Tuesday, February 28, 2017

Why Fintech Needs Modern Authentication Systems

Fintech runs mostly on cloud and mobile platforms to reach a wide range of customers. Recently, I was asked to create a technical solution for authentication for a cloud-plus-mobile fintech solution for the SMB market.

User authentication is a key security feature of this fintech platform, so it is worth documenting the key requirements and the factors that drive the final solution.

Requirements have to be gathered from three sources: strategic requirements, business user requirements and IT operations requirements.

On a side note, I had blogged on the need for Multi-Factor Authentication as a Service in December 2011, and many of the points I noted in that blog are still very relevant for Fintech services.

Strategic Requirements

From a Fintech point of view, the top priority for an authentication system is to meet security requirements, i.e. to reduce the risk of a breach. The cost of a security breach is much bigger than the immediate financial loss: the legal implications and the loss of customer trust can be a business killer.

The second strategic requirement is to lower costs. The main benefit of fintech is that it offers lower costs for financial transactions while speeding up the rate of transactions, so the cost of authentication is critical to the business plan. Low cost becomes imperative once IoT, robotics and automation systems also use the same authentication system, which implies that the authentication system must scale to support a very large number of users.

Today's Fintech solutions should disrupt existing financial processes, and this disruption is achieved by accelerating the rate of financial transactions. This forms the third strategic requirement for authentication systems: the solution must accelerate digital transformation.

In the automation or intelligent software space, robotic process automation tools, automation tools, and cognitive computing solutions create change inside organizations.

The three strategic requirements can be summarized in one sentence: provide a low-cost authentication system that is safe, secure and user friendly, and that can be used on multiple devices by users anywhere in the world.

In a nutshell, the authentication system must allow users to authenticate securely from anywhere, on any device they happen to use, over any type of network.

Existing Solutions & Legacy Solutions

Having worked at EMC and used RSA's SecurID authentication system, I know the pros and cons of legacy systems.

I remember the days when CFOs would carry around a box full of SecurID fobs, one for each bank account, and then deal with the headache of tracking which SecurID token went with which account.

Legacy authentication systems work with traditional bank IT systems, and they are proven solutions. But in the new world of Fintech, these legacy systems are no longer useful: they are expensive, slow and cumbersome to use, and they slow down the rate of transactions.

Legacy two-factor authentication solutions have their limitations: a poor user experience, with hardware tokens/fobs, additional passcodes and extra sign-in steps. Moreover, legacy systems are expensive to buy and operate, not counting the complexity of deploying, maintaining and administering the solution.

If Fintech is to truly disrupt existing workflows, we need to look beyond standard two-factor authentication systems that use smart tokens, smartcards or hard tokens.

Fintech requires authentication solutions that are more secure and yet easy to use. The solution has to be highly scalable and allow higher rates of transactions.

Today, Fintech solutions need to know more than just two proofs of identity before granting access to the system. They need to know the context and geo-location information in addition to a password and a dynamic password.

In a nutshell, legacy two-factor authentication does not work for Fintech. While we will still need two-factor authentication, the system must go beyond passwords/keys and also understand the user's context and the risks/vulnerabilities.

Next Generation Authentication System

Fintech services will need a cloud-based authentication system, offered in an Authentication-as-a-Service model, that also meets the following requirements. From a Fintech point of view, there are three main requirement categories:

1. Business Requirements
2. IT Requirements
3. User Requirements

Business Requirements

Fintech solutions have stringent security requirements that must keep pace with new threats and opportunities. Fintech solutions will have to federate between multiple applications and services across the ecosystem of customers and partners.

From a business point of view, the cloud-based authentication system must meet or exceed the industry standards: OAuth 2.0, OpenID Connect 1.0, SAML and FIDO. Support for these open identity standards lets businesses leverage their existing investments and integrate with legacy systems, external data sources and third-party cloud applications.

A cloud-based authentication system provides the easy, frictionless experience that users expect. Cloud-based systems also interoperate easily with third-party systems and domains, which allows your company to operate smarter, create value and strengthen its competitive advantage. The cloud-based system should also scale to meet requirements as the business grows.

For a Fintech, the cost of the solution must be very low. As mentioned earlier, legacy hardware-token-based systems are too expensive. One-time passcodes (OTP) pushed over SMS can also generate quite high costs over time, and NIST recommends against out-of-band authentication over SMS.

It is important to allow customers to log in even when they are offline or on unreliable networks. This implies that the authentication system must have the intelligence to know the user's context and choose the right authentication method.

Contextual and risk-based authentication is the key to lowering costs while improving the customer experience. The authentication system must know the geo-location, time of day, IP address and device identifiers to ascertain the risk of an unauthorized login, and then apply adequate security policies to prevent a breach.

In short, intelligent, context-based authentication should provide strong, adaptive authentication.

For example, if a regular user's authentication attempt comes from a country outside the region of the last known geo-location, the system must trigger additional authentication/validation processes.
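One way to turn the contextual signals above (geo-location, time of day, IP address, device identifier) into an adaptive login decision, as an added example that is not code from the original post. The user history, weights and thresholds are assumptions, and the decision generalizes the single new-country case in the text to a score over all four signals.

```python
# Added illustration of the contextual, risk-based login decision described
# above (example code, not from the original post); names, thresholds and the
# sample user history are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    country: str    # country resolved from geo-location
    ip: str         # source IP address of the attempt
    device_id: str  # identifier of the device used
    hour: int       # local hour of day, 0-23


# Constructed sample history; a real service keeps this per user.
KNOWN_CONTEXT = {
    "alice": {
        "country": "IN",
        "devices": {"dev-A1"},
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
        "usual_hours": range(7, 23),
    },
}


def risk_score(ctx, known):
    """Score how far this attempt deviates from the user's known context."""
    checks = [
        (ctx.country != known["country"], 50, "new_country"),
        (ctx.device_id not in known["devices"], 30, "unknown_device"),
        (not any(ipaddress.ip_address(ctx.ip) in n for n in known["networks"]),
         10, "new_network"),
        (ctx.hour not in known["usual_hours"], 10, "unusual_hour"),
    ]
    hits = [(w, r) for flagged, w, r in checks if flagged]
    return sum(w for w, _ in hits), [r for _, r in hits]


def decide(ctx, history=KNOWN_CONTEXT):
    """Choose the authentication process for this attempt:
    allow   -> the normal login is enough
    otp     -> ask for an additional one-time code
    step_up -> trigger the extra validation process (e.g. new country)
    """
    known = history.get(ctx.user)
    if known is None:
        return "step_up", ["no_history"]   # nothing to compare against yet
    score, reasons = risk_score(ctx, known)
    if score >= 50:
        return "step_up", reasons
    if score >= 20:
        return "otp", reasons
    return "allow", reasons
```

The returned reasons list is what an operator would log alongside the decision, so that step-up rates per signal can be reviewed and the weights tuned.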

IT Requirements

The IT systems that manage and operate the authentication system are key to ensuring customer satisfaction and accelerating the digital transformation of financial services, which is the core value of Fintech solutions.

Fintech customers/users should be able to use any device, from any location, to get their work done. This implies that traditional mobile device management (MDM) and VPN technologies will not work, as those solutions are too rigid and do not scale rapidly.

A cloud-based authentication system that can be centrally administered will be needed. Intelligent, context-based authentication would provide strong, adaptive authentication to users and partners, while providing adequate security for both the managed and the unmanaged mobile devices in use. Giving users access to the information and insights they need, when and where they need it, allows your company to operate smarter, create value and strengthen its competitive advantage.

IT plays a very important role in the management and administration of the user authentication system. Web-based administrative access and policy/role-based entitlements are a must for automating the addition of new users.

IT administration functions must be automated as far as possible and allow self-service wherever feasible. The authentication system must still let IT administrators intervene, using administrative bypass codes, to help customers/partners when needed, such as during a customer escalation or when administrative intervention is otherwise required.

Authentication systems must also provide varying levels of trust, access and permissions. Support for role-based access and web-based access for IT administrators is important for addressing customer issues.

In the Fintech world, partners are key to success. The authentication system should work with partners to increase efficiency and add greater value, and should extend strong authentication to partners through traditional VPN systems or modern cloud services.

User Requirements

Users form the basis of Fintech services. Without users there is no business, so user requirements are critical.

Today, customers use a wide variety of devices (mobiles, tablets, laptops) running iOS, Android, Windows, Linux, etc. Web-based authentication must support heterogeneous environments and keep up with newer platforms. It must also allow users to authenticate from multiple devices, even when they do not have their primary device; for example, a user should be able to borrow a smartphone to make a payment from their own account.

In today's Fintech world, the authentication system must also work on a global scale and support multiple languages and locale settings. It will have to be resilient enough to withstand denial-of-service attacks and other attacks.

Today's customers are accustomed to self-service. Self-service enrollment and registration mechanisms lighten the IT team's administrative load and accelerate user adoption. Offer multiple fallback escalation processes so that a user can still authenticate when their normal process fails.

Closing Thoughts

Fintech will bring a new wave of digital transformation. For Fintech to succeed, it is important to provide secure access through any device on any network. Customers expect frictionless access to on-premises and cloud apps from any device, anywhere, at any time.

A modern authentication system must have the intelligence to understand context and risk and choose the authentication process accordingly. It must provide a low-cost, scalable solution that gives users the access they need and the seamless, on-demand service they expect.

Footnote:

OAuth 2.0
OAuth 2.0 is the industry-leading standard for enabling access to APIs. Simply put, it is a framework that allows an application to access resources on behalf of a user without requiring the user's password. It also lets the user see what kinds of access and information the application is requesting, and then give consent.

OpenID Connect 1.0
OpenID Connect adds an identity layer to OAuth 2.0 and simplifies existing federation specifications. It enables identity federation as well as delegated authorization and includes other capabilities to enhance dynamic interoperability.

SAML
Security Assertion Markup Language (SAML) is an open XML standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML allows businesses to safely share identity information across domains; the process is often called federation.

FIDO
Fast Identity Online (FIDO) defines a set of technology-agnostic specifications for strong authentication. FIDO was designed to reduce reliance on hard-to-remember passwords for authenticating users and to address the lack of interoperability among strong authentication devices.

Monday, February 27, 2017

Building More Effective Mobile Apps with Micro apps

This article was co-authored with Saraswathi Ramachandra

Enterprise mobile apps have been proliferating at a rapid rate. As a result, every employee today has about 40 apps, of which about 8-12 are enterprise apps.

Recent studies have shown that increasing the number of enterprise apps does not improve employee productivity either, and employees tend to limit the number of mobile apps on their devices.

To make mobile apps more effective and improve employee productivity, it is important to switch from mobile apps to micro apps.

Challenge with current Mobile Apps

Most enterprises have invested heavily in full-featured mobile apps that mirror the functionality of desktop enterprise software. This has led to complex interfaces with a wide range of menu options that only confuse the employees/users, who eventually ditch these mobile apps.

A common mistake in mobile app development is to create apps that aim to do it all. Many mobile apps are simply condensed versions of existing websites, desktop applications, or online services that are designed to perform all the same functions as their larger counterparts.

As a result, companies end up with hard-to-use, slow-to-load apps that sacrifice efficiency for unnecessary functionality.

By contrast, micro apps offer a more consumer-oriented experience than the typical enterprise mobile app, delivering highly targeted functionality that lets users perform a few simple tasks quickly.

What is a micro app?

A micro app is a collection of functions that together form a highly focused, task-based application delivering highly targeted functionality. Micro apps are bundled into one mobile app, so that a single mobile app provides all related functions through its micro apps.

For example, consider a personal banking mobile app. It contains several micro apps such as "Get Current Balance", "Show Last N Transactions", "Reset ATM PIN", "My Monthly Spend Report", "Add Money", "Transfer Money", etc.

Dividing the app into micro apps lets the customer focus on the task at hand and avoid unnecessary navigation steps.

From an app development perspective, each micro app can be developed and updated independently of the others. This decoupling of application functions makes it easier for the bank to upgrade and maintain the mobile app while giving customers a plethora of task-based functions. Customers can arrange the micro apps in any order they choose, which eases interaction and maximizes customer satisfaction.

Micro apps are built on three core principles:

1. Focus on task-specific functions
2. Build and maintain each micro app independently of the other micro apps
3. Give users the ability to perform the tasks they need, i.e. offer quick get-in-and-out capabilities

The micro apps architecture is essentially a framework that acts as a container for micro apps. The main mobile app provides all the common services used by the micro apps, and decouples the function of each micro app from the basic housekeeping functions.
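A minimal sketch of that container, as an added example that is not the authors' framework or code from the original post: the main app owns the common services (the logged-in session, an audit log, the customer's chosen ordering) and every micro app is dispatched through it, so authorization is enforced once rather than re-implemented in each micro app. The micro app names come from the banking example above; the roles, functions and account data are assumptions.

```python
# Added illustration of the container described above (example code, not the
# authors' framework): the main app owns the common services and every micro
# app is dispatched through it. Names and the sample data are assumptions.
from dataclasses import dataclass, field

@dataclass
class Container:
    """Main mobile app: shared session, audit log and micro-app registry."""
    user: str
    roles: set                                 # from the common login service
    audit: list = field(default_factory=list)
    apps: dict = field(default_factory=dict)   # name -> (required_role, function)
    order: list = field(default_factory=list)  # customer's chosen arrangement

    def register(self, name, required_role, func):
        self.apps[name] = (required_role, func)
        self.order.append(name)

    def arrange(self, names):
        """Let the customer reorder the micro apps shown to them."""
        assert set(names) == set(self.apps), "must cover every registered app"
        self.order = list(names)

    def run(self, name, **params):
        """Housekeeping (authorization, audit) done once here for every micro app."""
        role, func = self.apps[name]
        if role not in self.roles:
            self.audit.append((name, self.user, "denied"))
            return None
        self.audit.append((name, self.user, "ok"))
        return func(self.user, **params)

# Constructed sample backend data standing in for the bank's systems.
ACCOUNTS = {"alice": {"balance": 1200, "txns": [-50, 300, -20]}}

# Each micro app is an independent, task-focused function.
def get_balance(user):
    return ACCOUNTS[user]["balance"]

def last_n_transactions(user, n=2):
    return ACCOUNTS[user]["txns"][-n:]

def transfer_money(user, amount):
    ACCOUNTS[user]["balance"] -= amount
    return ACCOUNTS[user]["balance"]

def build_app(user, roles):
    app = Container(user, set(roles))
    app.register("Get Current Balance", "viewer", get_balance)
    app.register("Show Last N Transactions", "viewer", last_n_transactions)
    app.register("Transfer Money", "payer", transfer_money)
    return app
```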

Benefits of Micro Apps

The main benefit of micro apps is that users get more effective and productive use out of mobile apps. They also make it easier to build and maintain new task-based functions independently of the other micro apps.

The main benefits of Micro Apps are:

  1. Easy, quick-to-use mobile apps that users love and actually use. Micro apps give simple one-click access to the information and functions users need, and a single view of multiple systems, bundled together by a common business workflow or business function.
  2. A personalized user experience. Users can customize the micro apps to make them easier and more useful for themselves, and minimize the clutter of too many apps, since a single window delivers all related apps.
  3. Agile, rapid and parallel app development tailored to the mobile platform. Enterprises often take an existing web app or PC app and convert it into a mobile app, which tends to produce a complex, confusing mobile app. Developing and maintaining complex monolithic mobile apps is expensive, and even simple updates take too much time.
  4. Feedback on app usage. Micro apps can report how, where and when they are being used, and app developers can analyze this data to build better apps.
  5. Micro apps can be built on legacy systems. Each service offered by a legacy system can be converted into an individual micro app, making legacy systems more useful and building on existing investments.
  6. Faster business processes. Providing data/reports on demand lets employees/users make faster decisions, and business workflows can be automated via the mobile platform. Micro apps deliver information on demand and let users complete tasks on their mobiles.


Today, enterprises cannot afford to keep developing mobile apps that go unused by employees. It is critical to build apps that are easy to use, easy to build and easy to maintain, so that employees use them often, speeding up business processes and improving overall organizational efficiency.

Micro apps help organizations build highly targeted apps that give employees task-based functionality and quick access to the important information they need. Micro apps are a flexible and cost-effective IT solution that can be developed and maintained in an agile way, so that new functions can be added quickly and users can choose the functions they need.

Footnote:

Google Alerts can be taken as an example of a micro app that is customizable by its users.