THE ROLE OF ADVANCED

AUTHENTICATION

Crossmatch’s Michel Nerrant on Improving Security Without Adding Friction

IN CYBERSECURITY FOR CREDIT UNIONS AND BANKS

Nerrant, a financial services cybersecurity expert, says credit unions walk an especially fine line when improving cybersecurity, between staying in compliance with regulatory requirements, without adding friction and complexity to the member experience.

“This is the industry where security is very important, but a frictionless experience for users is probably even more important,” Nerrant says. “It’s all about providing the right level of security for every channel, every user, at the right moment.”

In an interview about deploying multifactor authentication at credit unions, Nerrant discusses:

• What’s unique about the credit union employee and member base;• How new biometric authentication solutions can improve security;• How Crossmatch is helping its customers overcome challenges and deploy multifactor

authentication.

Crossmatch is a world leader in risk-based composite authentication and biometric identity management solutions. Crossmatch DigitalPersona solutions address a range of concerns in today’s rapidly changing security climate —from preventing data breaches by eliminating passwords, to ensuring the safety of citizens. Crossmatch helps enterprises and government around the world strengthen security through composite authentication.

Michel Nerrant

Nerrant is responsible for business development with Crossmatch in the financial services market. He brings over 25 years of experience in driving identity management solutions within the government and enterprise sectors. Prior to Crossmatch, he held business development and sales leadership roles at identity management and IT security companies including Schlumberger, ActivIdentity, IdentiPHI and WinMagic. He has managed numerous international deployments in physical access and security. Nerrant was responsible for the deployment of the largest North American automated parking point of sale (POS) system and managed the development of the first unattended Light Rail POS incorporating online credit card payment in the United States.

Credit unions offer unique services to a unique member base—and they face unique challenges when rolling out multifactor authentication across all of their banking channels. Michel Nerrant of Crossmatch—a long-standing industry leader in authentication and identity management solutions—discusses how new biometric solutions can meet credit union needs.

The Role of Biometrics in Multifactor Authentication 2

TOM FIELD: To start with, let’s talk about credit unions. What do you find to be unique about these institutions and how they approach cybersecurity for their members and employees?

MICHEL NERRANT: Well, Tom, credit unions, much like any financial institutions, are prone to cyberattacks and fraud. But what makes credit unions unique are a couple of things. Usually small institutions tend to focus more on customer service. Therefore, enhancing security in a frictionless manner is very important to them. Credit unions’ customer base tends to also be an older population than average retail banks. That makes for a unique challenge. We are talking about a population that may not always be technology-savvy and may be prone to phishing or account takeover attacks. So, being able to protect those customers, internal and external, is quite a unique challenge for them.

Multifactor AuthenticationFIELD: Well, that’s great context. Given what you’ve told us, what are the unique factors that need to be considered when institutions roll out a multifactor authentication solution to these unique constituents?

NEERANT: Multifactor authentication, also known in the industry as MFA, is a great technology and it has been known for many, many years but has yet to become a common practice due to its complexity and friction. Credit unions have a very complex ecosystem of internal and external customers. In addition, they have numerous channels—branches, ATMs, internet banking, mobile banking, and on and on. Therefore, they have to look into a solution that has not only provided multifactor authentication, but it also integrates across all those channels and platforms at every moment.

Stepping Up SecurityFIELD: Michel, how do you find that credit unions are approaching the quandary of stepping up security, but at the same time, not adding any friction to that customer experience?

“Credit unions have a very complex ecosystem of internal and external customers.”

The Role of Biometrics in Multifactor Authentication 3

NEERANT: This is an industry where security is very important, but frictionless is probably more important. So, it’s all about providing the right level of security for every channel, every user, at the right moment.

Let’s take the example of a teller, sitting at the branch using two-factor authentication methods as they work in the morning for the first time. And as the day goes on, going to use biometrics to authenticate. It’s a good example of how multifactor authentication can be used in a context where you control the environment and still bring the convenience of biometrics.

Now if you take the same experience for a customer who might not be that versed in technology, or [might not be able] to use a technology such as biometrics or a physical token to authenticate, [you must] keep in mind that frictionless is all about using machine learning technology to look into the behavior of that customer and apply the right level of security at the right moment. For example, we look into the way a customer transacts, or even how they type their information, their account numbers and password and so on. If something is amiss, then and only then we can step up the authentications and ask for a second factor. In other words, using friction only when necessary. It is not to be said the behavior is only to be used for external customers; it can also usually be used for internal customers as well. But the conjunction of those two technologies allows for a very unique experience that is very suited for credit unions.

Biometric-Based SolutionsFIELD: Well I’m glad you brought up biometrics solutions. Talk to me a bit about some of the new biometric-based solutions. I’m thinking fingerprint, palm print, keyboard behavioral authentication. How do these factor into credit union plans going forward?

NEERANT: Biometrics is very important for many reasons and should be part of the credit union’s security features moving forward. Biometrics may not be used in the same context every channel, as was just discussed. Imagine using a physical device, on a mobile phone, for example. It’s not practical; it’s not usable even though it would be great from a security standpoint. Again, it may not be usable and feasible.

So it’s all about using the right technology at the right time and at the right moment. From an employee standpoint, using biometrics

is going to speed up the log-in process by removing the headache of forgetting passwords right after a long weekend, or holidays, or even when those have to be reset. It is fast, it is easy to use and it adds security. It’s a great technology.

Behavioral biometrics brings a second dimension to security by providing a frictionless, risk-based analysis and subsequently, asking the users, internal or external, for additional authentications only when needed. So, biometrics can be used …by a customer to unlock their phone or unlock their applications, but then something’s wrong in the way they’re typing their account numbers or typing their pin numbers. So in that case, the account can be locked; the account or the customer can be asked a second question—something only they know. So there are many ways to handle that step of authentication depending on the banks’ own policies.

In my opinion, machine learning biometrics in conjunction with traditional biometrics, such as fingerprints or palm prints … definitely should be part of the future of the security implementations for credit unions.

Crossmatch’s RoleFIELD: Well, talk to me a bit about Crossmatch now. How are you helping credit unions to deploy some of the multifactor authentication solutions we have talked about here today?

NERRANT: With over 20 years in the security and biometric industry, and with hundreds of credit unions as customers, it’s all about listening to our customers and building together a solution that meets their needs. DPCA, or digital persona composite authentication platform, is easy to deploy and is designed to sit on Microsoft infrastructure, making it easy for the bank’s IT staff to learn and to use. It’s a platform; that’s what you have to keep in mind. And therefore, it’s built by design to be scalable and adaptable to bring the best technologies or modalities under one authentication engine.

All multipoint integration technologies truly allow the authentication of users, internal or external, right from PC log-in to legacy applications, all the way to green screen or using API to connect with third-party solutions. For example, we provide an authentication platform to banking software using APIs and … other technology for those banks using cloud-based applications, such as Microsoft Office 365, for example.

So once again, the goal of a platform is truly to cover all the digital channels those banks have with one platform. n

Listen to the full interview: https://www.bankinfosecurity.com/interviews/role-biometrics-in-multifactor-authentication-i-3786

“It’s all about using the right technology at the right time and at the right moment.”

The Role of Biometrics in Multifactor Authentication 4

902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is

specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global Summit series connects senior security professionals with industry thought leaders to find

actionable solutions for pressing cybersecurity challenges.

Contact

(800) 944-0401 • sales@ismg.io