Fintech runs mostly on cloud and mobile platforms in order to reach a wide range of customers. Recently, I was asked to create a technical solution for authentication for a cloud-plus-mobile fintech solution for the SMB market.
User authentication is a key security feature for this fintech platform. It is therefore important to document the key points in identifying the requirements and the factors that drive the final solution.
Requirements have to be identified from three perspectives: strategic requirements, business user requirements and IT operations requirements.
On a side note, I had blogged on the need for Multi Factor Authentication as a Service in December 2011, and many of the points I noted in that blog are very relevant for Fintech services.
Strategic Requirements
From a Fintech point of view, the top priority for the authentication system is to meet security requirements, i.e., to reduce the risk of a breach. The cost of a security breach is much bigger than the immediate financial losses: the legal implications and the loss of customer trust can be a business killer.
The second most important strategic requirement is to lower costs. The main benefit of fintech is that it offers lower costs for financial transactions while speeding up the rate of transactions, so the cost of authentication is critical to the business plan. Low cost becomes imperative when we consider that IoT, robotics and automation systems will also use the same authentication system. This implies the authentication system must scale to support a very large number of users.
Today's Fintech solutions should disrupt existing financial processes, and this disruption is achieved by accelerating the rate of financial transactions. This forms the third strategic requirement for authentication systems: the solution must accelerate digital transformation.
In the automation and intelligent software space, robotic process automation tools, automation tools and cognitive computing solutions create change inside organizations.
The three strategic requirements can be summarized in one sentence: provide a low cost authentication system that is safe, secure and user friendly, and that can be used on multiple devices by users anywhere in the world.
In a nutshell, the authentication system must allow users to authenticate securely from anywhere, on any device they happen to use and over any type of network.
Existing Solutions & Legacy solutions
Having worked at EMC and used RSA's SecurID authentication system, I know the pros and cons of legacy systems.
I remember the days when CFOs would carry around a box full of SecurID fobs, one for each bank account, and then deal with the headache of tracking which SecurID token belonged to which account.
Legacy authentication systems work with traditional bank IT systems, and they are proven solutions. But in the new world of Fintech, these legacy systems are no longer useful: they are expensive, slow and cumbersome to use, and they slow down the rate of transactions.
Legacy two factor authentication solutions have their limitations: poor user experience, with hardware tokens/fobs, additional passcodes and sign-in steps. Moreover, the legacy systems are expensive to buy and operate, not counting the complexity of deploying, maintaining and administering the solution.
If Fintech is to truly disrupt existing workflows, we need to look beyond the standard two-factor authentication systems that use smart tokens, smartcards or hard tokens.
Fintech requires authentication solutions that are more secure and yet easy to use. The solution has to be highly scalable and still allow higher rates of transactions.
Today, Fintech solutions need to know more than just two proofs of identity to grant access to the system. They need to know the context and geo-location information in addition to a password and a dynamic password.
In a nutshell, legacy two-factor authentication does not work for Fintech. While we will still need two-factor authentication, the system must go beyond passwords/keys and also understand the user's context and the associated risks/vulnerabilities.
Next Generation Authentication System
Fintech services will need a cloud based authentication system that offers an Authentication-as-a-Service model, but it also needs to meet the following requirements.
From a Fintech point of view, there are three main categories of requirements.
1. Business Requirements
2. IT Requirements
3. User Requirements
Business Requirements
Fintech solutions need stringent security requirements that can meet new threats and opportunities. They will have to federate between multiple applications and services across the ecosystem of customers and partners.
From a business point of view, the cloud based authentication system must meet or exceed industry standards: OAuth 2.0, OpenID Connect 1.0, SAML and FIDO. Support for open identity and authentication standards ensures these requirements are met, and allows businesses to leverage their investments and integrate with legacy systems, external data sources and third-party cloud applications.
A cloud based authentication system allows the easy, frictionless experience that users expect. Cloud based systems also provide easy interoperability with third party systems/domains, which allows your company to operate smarter, create value and strengthen competitive advantage. The cloud based system should also scale to meet requirements as the business grows.
For a Fintech, the cost of the solution must be very low. As mentioned earlier, legacy hardware token based systems are too expensive. One-time passcodes (OTP) pushed over SMS can also generate quite high costs over time, and NIST recommends against out-of-band authentication using SMS.
It is important to allow customers to log in even when they are offline or on unreliable networks. This implies that the authentication system must have the intelligence to know the context of the user and choose the right authentication method.
Contextual and risk-based authentication is the key to lowering costs while improving customer experience. The authentication system must know the geo-location, time of day, IP addresses and device identifiers to assess the risk of an unauthorized login, and then apply adequate security policies to prevent breaches.
In short, intelligent context based authentication should provide strong, adaptive authentication.
For example, if a regular user's authentication attempt comes from a country outside the region of the last known geolocation, the system must trigger additional authentication/validation steps.
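As an added illustration of the contextual check just described (example code written for this page, not the author's design or any vendor's product), the following Python sketch scores a login attempt against what the service already knows about the user (last country, known devices, known /24 networks, usual login hours) and maps the score to one of three outcomes: allow with the password alone, step up to an additional factor, or block and route to manual verification. The user profile, the IP ranges, the signal weights and the thresholds are all constructed assumptions for the example.

```python
"""Contextual / risk-based login assessment: a toy policy engine.
Added illustration, not code from the original post. All profile data,
IP ranges, weights and thresholds below are constructed for the example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # password alone is enough
    STEP_UP = "step_up"    # require an additional factor before granting access
    BLOCK = "block"        # refuse and route to manual verification / escalation


@dataclass
class UserProfile:
    """What the service already knows about a user (constructed fields)."""
    user_id: str
    last_country: str            # ISO country code of the last successful login
    known_devices: set[str]
    known_networks: set[str]     # /24 prefixes seen on earlier successful logins
    usual_hours: range           # UTC hours in which the user normally logs in


@dataclass
class LoginContext:
    """Signals collected at the moment of the login attempt."""
    country: str
    device_id: str
    ip: str
    at: datetime


@dataclass
class Assessment:
    score: int
    reasons: list[str]
    decision: Decision


# Weights and thresholds are policy, not facts: tune them per deployment.
WEIGHTS = {"country_change": 40, "unknown_device": 30,
           "unknown_network": 15, "unusual_hour": 15}
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 70


def network_prefix(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so near-identical addresses match."""
    return str(ipaddress.ip_interface(f"{ip}/24").network)


def evaluate(profile: UserProfile, ctx: LoginContext) -> Assessment:
    """Score the login context against the profile and map it to a decision."""
    score = 0
    reasons: list[str] = []
    hour = ctx.at.astimezone(timezone.utc).hour

    if ctx.country != profile.last_country:
        score += WEIGHTS["country_change"]
        reasons.append(f"country changed {profile.last_country} -> {ctx.country}")
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append(f"unknown device {ctx.device_id}")
    if network_prefix(ctx.ip) not in profile.known_networks:
        score += WEIGHTS["unknown_network"]
        reasons.append(f"unknown network {network_prefix(ctx.ip)}")
    if hour not in profile.usual_hours:
        score += WEIGHTS["unusual_hour"]
        reasons.append(f"login at unusual hour {hour:02d}:00 UTC")

    if score >= BLOCK_THRESHOLD:
        decision = Decision.BLOCK
    elif score >= STEP_UP_THRESHOLD:
        decision = Decision.STEP_UP
    else:
        decision = Decision.ALLOW
    return Assessment(score, reasons, decision)


# Constructed sample profile: a regular user who logs in from India during the day.
SAMPLE_PROFILE = UserProfile(
    user_id="u-1001",
    last_country="IN",
    known_devices={"dev-A"},
    known_networks={"203.0.113.0/24"},   # RFC 5737 documentation range
    usual_hours=range(6, 23),
)


def sample_attempts() -> dict[str, Assessment]:
    """Three constructed attempts showing the three possible outcomes."""
    base = datetime(2017, 3, 1, 10, 0, tzinfo=timezone.utc)
    return {
        "routine": evaluate(SAMPLE_PROFILE, LoginContext("IN", "dev-A", "203.0.113.7", base)),
        "travel": evaluate(SAMPLE_PROFILE, LoginContext("BR", "dev-A", "203.0.113.7", base)),
        "suspicious": evaluate(SAMPLE_PROFILE, LoginContext("BR", "dev-Z", "198.51.100.9",
                                                            base.replace(hour=3))),
    }


if __name__ == "__main__":
    for name, a in sample_attempts().items():
        print(f"{name:10s} score={a.score:3d} {a.decision.value:8s} {'; '.join(a.reasons)}")
```

The "travel" attempt is exactly the case in the paragraph above: same device and network, but a different country, so the engine asks for a further factor rather than refusing outright. Only when several signals disagree at once does it block. The reasons list is kept alongside the score so that the decision can be logged and reviewed, which matters as much as the decision itself when a customer escalates.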
IT Requirements
The IT systems that manage and operate the authentication system are key to ensuring customer satisfaction and accelerating the digital transformation of financial services, which is the core value of Fintech solutions.
Fintech customers/users should be able to use any device, from any location, to get their work done. This implies that traditional mobile device management (MDM) solutions and VPN technologies will not work, as they are too rigid and do not scale rapidly.
A cloud based authentication system that can be centrally administered will be needed. Intelligent context based authentication would provide strong, adaptive authentication to users and partners, while providing adequate security for both the managed and the unmanaged mobile devices in use. Giving users access to the information and insights they need, when and where they need it, allows your company to operate smarter, create value and strengthen competitive advantage.
IT plays a very important role in the management and administration of the user authentication system. Web-based administrative access and policy/role based entitlements are a must to automate new user additions.
IT administration functions must be automated as far as possible, and allow self-service wherever feasible. The authentication system must also let IT administrators intervene using administrative bypass codes to help customers/partners when needed, such as during a customer escalation or when administrative intervention is required.
Authentication systems must also provide varied levels of trust, access and permissions. Support for role based access and web based access for IT administrators is important for addressing customer issues.
In the Fintech world, partners are key to success. The authentication system should work with partners to increase efficiency and add greater value, and it should enable a strong authentication service for partners through traditional VPN systems or modern cloud services.
User Requirements
Users form the basis of Fintech services. Without users, there is no business. Therefore user requirements are critical.
Today, customers use a wide variety of devices (mobiles, tablets, laptops) running iOS, Android, Windows, Linux, etc. Web based authentication must support heterogeneous environments and keep up with newer platforms. The web based authentication system must allow users to authenticate from multiple devices, even when they don't have their primary device. For example, a user should be able to borrow a smartphone to make a payment from their account.
In today's Fintech world, the authentication system must also work on a global scale and support multiple languages and locale settings. The authentication system will have to be resilient enough to withstand denial of service attacks and other hacks.
Today's customers are accustomed to self-service. Self-service enrollment and registration mechanisms lighten the IT team's administrative load and accelerate user adoption. Offer multiple fallback (escalation) processes to enable authentication when a user cannot authenticate through their normal process.
Closing Thoughts
Fintech will bring in a new wave of digital transformation. For Fintech to succeed, it is important to provide secure access through any device on any network. Customers expect frictionless access to on-premises and cloud apps from any device, anywhere and at any time.
A modern authentication system must have the intelligence to understand context and risk and determine the authentication process accordingly. It must provide a low cost, scalable solution, giving users the access they need and the seamless, on-demand service they expect.
Footnote:
OAuth 2.0
OAuth 2.0 is the industry-leading standard for enabling access to APIs. Simply put, OAuth 2.0 is a standard framework that allows an application to securely access resources on behalf of users without requiring their passwords. This open authorization also lets the user understand what kinds of access and information the application is requesting, and then provide consent.
OpenID Connect 1.0
OpenID Connect adds an identity layer to OAuth 2.0 and simplifies existing federation specifications. It enables identity federation as well as delegated authorization and includes other capabilities to enhance dynamic interoperability.
SAML
Security Assertion Markup Language (SAML) is an open XML standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML allows businesses to safely share identity information across domains. The process is often called federation.
FIDO
Fast Identity Online (FIDO) defines a set of technology-agnostic specifications for strong authentication. FIDO was designed to reduce reliance on hard-to-remember passwords to authenticate users and address the lack of interoperability among strong authentication devices.