password used for finalizing the authentication of online payments.
PROS
Simple to use?– the authentication process is straightforward.
Access?– in case of suspicious activity, only the user who has the device in their possession can verify the transaction's validity by entering the received OTP.
领英推è
Familiarity?– SMS OTP is one of the oldest forms of two-factor authentication, making it widely accepted by both users and security protocols.
CONS
Data network requirement?– if a user is unable to use their phone network (e.g., the connection is down), they won't be able to receive the OTP. Also, SMS OTP delivery might not happen in real-time, causing a delay, and the authentication time could run out.
Compliance?– SMS OTP authentication is not entirely PSD2 compliant, e.g. if a mobile phone is not in possession of its rightful owner, the fraudster can easily receive SMS OTP on the stolen device and process a transaction.
4. PUSH NOTIFICATION AUTHENTICATION METHOD
A push-based authentication system sends a notification to an app on a user's device, informing them about an authentication attempt. The user is able to inspect the details of the authentication attempt, and based on their knowledge about an, e.g., the transaction taking place, either confirm or deny request verification.?
PROS
Simple to use?– if the authentication details do not raise any suspicion, the user simply confirms the authentication request.
Efficient fraud protection?– push-based authentication enables simple implementation of Dynamic linking, which proves to be efficient in preventing phishing and MITM (man-in-the-middle) attacks.
Low cost?– this method leverages user's existing mobile phones, eliminating additional hardware costs and maintenance costs.
CONS
Data access?– notifications are sent through data networks, so in order for this method to be applied, the user must have data access.
Security issues?– the user might accidentally approve a fraudulent transaction because of our habit of automatically approving incoming notifications.
Dependency?– Push notification authentication demands having an appropriate mToken application installed on a user's device, as well as mToken activation, i.e., it requires certain actions to be undertaken in order for the authentication method to be available to the cardholder.
5. BEHAVIORAL AUTHENTICATION METHOD
Behavioral authentication verifies a user's identity based on unique patterns recorded during interaction with devices (e.g., smartphone, tablet, computer). Identification factors include everything from the angle at which the user is holding their phone to pressure applied while typing. This type of authentication method allows for a genuinely frictionless experience without having to worry about the level of security it is providing the user with.
PROS
Simple to use?– straightforward authentication process.
Hard to spoof?– just like the fingerprint and retina are unique by definition for each individual, the same applies to the way a user interacts with their device.
Great user experience?– the authentication process is passive, and friction is out of the equation.
CONS
Case sensitive?– can be affected by the user's physical state and emotional behavior.
Invasion of privacy?- major issue users have with this method is privacy concerns. What disturbs users the most is not knowing what data is actually collected, who has access to it, and how it is going to be used in the future. How far is too far?