Financial services case study
About our financial services customer
This case study is about a large, well-known, global financial services company who has requested to remain anonymous for security reasons. This company is experiencing market-leading growth, providing quick, convenient, and reliable worldwide access to funds through mobile and online channels using a vast network with more than thousands of locations. These include retailers, international post offices, and banks in many countries.
Deploying strong authentication
As a leading financial services company with hundreds of thousands of money transactions happening on a daily basis, the company looked to incorporate strong two-factor authentication to protect systems from being compromised and guard against potential data and financial losses.
In late 2013, the company looked at solutions that required ease of use, broad integration options, and support across multiple languages and regions.
Choosing the YubiKey for two-factor authentication
The usage scenario is simple: with thousands of retail locations around the globe, they needed a seamless, low friction solution that allowed on-site authentication, where that physical authentication validates each transaction. Ease-of-use was a top priority and authentication had to be instantaneous — versus other forms of time-consuming techniques such as typing in one-time passcodes, or SMS codes that need to be received then entered, and would require a shared device among agent employees.
They chose the YubiKey Nano, Yubico’s smallest form factor for two-factor authentication. The YubiKey Nano is designed to be tucked nearly invisibly into a USB port, allowing users to authenticate with a simple touch on the edge of the key.
Users don’t need to know anything about the YubiKey Nano other than they touch it to complete transactions. The act of touching the key signifies an associate’s presence at a valid service terminal. This means any hacker trying to compromise the system would also need access to the associate’s terminal in order to touch the key to complete their nefarious work.
The company was familiar with the YubiKey for quite some time, and had previously looked into the technology. Additionally, with other technologies such as soft token and SMS, they realized that maintenance costs can be higher, requiring management of phones, carriers, and tokens.
Integration of the YubiKey
With a self-service software application, registration and setup of the YubiKey is completed easily at the company’s retail locations. Once setup is complete, two-factor authentication is activated when the associate touches the key for the first time to confirm the financial transaction. With that action, the key is then automatically and uniquely linked to that system, and will need to be touched to confirm all subsequent transactions.
With the large number of associates that the company wanted to roll out this technology to, they needed the setup to be as transparent as possible. They didn’t want associates to have to click a link, register a device online, or use any other labor intensive technique. With the YubiKey, they are able to automatically give all of the necessary information to validate and turn on two-factor authentication. They believe that what they have created is one of the easiest registration systems available.
User experience feedback
The global financial services company deployed YubiKeys in order to combat fraud and keep financial transactions secure. The additional layer of security — requiring the key be touched in order to validate a transaction — has been very well-received by the company’s associates. With the first rollout of 10,000 YubiKeys to just a portion of their employees, the company has estimated that they have saved more than US$12 million, and they are planning a significantly larger deployment.
User feedback from their associates has been excellent, because the process is so easy for them. To register the keys and initiate two-factor authentication is a painless process, unique to the YubiKey.
Sources