Why Aren't Regulators Fixing MFA Security Standards?
- James Stickland, CEO at Veridium
- 01.08.2018 08:45 am undisclosed
The use of biometric identification systems in the financial sector is mushrooming as banks, credit card companies, and other institutions adopt them to improve security. Regulations such as the EU’s Payment Services Directive (PSD2) and new rules from the New York State Department of Financial Services (NYDFS) are spurring this by requiring multi-factor authentication (MFA).
However, regulators haven’t said anything about what constitutes acceptable performance or standardized data formats, and they haven’t even set deadlines for this to be done by. NYDFS, for example, requires MFA but doesn’t mandate a specific Authenticator Assurance Level as defined in NIST’s Digital Identity Guidelines. The result is a hodge-podge that, in some cases, appears to provide greater security without truly doing so.
Research by Mastercard expects the number of online transactions requiring cardholder authentication to increase from roughly one or two percent today to as many as 25 percent next autumn. This is due in part to consumers having easy access to biometric ID services via smartphones and tablets. The payments company is adding to the surge in biometrics: it has set next April as the deadline for its customers to be able to use biometrics, including fingerprint and facial recognition. Of course, this means any bank accepting Mastercard payments will have to support these identification mechanisms, as well as PINs and passwords.
In the US, the FTC has recommended best practices for companies using facial recognition technology, but stopped short of creating rules or laws for biometrics. Likewise, neither the Securities and Exchange Commission, the Office of the Comptroller of the Currency, nor The Federal Reserve have issued any regulations on the topic.
It’s not as if they’re unaware this is happening. From The Fed’s 2016 Mobile Banking Report: “Retail mobile banking is ubiquitous at U.S. financial institutions: 89 percent of [those] respondents currently offer mobile banking services to consumers; and 97 percent will offer these services by 2018.” The report also found security to be a top concern around this because of “the consumer’s lack of protective behavior. In response, financial institutions have implemented a range of mitigation controls – more than 80 percent support inactivity timeouts and multi-factor authentication, as well as mobile alerts – to enhance security and help change consumer behavior.”
With a change of this size underway, why aren’t regulators moving to protect both consumers and institutions by setting standards?
It may be a technological generation-gap issue. A survey by researchers from Oxford University and Mastercard found “only 36 percent of [financial industry executives] are familiar with biometrics, compared to 88 percent of them that would be involved in their deployment. These gaps inhibit adoption of biometrics, as they prevent effective communication and collaboration among different entities involved in the process of deployment.”
That same lack of familiarity is likely a reason for regulators’ hesitancy as well. Impulsivity is not a trait usually found in bank regulators. Likewise – and reasonably – it is a profession that doesn’t lend itself to people who want to be on the leading edge of technology. “Tried and true” is a good approach when you’re responsible for ensuring the stability of banks and entire financial systems. Whilst there is no demographic study of bank examiners, the Bureau of Labor Statistics says the job calls for “long-term on-the-job training.”
The lack of knowledge about biometrics may be why requirements for using MFA don’t go beyond specifying that the factors used should be something you know (passwords, mother’s maiden name, etc.), something you have (passkeys, a card, a token, etc.), and/or something you are (fingerprints, facial recognition, etc.). Unfortunately, not all authentication factors are equally secure. It doesn’t matter how many are used if they are all weak. Password-based systems are insecure, as shown by rising digital fraud rates, and inconvenient, as anyone who has lost their bank account password can attest.
On the other hand, as the Mastercard study states, “Biometrics are an alternative that offer potential usability improvements, while retaining or improving the security guarantees. The user study shows that users (>90 percent) believe biometrics are more secure and convenient than passwords, and that they are willing to adopt biometrics to replace existing password-based authentication.”
In addition to all this, there’s the problem of the lack of a common data format. Currently the data formats are as varied as the solution providers. Because of this, switching systems will be more difficult and more expensive. Further, it makes it difficult to share information among financial institutions, hindering KYC and AML efforts.
Additionally, the absence of a shared implement-by date puts customers at risk as long as the systems aren’t up and running.
It is no secret that technology is evolving faster than regulators can respond. Specific standards generally take several years to establish and, as a result, may be out of date long before they can be implemented. The requirements suggested here aren’t so specific as to fall prey to that; they are more like the codification of best practices. Requiring MFA is a huge step forward when it comes to security. Now regulators should take the next step by requiring that financial institutions and solution providers adopt these common-sense changes.