Billions of dollars are spent on legacy perimeter-based security annually, yet data breaches and theft continue to accelerate. These security risks are among the threats that institutions, especially those dealing with finance, need to address. Not only will solutions protect the organization itself, but they will also ensure the trust and safety of consumers – a top five 2022 priority among VP, C-suite and other enterprise executives.

Going Password Free

For many years, we have been relying on the use of passwords and knowledge-based-access (KBA) to verify user identity before granting system access. With its addition, while MFA has helped in protecting users against many types of attacks, the attack strategies of criminals evolved to find additional ways to take over accounts and conduct data breaches and identity theft.

Modern, phishing-resistant authentication (also referred to as “passwordless authentication”) is now a leading priority to improve security. Generally, it involves a consumer-centric approach to verify user identity without the need to capture, store and transmit passwords, personal secrets and other sensitive user data. This modern authentication approach involves cryptographic keypairs combined with one-time passwords (OTPs) and device-level biometrics that verify users on devices requesting access to digital services in a way that dramatically decreased user friction related to account setup and sign-in.

The advantages of going password-free can be experienced by both the institution and the users. As it offers dramatically reduced user-friction with defense-grade security, both the user experience and enterprise performance improve significantly. Enterprises implementing modern, phishing-resistant identity and authentication report authentication success rates of 99.5%, speed improvements in account signup and authentication of 50% or more and decreases in CSR calls and password resets of 60% or more. Both users and enterprises report dramatically improved consumer satisfaction in high value operating environments and payment transactions.

Nok Nok and Passwordless Authentication

Joining multiple members of the financial technology industry, Nok Nok participated in the recently conducted Authenticate 2021. Aside from being a participant, Nok Nok also served as a presenter.

During the presentation, attendees have seen some examples of real-world applications of password-free authentication. These are all based on Nok Nok’s customers’ experience.

• Intuit TurboTax®: The partnership between Intuit and Nok Nok has addressed the former’s problem with a high level of friction during the creation of a new account. By leveraging the mobile App for passwordless Sign-Up, the company has seen a 10% increase in Sign-Up conversions. The Sign-Up time has also shown a 50% reduction.

• T-Mobile: Forgotten passwords and account pins are among the problems many users experience. By incorporating FIDO-based biometrics and out-of-band push authentication, there has been at least a 65% reduction in account recovery requests within three months.

• Fintech: Among the common problems causing friction to user experience is the complex login requirements, such as the use of passwords and SMS OTPs. Enhancing platform authenticators through FIDO passwordless authentication during web Sign-In, the Sign-In speed increased by 8x. Additionally, there was a 40% increase in users during the first month.

• Major Bank: Financial institutions are also increasingly targeted by cyberattacks, especially for fraudulent activities. The use of modern FIDO biometrics and application pins for secure access via a mobile app has helped reduce fraud incidents. The app user reviews rating has also seen an improvement. Since one-time password resets are dramatically reduced, OPEX costs of decreased SMS OTP were reduced as well.

• TEPCO Power Grid: Ensuring security is a must for the power grid. However, encouraging the use of complex passwords which are deemed “secure” slows down maintenance workers. To address this problem, Nok Nok and TEPCO leveraged modern web browser and device biometric authentication. Not only did this approach offer safe Sign-In experiences, but it also increased the speed and simplicity of account registration, account creation and sign-in as well.

Passwords have been used for many years to protect data and accounts. Despite being used for security purposes, using passwords is not always the best option. That is especially true when combatting cyber security threats. In fact, passwords can be seen as a weakness.

The Passwordless Authentication Path

Various risks come with the use of passwords. For example, users can forget about them. They are also easily compromised since many reuse passwords across different systems. Passwordless authentication is seen as a better alternative.

As the name suggests, password-free authentication includes the use of alternative authentication methods instead of relying on passwords. Common methods include the use of a secondary device or account for verification and biometric authentication.

Aside from reducing cyber security risks, going passwordless can help make reduce friction so that users will have a smoother experience. On the side of an institution, it helps reduce expenses. At the same time, it can help increase sales or the number of users.

Implementing Password-Free Authentication For Cyber Security

There are different ways of applying passwordless authentication. It is also more complex than one may think. Depending on what a company chooses, it may require having dedicated development resources for a long time.

Fortunately, working with a trusted service provider can help organizations skip some steps. In fact, with the help of a service provider, organizations can easily implement passwordless authentication for their users.

What Nok Nok Has Learned

The passwordless journey does not happen overnight. That is one of the main points Nok Nok has pointed out in its presentation at Authenticate 2021. The reasons for this include existing systems and processes being deeply rooted in security practices. It also takes a lot to develop behavior change, which is something necessary to fully adopt passwordless authentication. Additionally, the passwordless journey is typically included in a larger digital transformation.

Nok Nok also shared some of its experiences in applying password-free authentication in systems from different institutions. Based on the results of these partnerships, Nok Nok is proud to share that all companies have seen success.

Among the most notable statistics include the following:

• 10% improvement in onboarding success
• 50% reduction in onboarding time
• 6% increase in sign in success
• 78% increase in sign in speed

Going password-free comes with many benefits for both the institution and end-users. However, it is important to ensure proper implementation.

If you want to learn more about safer authentication techniques for better cyber security, contact us at Nok Nok.

Cybersecurity is one of the pressing issues that the United States is facing. Threats affect the government, organizations, institutions, and even individuals.

The Identity Theft Resource Center (ITRC) said there were 1,291 data breaches publicly reported in the U.S. from January to September 2021, affecting about 281 million individuals. In comparison, this total is 17% more than the recorded breaches during the same period in 2020.

Government Efforts: The Federal Zero Trust Strategy

To address this problem, the government looks for ways to improve cybersecurity. On January 26, 2022, the Federal Zero Trust Strategy was released. The Office of Management and Budget (OMB) published the strategy as Memorandum M-22-09. Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.

This move aims to promote a better security approach through government-wide efforts, setting a new baseline in terms of access controls. An important point to highlight is the prioritization of using phishing-resistant multi-factor authentication (MFA). Additionally, there is also a need to consolidate identity systems for improved protection and monitoring.

Understanding the Strategy

At the core of the strategy are two main focuses — the vision and actions on identity.

Generally, staff members of government agencies have to use enterprise-managed identities to get access to applications used for work. Phishing-resistant multi-factor authentication must be in place to protect said personnel against more sophisticated cyberattacks.

Three actions must be taken.

First, the agencies should have centralized management systems for users. 

Second, they should use strong MFA throughout the organization. Specifically, all agency staff members, contractors, and partners have to use phishing-resistant MFA. Meanwhile, public users should be given this option. Furthermore, it should not be required to use special characters for passwords or have regular password rotation.

Third, agencies should consider having at least one device-level signal when giving users authority to access resources. This signal is additional security alongside identity information about the authenticated user.

The FIDO Standard

Through the announcement of the strategy, the federal government also encouraged using FIDO2 standards. Thus, further recognizing the FIDO Alliance’s efforts to promote the use of phishing-resistant multi-factor authentication and reduce people’s over-reliance on passwords.

The FIDO2 is FIDO Alliance’s newest set of specifications. It includes Web Authentication (WebAuthn) specification and Client-to-Authenticator Protocol (CTAP). Learn more about the FIDO2 Project here.

The U.S. Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) recently released its updated multi-factor authentication (MFA) guide. In it, the CISA also flagged FIDO as the gold standard for MFA.

FIDO Alliance, an open industry association that aims to develop and promote authentication standards, welcomes this development. The update is aligned with FIDO’s mission of reducing the over-reliance of the world on passwords. With this and the new Federal Zero Trust Strategy, the U.S. government is seen to send a clear message that the use of FIDO standards is preferred.

Understanding MFA: What It Is

Authentication is one way of ensuring cybersecurity. It is the process of validating a person’s identity and credentials, ensuring that they are who they claim to be. To further strengthen security, multi-factor authentication was introduced. It is also known as two-factor authentication. 

As the name suggests, it includes a combination of authentication methods. For instance, a user wants to access their bank account online or through their bank’s mobile app. They will have to go through MFA, which uses knowledge, possession, or traits.

Having multiple steps makes it harder for hackers to crack, steal, or compromise accounts.

Enabling MFA

The CISA offers a detailed guide — from the planning to the execution phase. Organizations can use this to strengthen their authentication process. 

Its latest update on the MFA guidance, however, emphasized ways of enabling MFA. Among the different forms of authentication that the agency enumerated are text message (SMS), email, authenticator app, and push notification.

Additionally, the CISA mentioned the use of the FIDO key. 

Fast Identity Online (FIDO) refers to a set of standardized authentication protocols that can help ensure cybersecurity while reducing reliance on passwords. It is built into the major browsers and phones. Meanwhile, the FIDO key refers to a portable security key. It is a hardware device to be used as an additional authentication method as part of an MFA. You can think of it as an encrypted version of your house key. 

Using these security measures can help make it more difficult to access information. It is especially needed nowadays as passwords and usernames are often compromised by various attacks like phishing and more sophisticated password cracking techniques.

Furthermore, CISA recommended using multi-factor authentication on email accounts, financial services, social media accounts, online stores, and even on gaming and entertainment streaming services. The agency also encouraged consumers to request companies and organizations to enable MFA for better security. 

As technology advances, so does cyberattacks. Hackers find more sophisticated ways to overcome cybersecurity. To protect data and information systems, organizations use authentication.

What It Is

Generally, authentication refers to the process of recognizing user identity. It is often seen at the start of applications.

Different credentials may be involved. These can be categorized into three. 

The first one is knowledge. The application or system will ask for something the user knows. It can be a PIN or a password.

The second category is possession or something that the user has. It can be an authentication application or SMS-based one-time passcode (OTP).

The third type is traits. This one refers to something that verifies who the user is, such as a face scan or fingerprint. 

Different Authentication Methods

For cybersecurity, the best approach is to have multi-factor authentication or what some may know as two-factor authentication. However, only 2.3% of Twitter active users are using this method as reported in the social media company’s Account Security Report.

Among those who said they take advantage of two-factor authentication, 79.6% use SMS-based OTPs. The problem is that SMS is one of the least secure methods of authentication.

It is important to understand that not all multi-factor authentication systems are the same. Some utilize more secure methods than others. To better understand this, it is necessary to get to know some of the authentication methods often used in two-factor authentication.

• SMS-based OTPs: Having SMS-based authentication implements multi-factor authentication. However, it is seen as the least effective when it comes to preventing common cyberthreats and attacks, including SIM swap and phishing. It is also not the most convenient method.
• Authenticator Apps: The user installs an authenticator app, which continuously generates new codes to show proof that the user owns the device tied to their account. While it may be better than SMS, using authentication apps is still open to the risk of getting intercepted through phishing and advanced attacks. 
• Security Keys: These refer to physical authentication devices. The user will connect to their device through Bluetooth, NFC, or USB. The security key will serve as their proof of identity when trying to access an application or website. To ensure maximum protection, having security keys that are up to FIDO standards is the best option. 
• Biometrics: Biometrics refers to a trait unique to the authorized user. It can be a face scan or fingerprints. On-device biometrics that follows FIDO standards do not only offer convenience but also have phishing-resistant technology.

To further improve cybersecurity, organizations and service providers must offer simpler but better authentication options. Then, the next step is for them to convince their users and clients to enable two-factor authentication. 

The growth of cryptocurrency has continued despite the challenges the economy has been facing during the year. However, this welcome development in the industry has also opened the eyes of more cybercriminals.

Security Challenges and Problems

Research from Crypto.com showed global cryptocurrency adoption growing to 221 million by June 2021. That is almost double the number recorded in January 2021. 

This growth has also caught the eyes of cybercriminals. In 2020, there were 122 blockchain-related attacks recorded. These led to the theft of almost $3.78 billion.

These attacks show weaknesses when it comes to the security of cryptocurrency investment accounts. 

Generally, an interested individual sets up an account. They use passwords or another knowledge-based authentication (KBA). While these seem enough, that is far from the truth. Both authentication methods are unfit to protect high-value accounts.

Passwords can be compromised. One of the most common techniques cybercriminals use is phishing. It is when the account owner is tricked to provide personal information that the criminals can use to access the account. 

Other possible problems a user can encounter when using KBA include forgetting key information, availability of personal information on social media, and data leaks. Another way is for the criminals to buy credential pairs and personal data from the dark web.

Better Security with Multifactor Authentication

For better security, some use two-factor authentication. For example, you can have a one-time passcode sent to you through SMS. However, cybercriminals have also seen through this method. Some attackers use SIM swapping or SMS relay service to get access to the code being sent to the user.

So, instead of using KBA, it is better to have possession-based authentication. That is when login credentials are stored on the physical device the account owner uses to log in. A good example of this is a smartphone.

Many crypto exchanges are already using possession-based authentication. To ensure protection, they even adopted FIDO authentication standards.

That said, standardization of authentication protocols is only one of the things that can help solve security issues in the cryptocurrency industry. Consistency is of great importance. Additionally, having multifactor authentication will also help a lot. 

The Nok Nok Guarantee

At the forefront of passwordless authentication is Nok Nok Products. Nok Nok is one of the FIDO co-founders. It offers solutions, such as multifactor authentication, to help secure digital payments and transactions. 

Contact Nok Nok to learn more about the best cyber security solutions.

Advancements in technology have helped make day-to-day activities easier to accomplish. However, they may also pose challenges and risks. That is why, now more than ever, risk management is vital for organizations. That is especially true for those in the financial sector. Having the 3LoD (three lines of defense) model can help. However, organizations have to make sure they can keep up with the demands of the industry as a whole and cyber security.

Going Digital

New technologies are introduced to us constantly. Knowing which ones offer the most benefits to make functions and transactions more seamless is vital. 

For instance, approaches to the 3LoD model can vary depending on the needs of the company. While the traditional option is more on the functional side and is silo-based, many companies are going for different approaches. One of these is the digitized method.

The digitalization of the risk management approach helps organizations view risk functions based on their ability to drive change, generate value, and satisfy the rising expectations of customers. The main objective of the 3LoD framework, which is to protect the organization from various risks, like cyber security, remains. Central to this is trust.

That said, it is important to ensure that risk management tactics do not add friction, slow processes, or deter innovation. They must be able to add value for clients while creating trust at the same time.

Digitalization in Action

There is no denying that digital transformation is where the trend is going. It is seen in many industries. In the financial sector, there are various forms of digital transformation in different subsectors of financial services. However, perhaps the one that is gaining momentum is the banking-as-a-service (BaaS) construct.

Many fintech companies and banks have adopted innovations that will allow them to engage with their customers in deeper and more meaningful ways. Thus, transforming the way banking is done. 

For instance, traditional banks are now offering digital experience platforms. Mobile banking has increased, and new payment methods were introduced.

Addressing Needs And Cyber Security

With the COVID-19 pandemic, many regulators accelerated the shift towards asking financial service providers to identify the most important business services they offer, consider vulnerabilities broader than IT and cyber security failures, and assume possible severe systemwide threats that could lead to the failure of said services.

Risk management approaches are seen to need a more holistic approach that not only focuses on strengthening technology infrastructures and information security, but also addressing cyber security threats. At the same time, they should be able to enhance key touchpoints. For instance, they have to streamline the process to open an account. Additionally, risk intelligence should allow organizations to make quick decisions and improve their effectiveness and efficiency.

Digitalizing key risk management capabilities will not make 3LoD irrelevant. Instead, it will help strengthen it for better results.

The introduction of blockchain technology has opened doors to new opportunities. It helped make data sharing easier and secure. However, it can be vulnerable to cyber security attacks.

What It Offers

Blockchain technology was created to provide a decentralized distributed ledger that records digital assets. A single ledger gives access to thousands of connected computers and servers. With this, a user can complete transactions without the involvement of a third-party intermediary.

Here is how it works:

• A user creates a transaction using a blockchain network
• A block will then be created. It represents the creation of the transaction.
• The requested transaction will be broadcasted over the network that will validate it. The peer-to-peer network is made up of computers, which are called nodes.
• The verified transaction will be combined with other blocks. Thus, creating a new block of data for the said ledger.

There are various types of verified transactions. These include any valuable information shared in the ledger, contracts, cryptocurrency, and records.

Blockchain Technology and Cyber Security

While blockchain aims to provide a secure environment, it can still be vulnerable to attacks involving cybercriminals.

One of the most known applications of blockchain technology is cryptocurrency. The industry has been seeing growth in the past few years. However, it has also become a target of many cyberattacks.

For instance, the Poly Network platform has experienced the biggest crypto heist ever. Hackers successfully stole around $600 million in cryptocurrency from the decentralized finance (DeFi) platform. 

While the stolen funds were returned, the theft highlighted a vulnerability in the platform’s security features. 

Reducing Risks with Better Security

The Poly Network is only one incident among multiple thefts targeting blockchain. That is why cyber security is vital. Platforms must ensure proper protocols are taken to protect their users.

One form of protection is to get insurance. In the crypto industry, some insurance providers offer coverage for asset owners. That said, insurance comes with limitations. Aside from availability issues, there is a lack of legal and regulatory clarity in the insurance of crypto assets. Some platforms also conduct stability initiatives to strengthen their customer protection systems. 

Three steps can help with this. 

First, there is a need for better regulation, especially when an entity reaches a certain size. 

Second, developers should take extra caution. For instance, they can get audits for every project. 

Third, users should practice self-protection. This step is crucial. After all, many hacks and scams succeed due to the vulnerability of the users to attackers.

Do you want to stay updated on cyber security and authentication solutions? Subscribe to Nok Nok now.