The Importance of Decoupling MFA & Channel Independence for your Business

Authentication experiences

Consider a typical banking customer’s reaction to the sum total of their authentication experiences. More often than not, their authentication will differ across the various service delivery channels.

  • Internet Banking asks for a username and password
  • Mobile Banking asks for an App PIN or biometric (fingerprint, face, iris)
  • Telephone Banking asks for a passphrase that’s often forgotten or hasn’t been set up
  • ATM and Point-of-Sale terminals ask for a Card and Card PIN
  • Business Banking and high-value payments ask for a smartcard or security token
  • Contactless payments ask for a Card Tap, Phone Tap or Smartwatch Tap
  • Card-Not-Present eCommerce payments ask for the Card number, expiry and the CVV number printed on the back

Authentication experiences vary and multiply as the customer uses more services delivered through different and new channels. But does it have to be that way? After all, aren’t they all trying to do the same thing – verify that it really is the customer at the other end?

This is not a new question. SSO and IDAM products do a good job of unifying the authentication experience on the internet browser-based ‘channel’, but they are inherently bound to that channel and therefore don’t solve the varying authentication experiences across ALL service delivery channels.

The same applies to the authentication experiences around cards for example – ATMs and Point-of-Sale terminals interact with the card as part of the authentication, but they too are bound to their channels – you can’t tap your card on your desktop to authenticate a login to Internet Banking the same way that you can tap your card on a POS terminal to authenticate a purchase. Nor can you type your IB username/password into a POS terminal to make a purchase.

For the most part, the function of ‘authentication’ has always been baked into the service delivery channel to secure the interaction with the customer. So the challenge is to decouple the authentication from each channel and have a common authentication experience.


‘Channel independent’ authentication

As the title suggests, what I’m alluding to is a ‘channel independent’ authentication experience. A single dedicated authentication channel with a single authentication experience that is common to all the various service delivery channels.

The customer’s authentication experience is the same whether it’s Internet Banking, Mobile Banking, Telephone Banking, ATM, POS, or e-Commerce. A single authentication experience means –

  • A better customer experience. Infrequently used channels use the same authentication method – no more forgotten telephone banking passphrases and helpdesk calls to reset passwords
  • No more customer circumvention of security to avoid undesirable authentication experiences
  • No more customer abandonment to avoid the authentication experience
  • Future proofing for new channels and service delivery methods where the authentication is already in place for the new channel to use for rapid deployment

“Dry land is not a myth…I’ve seen it!”— The Mariner from Waterworld

So can this be done or is this all theoretical?


Yes indeed, it can be done. In fact, with current technology and customers’ willingness to adopt it, supporting a channel independent, decoupled authentication experience is fairly straightforward.

The requirements on the ‘technology’ side are –

  • Decoupling from the service delivery channel
  • A security device that the customer is always going to have with them
  • Two-way direct communication between the bank and the customer’s security device
  • Robust, free-format authentication details in that two-way communication, so that any authentication use case from any channel can be carried
  • Meeting the security requirements of all channels relying on it
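To make the requirements above concrete, here is an added example (not code from this post or from SALT’s product) of a minimal dedicated authentication channel: any service delivery channel submits free-format details, the bank pushes a one-shot challenge to the customer’s device, and the device signs exactly what it displayed together with the approve/decline decision. The customer id, channel names, symmetric per-device key and 120-second lifetime are constructed assumptions.

```python
import hashlib, hmac, json, secrets, time

# Constructed sample: one symmetric key per enrolled customer device (hypothetical).
# A real deployment would provision per-device asymmetric keys at enrolment.
DEVICE_KEYS = {"cust-001": secrets.token_bytes(32)}


def canonical(challenge, approved):
    """Serialise exactly what the device displayed plus the customer's decision."""
    payload = {"challenge": challenge, "approved": approved}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def device_sign(key, challenge, approved):
    """Device-side MAC over the displayed details and the approve/decline decision."""
    return hmac.new(key, canonical(challenge, approved), hashlib.sha256).hexdigest()


class AuthChannel:
    """The single authentication channel shared by every service delivery channel."""

    def __init__(self, device_keys, ttl_seconds=120):
        self.device_keys = device_keys
        self.ttl = ttl_seconds
        self.pending = {}

    def request(self, customer_id, channel, details):
        """Called by any channel (IB, ATM, POS, 3DS, ...) with free-format details."""
        challenge = {
            "id": secrets.token_hex(8),
            "customer": customer_id,
            "channel": channel,
            "details": details,
            "nonce": secrets.token_hex(16),
            "issued": int(time.time()),
        }
        self.pending[challenge["id"]] = challenge
        return challenge  # pushed to the customer's device out of band

    def verify(self, challenge_id, approved, mac):
        """Accept once, within the TTL, and only if the MAC covers the stored challenge."""
        challenge = self.pending.pop(challenge_id, None)  # one-shot: blocks replay
        if challenge is None or time.time() - challenge["issued"] > self.ttl:
            return False
        key = self.device_keys[challenge["customer"]]
        expected = device_sign(key, challenge, approved)
        return approved and hmac.compare_digest(expected, mac)


def device_respond(key, challenge, approved=True):
    """Customer device: show the details, record the decision, sign what was shown."""
    return challenge["id"], approved, device_sign(key, challenge, approved)
```

Because the signed payload includes the channel and its details, a challenge whose details were altered after the customer saw them, a replayed response, or a decline all verify as failures at the bank, regardless of which channel raised the request.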

In terms of technology, there are mature products in the market that can implement this; often it is a case of re-purposing products already in use. The harder part is adopting the concept of an ‘independent channel for authentication’ and a single authentication experience.

It would be remiss not to mention SALT’s Safetronic product capability in this area given one of the key use cases is as an ‘independent channel for authentication’. We’ve been talking about this concept as far back as the ‘Jurassic’ era for mobile phones when Nokia dominated. Fast forward to today where Safetronic is deployed in the field as an independent channel for authentication for Internet Banking, Mobile Banking, ATM and eCommerce 3D-Secure.