The username and password began to appear with technologies back in the 1960s although some might say they even date back two thousand years.
Over the past half century we have also added more security systems for banking. The start of change was when we introduced a 4-digit PIN for getting cash. Funnily enough the inventor of the ATM thought this would be hard for people to remember.
The ATM made its debut at Barclays’ Enfield Town branch in north London in June 1967. Its invention is credited to British inventor John Shepherd-Barron, and was first launched with Barclays Bank back in 1967.
But the PIN wasn’t invented by Shepherd-Baron himself, but by his wife. Originally, he had suggested a 6-digit PIN, but his wife Caroline said that a 6-digit PIN was too difficult to remember, and she could only remember 4-digits. That’s why most cards today have a 4-digit PIN.
Obviously, over time, technology has developed to the stage where we are far more advanced. Or are we? In the 2020s, surely passwords and PINs are dead? The issue is that they are too easily cracked.
Today, most of the time, we are asked for a username and password. People often forget passwords or use the most basic ones, like Password1!. As a result, for many, their usernames and passwords can easily be hacked. The same with a PIN like 1234.
Therefore, it is interesting that banks introduced additional security, such as key fobs with one-time passwords (OTP) for improved authentication. Called two-factor authentication (2FA), many customers did not like such security keys as it added additional work to access their bank account, but then others appreciate it makes the bank more secure.
However, it still did not overcome the exposures to access, as criminals are pretty clever at working out ways to break into the bank as that’s where the money is.
Luckily, smartphones introduced biometric authentication using finger and, more recently, facial recognition. In addition, smartphones allowed authentication based upon location, as does the internet. You can identify where a customer is physically accessing the bank, alongside their movements. And so other layers of verification came along. Between username and password, PIN, OTP, 2FA, biometric identification and location tracking, you would think that banking would be fully secured. After all, we now have multi factor authentication based upon something you know – a PIN – something you are – biometrics – and something you have – a token.
Three factor authentication should be lock-tight and yet, even so, people still get scammed. Sometimes it is because they give away details to strangers, accidentally allow information to be shared and find they lose money. However, there is a solution that goes beyond just adding an extra layer of security…behavioural.
The aim of behavioural authentication mechanisms is to make things seamless and easy. Rather than having systems, robust as they are, that are user dependent and end up interrupting the user from their transactional flow to execute verification, the aim is to be transparent, easy and seamless. In other words DBA is not another layer of authentication, but an alternative to today's authentication mechanisms, where verifications happen in the background using data captured about the user.
Behavioural authentication has been around for a while. Some years ago, technology firms were offering banks security services based upon how the user used their keyboards! Equally, many years ago, I was talking with firms about how to look at multi-authentication techniques, and these have developed a long way since.
WSO2 talks about data-driven behavioural authentication (DBA) as a promising solution that relies on identity verification automatically performed using large amounts of customer data that's already captured through the banking process, instead of interrupting the user for multiple verifications.
How does it work?
DBA uses data captured about the customer online and compares it with historical data to verify the customer's identity, instead of asking the user for authentication information. Verification happens while the customer is digitally engaging with the bank, but as a background process so that the customer continues to consume financial services without frequent interruptions. DBA also paves the way for personalisation through the customer profile that is created for verification.
In other words, by creating a digital profile of customers through the data they share about their behaviours online and through their smartphone, a bank can authenticate without all of the overheads of the customer experience having to enter PINs, passwords and other details. Alternatively, DBA can be used as an addition to such other security methods. It is the bank’s choice.
You can read more about DBA here, and it is clear this makes banking better for both the bank and the customer.
Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News. To learn more click here...