Remember when companies used painfully slow and expensive wire transfers? When small businesses wasted time and money maintaining checking accounts? When investments in stock markets were only for those with deep pockets? Luckily, FinTechs came onto the scene and changed all of that! However, for an industry that is under the security spotlight, why aren’t FinTechs using strong authentication?
Firstly, what are FinTechs?
To make sure we’re all on the same page, let’s quickly cover what FinTechs actually are. FinTechs are tech-savvy, young and relatively small companies that bring newly-developed digital and online technologies (and new business models) to the banking and financial services industries. Yes, FinTechs are start-ups born to challenge banks and other incumbents.
A range of different services are offered by FinTechs: instant money loans, micro investments, checking accounts with lower fees, flexible insurance services – the list goes on. An increasing number of internet services like CNote, Holvi, Mash, Metromile, Raisin and TransferWise are gaining popularity. Why would you do business with a bank if a FinTech offers you a faster, more convenient, more affordable service that better suits your specific needs? At least that’s their promise.
Personally, I have used certain FinTech services for more than three years and I’m satisfied so far. What surprises me today is that even though these services make significant money transactions, the bulk of them use weak authentication methods.
Authentication and FinTechs
With most financial applications and services, there are two steps in which a user must be authenticated:
- when a person logs in to the service, and
- when a person confirms a transaction.
Login to the service
FinTechs overwhelmingly rely on username and password as the main authentication method. Then social identities (Facebook, Google, LinkedIn) come in second place. Some offer basic password-less login – e.g. a “login link” option, that asks for your email address and sends a one-time login link to your mailbox.
You might have logged in with username and password and you can see your account balance, your latest transactions etc. Now, what happens if you have to confirm a new transaction? Once you want to make a payment or change your details, the system should ask you for step-up authentication. FinTechs’ most common technique for transaction confirmation is SMS OTP (SMS one-time password) or similar. It forces you to prove that the mobile device registered with your account is to hand at the time of the transaction. This is better than just a password, but its security strength is still questionable.
Is this strong enough?
Sometimes the value of transactions is small and social login authentication could meet both convenience and security expectations. However, any service that deals with significant money transactions should use a combination of strong authentication and step-up authentication. It’s great to see that many governments now share the cybersecurity industry’s opinion and concerns, introducing laws to enforce better protection for companies and their users. The EU’s Payment Services Directive 2 (PSD2) requires strong authentication for services that hold confidential data, or for high value transactions. The directive became applicable in January 2018 for all EU countries. In short, PSD2 addresses two goals:
- make internet payment services easier and safer to use, and
- protect consumers against fraud, abuse, and other identity problems.
So why aren’t FinTechs using strong authentication?
If strong authentication is so important, and actually required by PSD2 and other regulation, why are FinTechs not using it? Here are the two main reasons for this surprising omission:
Banks are owners of strong authentication methods
In countries such as Finland and Sweden, the most commonly adopted strong authentication method is bank identification. Therefore, if FinTechs aim to challenge and disrupt banks, how can they use services provided by banks? Plus, bank authentication transactions are considerably more expensive than weaker methods. This is also why the method is rarely used by small to medium online shops.
There are no globally available strong authentication methods
The most proven strong authentication methods are country-specific and do not have global reach: bank ID, national ID cards, mobile PKI etc. This makes it extremely complicated for FinTechs that aim for a global presence. What could be the solution then? GSMA Mobile Connect is a global and federated digital identity solution based on a mobile subscription and OpenID Connect. It is a promising solution for the near future and is a service designed for mobile from its inception. FIDO also seems like a suitable solution that FinTechs can directly and independently implement and thus deliver the missing security element. Both Mobile Connect and FIDO are password-less by design.
What’s next for FinTechs?
FinTechs are not offering strong authentication methods today. We can’t fully blame them as reliable third-party strong authentication is not even available in all countries, meaning that FinTechs are not necessarily neglecting it. Yet FinTechs can build a partnership with other non-directly competing services, such as mobile operators. In conclusion, we expect that in 2019 FinTechs will take more initiative and partner with technology players. So one way or another they should provide better security to consumers in the near future.