Passkeys for Banking in the US

Passkeys for Banking: A Comprehensive Guide for U.S. Bankers

There’s a notable shift toward adopting Multi-Factor Authentication (MFA) driven by regulatory guidelines in the U.S. banking cybersecurity domain. The Federal Trade Commission (FTC) has updated the Gramm-Leach Bliley Safeguard’s Rule, making it mandatory for financial institutions to implement MFA for both their internal and external users. Simultaneously, the New York Department of Financial Services (NYDFS) has been enforcing MFA since 2017 and is now proposing further amendments to its Cybersecurity Rule to expand MFA requirements. The Cybersecurity and Infrastructure Security Agency (CISA) has provided guidance highlighting potential vulnerabilities in some MFA methods, advocating for phishing-resistant standards. Given this regulatory environment, U.S. banks are presented with a clear choice: integrate advanced MFA solutions, such as passkeys (developed by the FIDO Alliance), to ensure compliance and maintain a competitive edge, or potentially face challenges.

Understanding Passkeys

Passkeys, as endorsed by the FIDO (Fast IDentity Online) Alliance, represent a shift from traditional password-based to passwordless authentication. Instead of relying solely on something you know (like a password), FIDO’s approach emphasizes the use of local authentication, where user verification happens on the device itself. This can be achieved through something you have (a physical security key or a registered device) or something you are (biometric data like fingerprints or facial recognition). The key advantage of passkeys is that they are resistant to phishing and replay attacks, as the authentication credentials are never exposed or stored centrally.

The Role of the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance is not just any industry consortium; it’s a powerful collective of some of the world’s leading brands, including a significant banking and financial sector representation. This alliance is a testament to the global push towards more secure and user-friendly authentication methods. Among its members are top-tier U.S. banking and financial institutions such as Bank of America, JPMorgan Chase, Wells Fargo, and American Express. These institutions, recognizing the vulnerabilities and inefficiencies of password-based systems, have joined forces with tech giants and other industry players under the FIDO Alliance to drive the standardization and adoption of more robust authentication protocols. Their collaborative efforts have culminated in the development of the FIDO authentication standard, which has further evolved into passkey authentication. For a deeper dive into the world of Passkeys, we recommend visiting this article titled Passkeys: Quick & Easy Guide to Passwordless Authentication.

Why Secure and User-Friendly Authentication Matters

For banking customers, security and ease of use are paramount. In the fiercely competitive banking landscape, where differentiation is challenging, offering enhanced features becomes a game-changer. Banks can carve out a unique position by providing easy-to-use and phishing-proof authentication, offering a value proposition beyond traditional banking services. A consistent user experience across all communication channels enhances the overall user experience and bolsters online security. When customers can seamlessly and securely access their accounts through a mobile app, web portal, or even an in-branch kiosk, their trust in the bank solidifies. Moreover, this approach not only elevates the customer experience but also ensures that banks are in compliance with industry regulations, striking a balance between innovation and adherence to standards.

FIDO: The Unparalleled Gold Standard of Online Authentication

FIDO doesn’t just stand out among the vast landscape of authentication standards—it towers above the rest. It’s not merely another method in the ever-evolving world of cybersecurity; it’s the culmination of extensive research, investment, and collaboration by hundreds of global organizations. These aren’t just any organizations; they are titans in their respective industries, from tech behemoths to leading financial institutions, all of whom have poured significant time, money, and resources into the development of the FIDO standard. Their collective backing sends a clear message: FIDO isn’t a fleeting trend or a temporary solution. It’s the future of online authentication. The fact that it’s phishing-proof underscores its robustness. With FIDO, even if malicious actors manage to intercept user credentials, the intricate, multi-layered security of passkeys ensures they’re left with unusable data. In the vast sea of online security measures, nothing on the horizon comes close to the promise and potential of FIDO. It’s not just the next step in authentication; it’s the definitive one.

Challenges in Implementing New Authentication Technologies

Large, diverse organizations like banks often grapple with the challenge of integrating new technologies. Different user-facing applications, built on varied technological platforms, necessitate distinct coding stacks for upgrades. This complexity can delay the rollout of new authentication methods, leaving security gaps. Historical examples abound of failed technology projects due to overcomplexity. For instance, in the early 2000s, many organizations attempted to overhaul their entire IT infrastructure in one go, leading to projects that ran over budget, missed deadlines, and ultimately were abandoned. Another example can be seen in the healthcare sector, where attempts to integrate disparate patient record systems without a unified approach led to data mismatches and compromised patient care. In the banking sector, there have been instances where attempts to merge legacy systems with modern platforms resulted in significant downtime, affecting customer transactions and trust. Therefore, the ability to introduce new authentication technology without altering the existing technology stack is not just a convenience—it’s crucial. It ensures that introducing new security measures is seamless and efficient and doesn’t disrupt the ongoing operations or compromise the existing infrastructure.

Revolutionizing MFA Implementation: The BNP Paribas Success Story

Secfense offers a unique approach to this challenge, emphasizing a “no-code” methodology. This approach is especially beneficial for large institutions with many applications running on diverse platforms. The significance of a no-code implementation becomes evident when we delve into real-world case studies. BNP Paribas, a global banking leader, provides a compelling example. By adopting Secfense’s User Access Security Broker, BNP Paribas achieved remarkable results:

• They expanded MFA to 43% more applications than initially planned.
• A staggering 82% reduced the engagement of IT specialists.
• The bank realized savings of $778,000 compared to the traditional MFA implementation approach.
• They could leverage all the MFA methods they already used, ensuring 100% utilization.
• Software developer engagement was entirely eliminated and reduced by 100%.
• The overall cost of implementation was slashed by 87%.

With Secfense, U.S. banks can now seamlessly introduce FIDO & passkeys across all channels and customer access points. This ensures a phishing-proof security framework for end customers, an enhanced user experience due to the usability of passkeys, and a smooth transition for customers adapting to these new authentication methods.

Experience the Future of Banking Security: Dive into Our Proof of Value Offering

To truly appreciate the transformative power of this approach, we invite institutions to experience a Proof of Value (POV). This hands-on experience provides comprehensive multi-factor authentication protection for one of your applications, equips users with a chosen MFA method, introduces microauthentications for added security, and offers full-site protection akin to VPN functionalities. All we ask in return is the dedication of one specialist for a mere 10 hours over a week and honest feedback post-POV. Dive into this opportunity and ensure your bank remains compliant, secure, and always customer-centric.