License: Creative Commons image source
Companies doing business today are facing a technology paradox – advances in tech make it easier to conduct business, while simultaneously making it easier for black hats to steal money and sensitive data. On one hand, the Internet and “smart” devices, such as phones and tablets, provide advantages in marketing, distribution and customer service far beyond what was possible just a couple of decades ago.
On the other hand, these same technologies have opened the door to a much greater risk of fraudulent transactions. The Digital Revolution truly has transformed the way we do business, but the fact that data now travels as electronic zeroes and ones, allows thieves half a world away to access sensitive information and accounts almost as conveniently as the actual authorized users.
In response to the increase in security breaches, stronger authentication methods have been developed to better safeguard customer data and pre-emptively stop theft. The type of authentication chosen by each business largely depends on its specific industry and the sensitivity of the data it stores.
Here are some of the things businesses need to consider in order to best choose their authentication solutions:
- How important is the customer service experience, relative to the security need? Requiring shoppers to provide a biometric retina scan would turn away just about every consumer on a typical e-commerce site, but it would probably be acceptable for a six-figure bank transfer conducted at a branch, even if it is inconvenient.
- What is realistic from a cost perspective? USB tokens providing one-time passwords are expensive, and are probably a bit overboard for small businesses that don’t retain a lot of sensitive customer data, like social security numbers.
- How scalable is it? Physical authentication methods require manufacture and delivery of the items, making them subject to supply issues and travel time, whereas purely digital or telephone-based systems are infinitely scalable and instantly deployable.
Keeping those in mind, following are some authentication methods that might appropriate choices for specific industries.
E-commerce
E-commerce sites suffer from “shopping cart abandonment” if there are too many barriers to completing a transaction. As such, one choice that might provide adequate security while maintaining a positive customer experience is out-of-band authentication. Out-of-band uses a separate channel to authenticate the user and authorize a specific transaction, especially a high-dollar one, via a telephone call, text message, or dedicated app on a portable device, such as a smartphone.
The benefit of this methodology is that most customers keep their phones with them at all times, making the authentication process relatively simple and convenient.
Healthcare
The move towards computerized medical records leaves personal data vulnerable to remote intruders capable of bypassing a typical username/password protection scheme. In this case, a multi-factor authentication plan can be utilized to augment the basic login with an additional step, such as a biometric scan.
One feasible biometric solution would be to require a voiceprint match, as the user can simply speak into an inexpensive microphone attached to a home or office computer. Voiceprints are as unique as fingerprints or irises, but are more practical as they do not require specialized hardware such as finger or eye scanners.
Financial Services/Banking
Financial service companies, such as banks, brokerages and mortgage companies need a tremendous amount of security to protect both the finances and identities of their clients. In this case, the more robust the solution, the better, even if it proves slightly inconvenient.
To that end, a token, such as a one-time password-generating (OTP) one like the popular RSA secureID devices, can prove effective to authenticate financial professionals. Any hacker would have to possess not only the login credentials of the user, but also the physical token, as each OTP password only has a life of about 60 seconds before it can no longer be used to log in.
As can be seen, different industries require different solutions, and all must consider the end user experience. Too much security will cause users to leave a web site. Too little, and breaches happen. Finding the right balance is a tricky proposition indeed.
Robert Coulter works in the security industry for Authentify, a Chicago based firm that offers authentication methods for a wide range of industries.
