Why Financial Services Shouldn’t Wait for Regulators to Address Strong Authentication

September 15, 2021 5 minute read

Financial institutions face some of the most stringent and complex regulatory requirements, including compliance requirements around authentication, so much so that the industry is broadly considered the gold standard from a compliance perspective. To comply with existing regulations and thwart cyber attacks, financial institutions were early adopters of two-factor authentication (2FA).

And yet, cyber attacks continue to rise – up 80% in 2020 – with threat actors inserting themselves into trusted data exchanges. How is this possible? Because mobile-based authentication (SMS codes and app-generated OTPs) remains vulnerable to account takeovers, phishing, malware, SIM swapping, and man-in-the-middle attacks: any second factor that the user types into a web page can be intercepted or relayed in real time. As demonstrated in a recent VICE article, all it took was $16 paid to an SMS-routing service for a white-hat hacker to redirect a reporter's text messages and break into his online accounts.

Do the authentication methods most institutions deploy today satisfy existing financial services compliance requirements? Yes. Are they effective? No. Requirements and regulation will catch up to the need for hardware-backed strong authentication, but waiting for regulation is costly – for compliance, for risk, and even for growth.

Trust is the cornerstone of success in financial services. With the current erosion of consumer trust and increasing fears of fraud, financial institutions are compelled to lean into new ways to demonstrate trust. Long before regulations catch up, modern strong authentication can become a competitive differentiator.  

Financial Services Regulatory Compliance Change on the Horizon

Just as the Enron and WorldCom scandals of the early 2000s triggered the creation of the Sarbanes-Oxley Act, the global pandemic – and its rise in remote work and cyber attacks – is the latest crisis to trigger regulatory change. In fact, just last month the FFIEC issued updated authentication guidance for the first time in a decade, replacing its 2011 supplement.

PCI DSS is one example. The Payment Card Industry Data Security Standard officially took a stand on requiring MFA in its 2016 update, PCI DSS 3.2, and subsequent revisions. In its information supplement on MFA, which supports Requirements 8.2 and 8.3, the PCI Security Standards Council sets out minimum requirements for authentication factors and cryptographic tokens (drawing on NIST SP 800-164 and NIST SP 800-157).

With PCI DSS 4.0 in its final request-for-comments round in 2021, revised financial services compliance requirements are expected to track the NIST SP 800-63 Digital Identity Guidelines more closely. SP 800-63-3 separates identity assurance (IAL) from authenticator assurance (AAL), classifies SMS as a "restricted" one-time-password (OTP) authenticator rather than a recommended one, and provides a framework for grading authenticator strength. Its highest level, Authenticator Assurance Level 3 (AAL3), requires a hardware-based, phishing-resistant (verifier-impersonation-resistant) authenticator with FIPS 140-validated cryptography; hardware FIDO2 and FIDO U2F security keys that meet those requirements can satisfy AAL3, whereas SMS and app-based OTPs cannot.

The shift toward strong authentication is happening across the board in the regulatory landscape. In the EU, the proposed eIDAS (electronic Identification, Authentication and trust Services) framework for digital identity proofing calls for hardware-backed MFA. The draft Digital Operational Resilience Act (DORA) regulation is also expected to reference NIST guidance. And the SolarWinds supply chain attack helped prompt the May 2021 Executive Order on Improving the Nation's Cybersecurity, which gives US federal agencies 180 days to adopt multi-factor authentication and encryption of data at rest and in transit. With each new regulation, greater clarity and specification around authentication are being introduced.

Will more changes be coming? The answer is, emphatically, YES. At this pace, without a proactive focus on strong authentication, enterprises are likely to be left playing catch-up.

Yubico Modern Strong Authentication

The YubiKey is a hardware security key manufactured by Yubico that offers easy-to-use two-factor, multi-factor, and passwordless authentication at scale, helping financial institutions meet MFA compliance requirements across various regulations, certifications, and frameworks. As a FIDO2 / WebAuthn / FIDO U2F compliant authenticator, the YubiKey registers a separate key pair per site, binds each credential to the web origin that created it, and never releases the private key; a phishing page on a look-alike domain therefore cannot obtain a valid login response, which is what makes it a strong defense against account takeovers, phishing, malware, SIM swapping, and man-in-the-middle attacks.
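The origin binding described above is what a relying party actually checks when it verifies a WebAuthn login. The following Go program, an added example that is neither Yubico's code nor code from the original article, simulates the three parties (a security key, a browser, and a bank's server) using only the standard library, and shows why a phishing relay fails: the browser derives the RP ID from the page's origin, the key only signs with a credential scoped to that RP ID, and the signature covers both the rpIdHash and the clientDataJSON (which carries the origin and the server's challenge). The domain names bank.example and bank-example.evil, the fixed challenge string, and the scenario functions are constructed for illustration; attestation, CBOR parsing and signature-counter tracking are omitted, and a production relying party should use a maintained WebAuthn library and fresh random challenges.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

type clientData struct { // the CollectedClientData the browser builds; the RP checks every field
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct { // what the relying party gets back from navigator.credentials.get()
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // ECDSA P-256 over SHA-256(authenticatorData || SHA-256(clientDataJSON))
}
type authenticator struct { // stands in for the security key: one key pair per RP ID, private keys never leave it
	creds map[string]*ecdsa.PrivateKey
}

func (a *authenticator) register(rpID string) *ecdsa.PublicKey {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only on a broken CSPRNG
	a.creds[rpID] = key
	return &key.PublicKey
}

func signedDigest(authData, clientDataJSON []byte) []byte { // what the key signs and the RP verifies
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// getAssertion signs only with a credential scoped to rpID and bakes rpIdHash into the signed data.
func (a *authenticator) getAssertion(rpID string, clientDataJSON []byte) (assertion, error) {
	key, ok := a.creds[rpID]
	if !ok {
		return assertion{}, fmt.Errorf("no credential scoped to %q", rpID)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 0) // flags 0x01 = UP, set by the touch; signCount left at 0 here
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, clientDataJSON))
	return assertion{authData, clientDataJSON, sig}, err
}

// browserGet models the user agent: it writes the origin itself and derives the RP ID from it,
// so a page on a phishing origin can never ask the key for the bank's credential.
func browserGet(auth *authenticator, origin, challenge string) (assertion, error) {
	u, _ := url.Parse(origin) // the origins used below are well-formed constants
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return auth.getAssertion(u.Hostname(), cd)
}

// verifyAssertion is the relying-party side: type, challenge, origin, rpIdHash, UP flag, then signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, as assertion) error {
	var cd clientData
	rpIDHash := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get":
		return fmt.Errorf("malformed client data or wrong ceremony type")
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return fmt.Errorf("origin %q is not %q: phishing page or reverse proxy", cd.Origin, origin)
	case len(as.AuthenticatorData) < 37 || string(as.AuthenticatorData[:32]) != string(rpIDHash[:]):
		return fmt.Errorf("rpIdHash mismatch: credential belongs to another RP")
	case as.AuthenticatorData[32]&0x01 == 0:
		return fmt.Errorf("user presence flag not set")
	case !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// runScenarios returns the bank's verdict (nil = accepted) for three constructed scenarios.
func runScenarios() (honest, phished, tampered error) {
	const bankOrigin, bankRP = "https://bank.example", "bank.example"
	const evilOrigin, evilRP = "https://bank-example.evil", "bank-example.evil" // constructed look-alike
	auth := &authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub := auth.register(bankRP)
	challenge := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; a real RP issues fresh random bytes per ceremony
	// 1. Honest login from the real origin.
	as, _ := browserGet(auth, bankOrigin, challenge)
	honest = verifyAssertion(pub, bankRP, bankOrigin, challenge, as)
	// 2. Phishing relay: the attacker forwards the bank's challenge to the victim on the look-alike.
	//    The browser scopes the request to that host, so normally the key holds no credential and
	//    refuses; even if the victim had been tricked into enrolling the key there, the assertion
	//    it produces is bound to the wrong origin and RP ID and the bank rejects it.
	auth.register(evilRP)
	relayed, _ := browserGet(auth, evilOrigin, challenge)
	phished = verifyAssertion(pub, bankRP, bankOrigin, challenge, relayed)
	// 3. The signature covers clientDataJSON, so a captured assertion cannot be re-pointed at a new challenge.
	forged := as
	forged.ClientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: "attacker-chosen", Origin: bankOrigin})
	tampered = verifyAssertion(pub, bankRP, bankOrigin, "attacker-chosen", forged)
	return
}

func main() { fmt.Println(runScenarios()) }
```

Running it prints `<nil>` for the honest login and an origin-mismatch error for the relayed assertion, which is the contrast with an SMS or TOTP code: a six-digit code carries no information about where it was typed, so a relay proxy can forward it to the real site unchanged, whereas the WebAuthn response names the origin inside signed data that only the key could have produced.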

With the YubiKey, financial institutions can:

  • Stop account takeovers and prevent man-in-the-middle attacks with hardware-backed public-key cryptography and origin-bound credentials
  • Provide unmatched simplicity for users with 4x faster logins that ensure proof of presence and possession
  • Comply with existing and emerging regulations and standards such as FFIEC, SOX, PSD2, PCI DSS, FIPS 140-2, and GDPR
  • Deliver trust to users and gain peace of mind with a trusted solution from an industry leader pioneering global authentication standards

YubiKeys can be used to stop phishing attacks and account takeovers for a variety of internal and end-customer use cases such as privileged users, call center workers, hybrid and remote workers, online/mobile banking, and high-risk, high-value transactions. To authenticate, users simply touch their security key (USB) or tap it (NFC) on any kind of device, including mobile phones and tablets.

Faced with increasing cyberattacks, a solid bedrock of authentication provides much more than financial services regulatory compliance – it provides a competitive advantage. Deploying YubiKeys enterprise-wide, or as a stronger alternative to TOTP, helps reduce the incidence of the cyber attacks that shake consumer trust – and there are few competitive differentiators more important in financial services than trust.

To learn more about how leading financial institutions are adopting MFA to comply with the changing financial services compliance requirements and consumer expectations, read our whitepaper Modern strong authentication and compliance for Financial Services: How the YubiKey meets global Financial Services regulations.
