Could the future of financial services be password-free? This startup founder thinks so
In the world of cybersecurity, threats abound. But one of the most common and persistent risks for financial service and other firms is generated by customers themselves: weak and guessable passwords. Even as financial institutions add layers of security, passwords often remain part of the picture.
But what if the future could be wholly password-free? That’s the mission of one cybersecurity expert and startup founder, Ori Eisen. His Scottsdale, Ariz.-based company, Trusona, has developed a login app that eliminates the username and password status quo. And whether companies choose his solution or something else, Eisen says passwords have got to go.
“The cost of doing nothing is now too high,” says Eisen, who also founded the fraud prevention tech company 41st Parameter, which he sold to Experian. “We have to take a proactive – instead of reactive – approach to cybersecurity, otherwise we’re just continually helping the wrong side.”
Tired of passwords? So is everyone
Passwords pose a security risk to financial service organizations for a whole host of reasons. First is the fact that users typically don’t create the complicated, hard-to-crack passwords that every CISO or CIO hopes they will. Case in point: After analyzing 10 million leaked passwords, security firm Keeper revealed that the most common is “123456.” Keeper also reported that seven of the top 10 most common passwords are just six characters, meaning that password-cracking software can crack them in mere seconds.
Why are consumers so uninspired, or perhaps unmotivated, when it comes to developing more challenging passwords? In a 2016 cybersecurity study by the National Institute of Standards and Technology, more than half of the participants had symptoms of so-called security or password fatigue. “Participants expressed a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance,” when it came to online account security and passwords. Basically: Many consumers are tired of making new passwords, and are not certain that doing so does much to protect them anyway.
Unfortunately, even as security technology begins to include more multi-factor authentication tools, passwords remain a part of the process. And obtaining and selling them is still big business for hackers and other cyber criminals. “Static passwords are a security risk; you have to store them and once you do, you’ve created a honeypot that bad guys can access,” says Eisen, who is also the former Director of Fraud for American Express and Verisign.
Like the Internet—but password-free
The risk, frustration and fatigue around account passwords haven’t escaped financial service security leaders, who are exploring new ways of authenticating users that attempt to bypass passwords. For example, Transamerica announced earlier this year that its customer call centers were switching to voice biometrics, allowing the company to identify clients by the sound of their voices. Edward Jones also debuted a new security feature that allows its customers to sign in to their accounts via their thumbprints.
Eisen’s company, Trusona, developed a multi-factor authentication approach with levels of security that increase depending on the type of user. “The biggest problem with the Internet is that you don’t know who is on the other end,” Eisen says. The company offers three levels of authentication that aim to solve this. At its base, clients sign into a mobile app with a PIN code or their thumbprint. The company, which recently closed a $10 million Series B funding round led by Microsoft Ventures, then uses an additional patented technology to authenticate users and ensure that no login can be reused.
The elite level incorporates the biometrics and the patented no-replay technology, then adds an in-person identity verification step that includes physically meeting and providing documents such as a passport. After an elite user completes this one-time identity proofing, Trusona installs a token that only works on that user’s device. As an added measure, the company has insured the entire process, working with underwriters to provide a $1 million payout in the event an unauthorized person accesses an elite user’s account. “We’re piloting all levels of the product,” Eisen says. “The elite level is usually for employees that have access to incredibly sensitive information or the ability to authorize significant financial transactions.”
With millions of customers and billions of dollars at risk, financial service firms are certainly paying attention to cybersecurity issues, and potential improvements. Still, there are barriers within the traditional business model that can make taking proactive action challenging.
For example, Eisen notes that the financial services industry is usually about two to three years behind the latest technology. Why? That’s largely because of the procurement process that many large institutions follow to acquire new vendors. He explains: “Let’s say today that a new malware was discovered and that the same day a third-party vendor finds a way to fix it. So there’s zero days to find a cure. If that same day a big bank looks for a vendor to help, it can take three months to select a vendor, three months to pilot the program, three months to install the software. Then you still need to train people.”
Meanwhile, Eisen notes, cybercriminals can turn on a dime. “So we’re in a constant state of catching up,” he says. “What the industry needs to do is start to leapfrog over the threats, in order to be prepared.” And for this startup founder – and increasingly for financial service and other industry CISOs – that means finding ways to eliminate passwords as a component of cybersecurity.