
Corporate Banking Transactions Using Biometric Payment Authentication (BPA) in Pakistan

1. Introductory Paragraph

The process of verifying a person's or entity's identity is referred to as authentication. The authentication process is one method used to control access to corporate customer accounts and transaction processing within the domain of corporate e-banking systems. Corporate customer users are typically required to provide valid identification data, followed by one or more authentication credentials (factors) to prove their identity.

Customer identifiers could be a user ID/password or a user ID/token device. Secret or unique information that is linked to a specific customer identifier and used to verify that identity is referred to as an authentication factor (e.g., PIN, password, and token response algorithm).

Customers are typically authenticated by requiring them to present some form of identification. One or more of the following are authentication factors:

Something that a person knows, such as a password or PIN. Access is granted if the user enters the correct password or PIN.

Something a person possesses, most commonly a physical device known as a token. Tokens are either self-contained devices that must be physically connected to a computer, or devices with a small screen that display a generated one-time password (OTP) that the user must enter to be authenticated.

Something that a person is, most commonly a physical characteristic such as a fingerprint. This type of authentication is known as "biometrics," and it frequently necessitates the installation of specific hardware on the system to be accessed.

There are numerous authentication methodologies, ranging from simple to complex. The level of security provided varies depending on the technique used and how it is deployed. Multifactor authentication uses two or more factors to verify a customer's identity and authorizes payments for corporate e-banking users. Authentication methods based on multiple factors can be more difficult to compromise and should only be used in high-risk situations. The effectiveness of a specific authentication technique is determined by the integrity of the chosen product or process, as well as how it is implemented and managed.

'Something that a person is.'

Biometric technologies identify or authenticate a living person's identity based on a physiological characteristic (something a person is). Fingerprints, iris configuration, and facial structure are examples of physiological characteristics. Enrollment is the process of adding people to a biometrics-based system. Enrollment involves taking data samples from one or more physiological characteristics, converting the samples into a mathematical model, or template, and registering the template in a database on which a software application can perform analysis.

Customers interact with the biometrics technology's live-scan process after enrolling. The customer is identified and authenticated using the live scan. The results of a live scan, such as a fingerprint, are compared to the system's registered templates. If a match is found, the customer is authenticated and given access.

A biometric identifier, such as a fingerprint, can be used in conjunction with a password (something a person knows) or a token (something a person has) as part of a multifactor authentication system. Currently, most banks in Pakistan use two-factor authentication, which includes a PIN and a token in addition to a user ID.

Fingerprint recognition technologies examine global pattern schemata on the fingerprint as well as minute unique marks known as minutiae, which are ridge endings and bifurcations or branches in the fingerprint ridges. The information extracted from fingerprints is extremely dense, which explains why fingerprints are such a reliable method of identification. Fingerprint recognition systems only save data that describes the exact minutiae of the fingerprint; images of actual fingerprints are not saved.
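The enrollment and live-scan comparison described above, combined with a PIN as a second factor, sketched as an added example (not code from the article or from any bank or vendor). The minutiae tuples, tolerances, the 0.8 threshold and all function names are assumptions made for illustration, and the matcher assumes the two scans are already aligned.

```python
import hashlib, hmac, math, os

# Constructed sample data: minutiae as (x, y, ridge angle in degrees, kind).
ENROLLED = [(10, 12, 30, "ending"), (40, 22, 95, "bifurcation"),
            (25, 60, 180, "ending"), (70, 45, 270, "bifurcation"),
            (55, 80, 10, "ending")]
# Constructed live scans: same finger with sensor noise and one missed
# minutia, and a different finger that happens to share one minutia.
SAME_FINGER = [(11, 13, 33, "ending"), (39, 21, 90, "bifurcation"),
               (26, 59, 178, "ending"), (71, 46, 275, "bifurcation")]
OTHER_FINGER = [(12, 50, 200, "ending"), (40, 22, 95, "ending"),
                (80, 15, 60, "bifurcation"), (25, 61, 185, "ending")]

def match_score(template, live, dist_tol=4.0, angle_tol=15.0):
    """Fraction of enrolled minutiae paired with a distinct live minutia.
    Simplification: no correction for rotation, translation or distortion."""
    unused = list(live)
    paired = 0
    for (x, y, a, kind) in template:
        for cand in unused:
            cx, cy, ca, ckind = cand
            d_angle = abs(a - ca) % 360
            d_angle = min(d_angle, 360 - d_angle)  # 355 and 10 degrees are 15 apart
            if (ckind == kind and d_angle <= angle_tol
                    and math.hypot(x - cx, y - cy) <= dist_tol):
                unused.remove(cand)  # each live minutia may pair only once
                paired += 1
                break
    return paired / len(template) if template else 0.0

def hash_pin(pin, salt):
    # Salted, slow hash so a leaked record does not expose the PIN directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(pin, template):
    """Register the template (not the fingerprint image) and the hashed PIN."""
    salt = os.urandom(16)
    return {"salt": salt, "pin_hash": hash_pin(pin, salt), "template": template}

def authorize_payment(record, pin, live_scan, threshold=0.8):
    """Both factors are always evaluated and both must pass."""
    pin_ok = hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin_hash"])
    finger_ok = match_score(record["template"], live_scan) >= threshold
    return pin_ok and finger_ok
```

Unlike the PIN check, the fingerprint check is a similarity score against a threshold: raising the threshold lowers false accepts but rejects more genuine scans.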

Banks in Pakistan that provide Internet-based products and services to their customers should employ effective methods for high-risk transactions involving access to customer information, the transfer of funds to third parties, or any other financial transaction. Banks' authentication techniques should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor authentication (e.g., ID/password) exploitation. Where risk assessments show that single-factor authentication is insufficient, banks should implement multifactor authentication, layered security, or other reasonably calculated controls to mitigate those risks.

Although some banks, particularly major multinational banks, have begun to use two-factor authentication, additional measures must be taken to avoid any unforeseen circumstances that may result in financial loss and reputation damage to the bank.

To authenticate customers, banks use a variety of technologies and methodologies. Customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), and physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins, or other types of tokens are examples of these methods.

In addition to these technologies, biometric identification can benefit two-factor authentication in two ways:

a) it adds an extra layer of security

b) it is inexpensive

Existing authentication methodologies in Pakistani banks rely on two fundamental factors:

i. Something the user knows (e.g. password, PIN)

ii. Something the user possesses (e.g. smart card, token)

In addition to the above, this paper proposes the use of another layer that is biometric in nature, such as a fingerprint.

Adding this, we get the following authentication methods:

i. Something the user knows (e.g. password, PIN)

ii. Something the user possesses (e.g. smart card, token)

iii. Something the user is (e.g. biometric characteristic, such as a fingerprint)

The success of a particular authentication method is determined by factors other than technology. It also depends on the implementation of appropriate policies, procedures, and controls. Customer acceptance, dependable performance, scalability to accommodate growth, and interoperability with existing systems and future plans are all requirements for an effective authentication method.

2. Techniques

The methodologies used in this paper are based on a two-step process. First, I have prior experience working in the Cash Management department of a leading multinational bank, where I implemented electronic banking solutions for corporate clients across Pakistan and geographies.

Second, I consulted and interviewed friends who work in the Cash Management departments of other banks in Pakistan and the Middle East to gain a better understanding of the market technology, its benefits, and the consequences of successful implementations.

3. Pakistani Implementation

This section discusses Biometric Payment Authentication (BPA), the use of a biometric characteristic, such as a fingerprint, to authorize financial transactions on corporate e-banking platforms, and its implementation in Pakistan. First, there is a descriptive analysis, followed by an economic benefit analysis of the presented methodology.

Because technology has advanced, fingerprint scanners are now available on almost every laptop, or a stand-alone scanning device can be connected to a computer. With the introduction of smartphones, fingerprint scanners are now available on phones as well (e.g. Apple iPhone, Samsung mobile sets, etc.).

End users in Pakistan should have no trouble using a fingerprint-scanning device on a laptop or a smart phone because all work must be done by banks implementing this methodology.

Aside from that, Pakistan is an ideal location for biometrics-based authentication because:

a. CNICs are issued after collecting biometric information from citizens, particularly fingerprints.

b. Telco companies need to maintain and validate an individual's fingerprints before issuing a SIM card.

These examples show that a large part of Pakistan's population is already familiar and comfortable with biometric (fingerprint) methodology. However, banks have to develop their e-banking portal or application accordingly, so that it accepts fingerprints for corporate users. The e-banking portal would invoke the end user's fingerprint device for either login or authentication of financial transactions. Enrollment can be performed either remotely, through the first login to the e-banking platform after the user has received setup instructions and passwords, or at the bank's customer service center.

This article suggests that banks in Pakistan move to multifactor authentication using a PIN and fingerprints. Fingerprints are unique and complex enough to provide a robust template for authentication. Using multiple fingerprints from the same individual affords a greater degree of accuracy. Fingerprint identification technologies are among the most mature and accurate of the various biometric methods of identification.

Now let's discuss the economic benefits of using a PIN and fingerprints instead of token devices for authentication. Before we dive into the statistics, let's first look at the current process, from token inventory ordering to delivery to the end user, and then maintenance if a token is lost or faulty.

Most banks in Pakistan order and import tokens from a US-based company called 'VASCO Data Security International Inc.'. Once an order is placed, VASCO ships the tokens to the ordering bank, and the bank receives them after clearing customs duties. The bank settles VASCO's invoices by sending the amount through outward remittance along with the courier charges. The bank then initializes the tokens and, upon a customer's written request, issues a token to an end user. The token is couriered to the end user, and training is conducted by phone or through a physical visit by the bank's representative to the customer's office. Any lost or faulty tokens are replaced with new ones and again couriered to end users. Tokens are returned to the bank if an end user resigns from their organization or is moved into another role that doesn't involve banking-related operations or use of the e-banking platform.

In theory this seems simple, but in practice these are very time-consuming activities, and a cost is associated with each step mentioned above.

Now, let's calculate the costs associated with the above activities and build some statistics so that a cost-benefit analysis can be done.

Currently, some banks in Pakistan have introduced fingerprint recognition technologies to authenticate ATM users and are in the process of eliminating the need for an ATM card, which will eventually save banks the cost of replacing lost or stolen cards.

Cost calculations are approximations and not to be taken as true cost for any budgeting.

3.1. Descriptive Statistics

The descriptive statistics below cover the process from token inventory ordering to delivery to the end user, and then maintenance if a token is lost or faulty (statistics built on a consumption of roughly 1000 tokens per year per bank).

Descriptive Statistics

| Item | Cost (USD) | Cost (PKR) |
|---|---|---|
| Tokens Cost (1000 tokens) | 15,000 | 1,569,000 |
| Custom Duty | 4,610 | 482,206 |
| Courier to End User | 922 | 96,441 |
| Training Cost | 7,376 | 771,530 |
| Total | 27,908 | 2,919,177 |

The above statistics show that approximately 28,000 USD (amount in USD rounded to thousands) is spent on tokens by a single bank, which can easily be saved if the token is replaced by fingerprints. This is not only a cost saving for a bank but also eases its administration and maintenance.

Forex interbank rates as of December 23, 2016 http://www.forex.com.pk

4. Change Management Grid

Stage One: "Coming to Grips with the Problem"

Mind-set (Thinking/Understanding)

a. Currently, banks are incurring substantial costs on purchasing physical tokens, which can easily be eliminated by using a biometric methodology such as fingerprints.

Motivation (Emotional/Intuitive Dynamics)

a. The current methodology of token ordering takes time and incurs cost until the tokens reach the bank. Specific training then needs to be conducted for end users on token device activation and usage. Maintenance is another major activity for banks. As biometric scanners are readily available on laptops and smartphones, this change is achievable without any large cost. Fingerprint authentication will relieve end users of remembering too many passwords, and they will not have to carry physical devices with them all the time.

Behavior (Capability)

a. Banks in Pakistan need to be visited, and proper presentations will be conducted to brief their I.T. teams on this easy-to-use and secure technology, their finance teams on the cost benefits, and their operations teams on the reduction in operational maintenance.

b. Demos will also be arranged to show live how this new technology assists banks.

c. End users will have to use fingerprints to log in or authenticate transactions instead of using physical tokens.

Stage Two: "Working through the Change"

Mind-set (Thinking/Understanding)

a. Biometric authentication will help banks reduce cost and operational hassle. This technology will also ease end users' day-to-day e-banking activities. Proper training will be conducted for the bank's concerned team. End users will also be guided through fingerprint enrollment.

Motivation (Emotional/Intuitive Dynamics)

a. Banks have to invest first to adopt this new technology, but this will eventually help them reduce recurring cost and operational maintenance.

b. End users will no longer have to carry any gadgets and will perform banking activities with the touch of a finger.

Behavior (Capability)

a. Post-implementation reviews will give banks feedback from customers who have started using the new technology, and client experience will help banks enhance their product.

b. With fingerprint technology, corporate customers will no longer have to pay any additional cost for requesting tokens.

Stage Three: "Attaining & Sustaining Improvement"

Mind-set (Thinking/Understanding)

a. Banks to hold client experience forums, which will provide customer feedback and new ideas for future enhancements.

b. Banks to update Departmental Operating Instructions (DOI) for employees, emphasizing their roles and responsibilities with respect to this new technology.

Motivation (Emotional/Intuitive Dynamics)

a. Banks can launch a reward campaign for employees who successfully migrate e-banking users from tokens to fingerprint technology.

b. Likewise, promotional fee waivers can be offered to customers for adopting this technology.

Behavior (Capability)

a. Training and retraining to be conducted for new and existing bank staff to emphasize the benefits of biometric authentication.

b. Customers can be retrained or refreshed on this technology by sending regular product brochures and short training videos.

c. Quarterly feedback will be gathered from all customers to assess their knowledge of biometric authentication and collect new ideas for future enhancements.

5. Monitoring / Evaluating

Banks, being a service-oriented industry, always focus on 'Customer First'. Through client experience forums, customer feedback will be obtained; any issues faced will be addressed through keen follow-ups, and final feedback will be taken from the customer upon resolution.

The post-implementation review will give a clearer picture of the biometric methodology implemented and will also provide further viewpoints for future enhancements.

6. Conclusion

This study aims to examine the replacement of physical tokens used by corporate e-banking platform users with the end users' fingerprints for login to the e-banking channel and authentication of financial transactions. The findings of this study reveal that this new technology will not only benefit banks from a cost and maintenance perspective but will also give corporate end users the peace of mind of not having to remember too many passwords or carry a physical token wherever they go.

--- NOTICE ---
Please credit our website (https://bankingfinancetips.com) if you want to use this article or any of the content of this website, and mention the source link (URL) of the content, images, videos or other media of our website.

"Corporate Banking Transactions Using Biometric Payment Authentication (BPA) in Pakistan" was written by Mark under the Finance category. It has been read 124 times and generated 0 comments. The article was created on and updated on 13 January 2023.