For Net Banking transactions, OTP continues to be a very popular 2-factor authentication mechanism. The primary device being used is a desktop computer or a laptop. The one-time password is sent to a completely different device (out-of-band) and hence serves as a strong 2FA approach. For Mobile Banking transactions, the primary device used for the transaction and the device receiving the OTP are the same. So, this is not out-of-band. Hence it may be considered a weak 2FA approach. How do different companies resolve this problem?
One of the earliest and perhaps most reliable mechanisms is to use a Hardware Token. This HW Token can generate a random OTP even while not connected to any network. This random OTP is compared at the server to check whether the HW Token indeed belongs to the same person. If the mobile is the primary device, the HW Token becomes the second device. Hence it is out-of-band and therefore serves as Strong 2FA.
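As an added example (not code from the original article), this is the server-side check described above: the token's offline OTP is recomputed with RFC 4226 HOTP and matched within a bounded look-ahead window. The seed is the RFC's published test-vector key, standing in for a real token's provisioned seed.

```python
import hmac
import hashlib
import struct

# Constructed demo seed: the RFC 4226 test-vector key (ASCII "12345678901234567890").
# A real token's seed is provisioned at manufacture and held only by the token and the bank.
DEMO_SEED = b"12345678901234567890"
LOOK_AHEAD = 5   # how far past the stored counter the server will search
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenRecord:
    """Server-side state for one enrolled hardware token."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0   # next counter value the server expects


def verify_token_otp(record: TokenRecord, submitted: str) -> bool:
    """Check an OTP typed from a hardware token against the server's copy of the seed.

    A bounded look-ahead window lets a token whose counter drifted ahead (button pressed
    without completing a login) resynchronise, while a counter at or below the last
    accepted one is never matched, so a captured OTP cannot be replayed.
    """
    for candidate in range(record.counter, record.counter + LOOK_AHEAD + 1):
        if hmac.compare_digest(hotp(record.seed, candidate), submitted):
            record.counter = candidate + 1   # advance past the value just used
            return True
    return False
```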
There are other possible approaches such as Fingerprint Authentication, Iris Authentication, Face Recognition Authentication, Voice Biometric Authentication, Cardiac Parameter Authentication, FingerVein Authentication etc. In all these cases, the approach is to add a factor: “What you are”. One of the dangers of the “What you are” method of authentication is that it is permanent and cannot be changed. All biometric parameters are attached to the person and hence cannot be altered. If compromised through any weak link, this biometric parameter suddenly becomes the weakest authentication link and can be an entry point for fraudsters. Hence a biometric-only method of authentication is not preferred by end-users for critical financial transactions.
Yet another approach would be to combine two different biometric parameters intelligently, e.g. Voice Authentication combined with Face Recognition, or Iris Authentication combined with Fingerprint Authentication. Let us assume that two different biometric parameters will not be compromised simultaneously unless brute force is used, such as kidnapping a person and forcing him to part with these parameters. The combination of two biometrics may find high acceptance amongst banks, vendors and regulators since it raises the bar and makes it more difficult to commit fraud.
If two biometric parameters offered by two different vendors are to be managed intelligently based on context, profile, history, location, device etc., we may need a third entity or service provider to provide the required orchestration, business rules, usage statistics and billing. Such service providers come under the category of AaaS (Authentication as a Service). The primary role of AaaS vendors would be to answer the vital question, “who are you?”, using the best possible verification and identification methods. Identity Access Management (IAM) can be defined as the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
In the long run, Mobile Banking vendors who have experience in implementing IAM or an Authentication Service are likely to be more successful than others, since this has a direct bearing on customer confidence, fraud prevention and hence a higher limit for mobile-based transactions.
Mr. Chandrashekar Rao has over two decades of experience in Telecom, Software and IT Product Development. He is an M. Tech in Communication Engineering from IIT, Mumbai and is a specialist in Mobile Banking product development & delivery.