Passwords are our weakest link in the fight against cybercrime. In 2017, 81% of hacking-related data breaches leveraged either stolen, weak or guessable passwords according to Verizon’s Data Breach Investigations Report.
The numbers don’t lie — businesses need to stop relying on passwords to keep consumers secure and bring an end to soaring fraud rates. To help do this, companies like Google and Facebook are adopting FIDO standards to improve their authentication process and provide better experiences for their customers. The standards were created by the FIDO Alliance to keep fraudsters out, improve user trust, and deliver smooth login experiences.
Adopting FIDO standards is a step in the right direction, but practitioners need to consider where most fraud is really happening: after the login. It may be surprising, but 100% of fraud occurs in authenticated sessions — which means that simply implementing FIDO as a one-time identity verifier will not deliver the desired, continuous security inside a session.
A truly passwordless future requires passive, ongoing authentication from login to logout, to deal with threats like malware, robotic attacks, social engineering and other remote access attacks.
FIDO Standards: Getting to a Passwordless World
FIDO has two universal frameworks for stronger authentication: FIDO UAF, which delivers a passwordless experience, and FIDO U2F, which offers an option for second factor authentication. Both are based on public key cryptography to secure users at login and prevent the use of stolen passwords.
Instead of using a password to log in, when a user registers with an online service, their device creates a “key” to identify their account. The user then has the option to choose how they want to authenticate going forward, for example, using a fingerprint reader on their mobile phone. From then on, all the user has to do to log in is use their local form of authentication to prove possession of their unique key.
FIDO standards are a big step forward for securing login on the device level. A user’s login information never leaves the individual’s device. Credentials are never sent to or stored by a company a user transacts with. This protects users’ privacy and safeguards login credentials from criminal access. It also eliminates the need for consumers to remember lengthy passwords that are easily hacked.
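As an added illustration that is not part of this post or of any FIDO implementation, the registration and login flow described above reduced to its core in Go with Ed25519 (the names `register`, `newChallenge`, `sign` and `verify` and the 32-byte challenge size are this example’s own choices): the device keeps the private key, the service stores only the public key, and each login signs a fresh challenge, so a captured assertion cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Relying-party record: only a credential handle and the PUBLIC key are kept.
type credential struct {
	id  string
	pub ed25519.PublicKey
}

// Authenticator state: the private key is created on the device and never leaves it.
type authenticator struct {
	priv ed25519.PrivateKey
}

// register: the device generates a key pair and hands the service only the public half.
func register(id string) (*authenticator, credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, credential{}, err
	}
	return &authenticator{priv: priv}, credential{id: id, pub: pub}, nil
}

// newChallenge: a fresh 32-byte nonce per login, so a captured signature is worthless later.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// sign: the "prove possession of the key" step; the local unlock (fingerprint, PIN)
// that would gate this on a real device is omitted in this toy.
func (a *authenticator) sign(challenge []byte) []byte {
	return ed25519.Sign(a.priv, challenge)
}

// verify: the service checks the signature over ITS challenge with the stored public key.
func verify(c credential, challenge, sig []byte) error {
	if len(challenge) != 32 || !ed25519.Verify(c.pub, challenge, sig) {
		return errors.New("assertion rejected for " + c.id)
	}
	return nil
}
```

Note that nothing secret ever reaches the service: a breach of its credential store yields public keys only, which is what makes stolen-credential reuse impossible in this model.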
However, to truly defeat fraud, businesses need to go beyond to secure sessions from login to logout.
Continuous, Next-Level Authentication with Behavioral Biometrics
Continuous authentication eliminates passwords by analyzing behavior patterns to ensure that a previously authenticated user is the same person throughout the lifetime of a session. It’s not how a user logs in to a session, but their interactions with a device or an application in real-time.
Based on user profiles, continuous authentication uncovers fraud by picking up on suspicious behavior during a session. Every person, RAT or malware attack interacts uniquely, meaning abnormal behavior is a giveaway for fraud in progress.
All this takes place in the background, so users are secured without the disruption of escalations for further authentication. Behavioral biometrics provide the security businesses need to phase out passwords once and for all, detect and prevent fraud, and provide less-obtrusive user experiences.
Case Study: Samsung SDS Adds Behavioral Biometrics to FIDO-Compliant Authentication Solution
Samsung SDS America is leading the way toward a passwordless future within the mobile banking and payment applications space. To better secure users, Samsung SDS integrated behavioral biometrics into Nexsign, their FIDO-certified biometric authentication software platform.
As we know, fraud occurs after login, and FIDO without continuous authentication is not enough to stop cybercrime. By incorporating BioCatch behavioral biometrics, Nexsign can flag fraudulent behavior that occurs within authenticated sessions and still operate within the boundaries of FIDO compliance. The BioCatch solution monitors more than 2000 behavioral specifications during a session, ensuring that a mobile user is in fact who they say they are. Should fraudulent behavior be detected, the system will require a step-up authentication through an additional biometric test, like fingerprint paired with face or voice recognition.
This capability is a major differentiator for Samsung SDS in an increasingly mobile world. First, entities that build solutions with the Nexsign SDK will be able to detect and stop fraud throughout the entirety of a session, after login. Second, consumers will experience seamless authentication with biometrics, rather than passwords, and with even better security.
Learn more about why banks are turning to biometrics for authentication as passwords continue to fail in our webinar with Samsung SDS and Thomson Reuters.
The steady drumbeat of data breaches and rising rates of fraud as a result of password failure mean that businesses know current authentication processes are flawed. It’s time to take action.
Learn how BioCatch can eliminate your company’s reliance on passwords and secure user sessions from login to logout with continuous authentication.