Effective Authentication Happens in Layers

There's a conspiracy theory out there that Facebook is listening to us. For example, let's say someone is talking about their leaf blower being broken and within a day ads for leaf blowers are showing up on their feed. Marketers have gotten quite clever with their targeting, whether it's through "big brother" as we imagine or not. Shopping is happening all of the time and consumers are becoming more trusting of shooting payments off to merchants they know nothing about. While most of these are likely safe, it does create a very simple opportunity for bad actors to fake an eCommerce store and steal member information. As eCommerce grows, so must the layers of security protocols.

What is Factor Authentication?

In 2001, the Federal Financial Institution Examination Council (FFIEC) required financial institutions to perform risk assessments of their electronic banking products and services. Credit unions were expected to implement stronger authentication procedures for high-risk transactions, but they had considerable leeway regarding the authentication methods they chose to implement. In today's very online world, the average credit union member executes risky transactions daily, and so much of their data is intertwined that increased attention must be paid to even the smallest transactions.

In order to access to an account online, a user must prove who they are and that they have ownership of the account. There are generally four acceptable authentication factors that can be used:

• Knowledge - This is a factor the member knows, like a password, username, PIN, or address.
• Possession - This factor is something the member can access via a device or object within their possession, like a text sent to their phone via SMS, a security token, or a card verification value (CVV) code. 
• Inherence - This factor is something that is part of the member inherently, like a fingerprint, facial recognition, voice recognition, and other biometrics. 
• Location - This authentication can be based on where the member physically is, like using the IP address on their laptop or GPS location. 

What is Single-Factor Authentication?

Single-Factor Authentication (SFA) is a security measure where the user provides one factor--this may be a password or passcode--to gain access to their account. It creates only one barrier to enter for someone looking to hack into your data. This is generally a Knowledge factor. While this was once enough, passwords have become a weak link. Most users have so many passwords that they will reuse the same one or same formula again and again. People looking to get into member accounts will rely on this, so a password alone is no longer enough.

What is Two-Factor Authentication?

Two-Factor Authentication (2FA) combines the SFA piece with another layer that is delivered in real-time to the user looking to gain access via a Possession factor. This can be a security code that is emailed or, sent through text messaging via SMS message. These codes are often for one-time use, and will expire within a time limit after being sent. As factors are added to the process Multi-Factor Authentication is created.

Multi-factor authentication provides enhanced member account security compared to a password only approach or answering security questions. The focus of 2FA is to make it difficult for cyber criminals to get the second authentication factor and drastically reduces their chances to succeed.

Depending on what your core processor offers, ideally you want to be able to customize and define the member authentication factors that you apply so that they fit with your member experience and technology available.  

As eCommerce services increase in use, it is up to your credit union to provide adequate safeguards for your member information to prevent fraud and theft. Learn more about Two-Factor Authentication Services with FLEX by clicking below.