Everyone is familiar with the pain of waiting in Transportation Security Administration (TSA) lines when traveling: taking off shoes and even getting hands swiped for explosive residue before being allowed to reach the gate at the airport. TSA was created in response to the September 11 attacks to improve and consolidate air travel security, and some of these methods may seem clunky and slow. TSA’s methods of authenticating identity, however, are seamless and nearly invisible to travelers. Similarly, banking institutions are changing authentication to improve user experience without putting identity or sensitive information at risk.
How TSA and banks authenticate
Increasingly, TSA and banks request to see only a driver’s license but are still confident that they have authenticated someone’s identity securely. TSA uses credential authentication technology (CAT) to confirm a traveler’s identity using government-issued identification credentials. CAT links to the Secure Flight database electronically to confirm identity and travelers’ flight details and to display pre-screening status without requiring the traveler to show a boarding pass. CAT also detects fraudulent IDs and eliminates concerns related to boarding pass fraud. TSA is also beginning to leverage biometrics, adopting digital identity initiatives in place of a physical ID or boarding pass to verify identity when passengers are dropping off a bag, going through a security checkpoint, or checking in at the boarding gate. (Note: TSA still requires a physical ID in case a digital ID cannot be verified.) All of this happens in near real-time at security checkpoints — without placing any additional burden on travelers.
Banks, similarly impacted by September 11, must comply with the USA Patriot Act’s requirement for banks to obtain a copy of each customer’s photo ID to open, close, or complete a transaction on an account. These organizations have also implemented advanced identification verification systems to align with both the Patriot Act and the Know Your Customer (KYC) program, which are designed to protect financial institutions against fraud, money laundering, corruption and terrorist financing.
In addition to using a driver’s license or ID card for identity authentication, banks develop risk profiles for each customer based on their activities, behavior and characteristics to assess the likelihood of illegal activity. And as anyone who has had fraudulent account activity flagged knows, banks also monitor transactions to determine whether they are consistent with each customer’s profile and activity as a way to identify suspicious activity. Increasingly, banks also use biometrics to authenticate users, by using:
- Facial recognition
- Fingerprint scanning
- Location data
- Mobile phone tracking
- Eye scanning
- Vocal patterns
- Behavioral traits
By utilizing a wide range of data points collected autonomously, financial organizations can confirm identities without requiring multiple manual inputs, making the authentication experience both more robust and more user-friendly. These invisible methods don’t interrupt the banking experience but add a critical layer of protection for both customers and the banks themselves.
Authentication that’s hard to fake
Unfortunately, passwords alone provide neither identification nor authentication. And while multi-factor authentication (MFA) is important, MFA methods that still rely on passwords simply aren't enough. MFA using unencrypted SMS is also vulnerable to attack, as are processes that use shared secrets (which are susceptible to phishing attacks). That means one-time passcodes (OTP), push to text or email, and phone calls are not only annoying interruptions, they also don’t work to securely authenticate identity.
Leveraging relevant user data and biometric information as the TSA and banks do, enterprises can use behavioral analytics to authenticate workforce users across corporate IT resources. Invisible MFA systems can detect anomalies in user behaviors and flag them for investigation without interrupting legitimate users. MFA solutions can also use geo-location to validate identity, stopping hackers from distant locations, unrecognized locations and IP addresses known to be risky. Using multiple data points to authenticate helps security leaders ensure that their workforce is continuously authenticated, regardless of which work-related resources are being accessed.
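As an added illustration (not from the original article or any vendor's product), the sketch below evaluates a sign-in against the location signals the paragraph above names: distant, unrecognized and known-risky origins. The `SignIn` record, the `assess` function, the thresholds and the sample addresses and coordinates are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed policy values (not from the article); tune to your environment.
RISKY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
MAX_SPEED_KMH = 900.0    # faster than this between sign-ins is implausible
KNOWN_RADIUS_KM = 100.0  # within this of a past sign-in counts as recognized

@dataclass
class SignIn:
    when: datetime  # UTC
    ip: str
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance between two sign-ins, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def assess(event, history):
    """Return (decision, reasons) using the user's previously accepted sign-ins."""
    reasons = []
    if any(ipaddress.ip_address(event.ip) in net for net in RISKY_NETWORKS):
        reasons.append("risky_ip")
    if all(km_between(p, event) > KNOWN_RADIUS_KM for p in history):
        reasons.append("unrecognized_location")  # also true when history is empty
    if history:
        last = max(history, key=lambda p: p.when)
        hours = (event.when - last.when).total_seconds() / 3600
        dist = km_between(last, event)
        # hours <= 0 covers out-of-order or simultaneous sign-ins from far apart
        if dist > KNOWN_RADIUS_KM and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
            reasons.append("impossible_travel")
    if "risky_ip" in reasons or "impossible_travel" in reasons:
        return "block", reasons
    return ("flag", reasons) if reasons else ("allow", reasons)

# Constructed sample data: one accepted sign-in from Chicago, then four new ones.
HISTORY = [SignIn(datetime(2024, 3, 4, 9, 0), "198.51.100.10", 41.88, -87.63)]
SAMPLES = {
    "same_city": SignIn(datetime(2024, 3, 5, 9, 5), "198.51.100.11", 41.90, -87.65),
    "new_city": SignIn(datetime(2024, 3, 6, 9, 0), "198.51.100.12", 39.74, -104.99),
    "far_too_fast": SignIn(datetime(2024, 3, 4, 10, 0), "198.51.100.13", 1.35, 103.82),
    "risky_ip": SignIn(datetime(2024, 3, 5, 9, 0), "203.0.113.7", 41.88, -87.63),
}
RESULTS = {name: assess(ev, HISTORY) for name, ev in SAMPLES.items()}
```

A sign-in that is only unrecognized is flagged for investigation rather than blocked, which keeps the check invisible to a legitimate user who is simply travelling.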
Breadth of MFA is critical to thwarting attackers
As cybersecurity threats become increasingly sophisticated, it is critical for security leaders to neutralize attackers without placing an undue burden on individual employees. For many enterprises, the goal of implementing robust security controls and making it easy for employees to authenticate securely may seem impossible to achieve. Invisible MFA enables both secure authentication and seamless access to business-related resources.
TSA and banks continue to modernize their screening and authentication procedures and the technologies they use to both create more seamless experiences and serve the needs of a complex security ecosystem. Security leaders must approach authentication the same way, by using technology to verify identity in ways that cyber attackers can’t fake.