The procedure of confirming a person's or an entity's identification is referred to as ""authentication."" The authentication procedure is one tool used to regulate access to corporate customer accounts and transaction processing inside the realm of corporate e-banking systems. Corporate customer users must normally provide proper identification information, followed by one or more authentication credentials (factors), in order to be authenticated.
User ID, password, or a user ID/token device are all examples of customer identifiers. An authentication factor is a piece of private or distinctive data connected to a particular customer identify that is used to confirm that identity (examples include PINs, passwords, and token response algorithms).
Customers are typically required to produce some type of identity proof in order to be authenticated. One or more of the following is included in authentication factors:
Something that a person is aware of, usually a PIN or password. Access is provided if the user enters the right PIN or password.
Something a person possesses, most frequently a tangible object known as a token. Devices with a small screen where a one-time password (OTP) is displayed or can be created after entering a PIN and which the user must enter to be authorized are examples of tokens. These devices must be physically connected to a computer.
Something that a person is, most frequently a physical trait like a fingerprint. This sort of authentication is known as ""biometrics,"" and it frequently necessitates installing particular hardware on the system being accessed.
There are numerous, simple, and complicated authentication mechanisms. Depending on the technique utilized and how it is deployed, a different level of security is offered. To validate a customer's identity and enable corporate e-banking users to authorize payments, multifactor authentication uses two or more factors. For high-risk circumstances, authentication approaches based on numerous criteria should be taken into consideration because they can be harder to compromise. A given authentication method's efficacy depends on the reliability of the process or product chosen as well as how it is implemented and handled.
A person's ""something""
Biometric technologies use a physiological characteristic to identify or verify the identity of a living person (something a person is). The anatomy of the face, the iris, and fingerprints are examples of physiological traits. Enrollment is the procedure of adding users to a biometrics-based system. As part of enrollment, data samples are obtained from one or more physiological features, translated into a mathematical model, or template, and registered into a database on which a software application can do analysis.
Customers engage with the biometrics technology's live-scan procedure after enrolling. The customer is recognized and verified using the live scan. A live scan's output, like a fingerprint, is compared to the registered templates that are kept in the system. The customer gets authenticated and given access if there is a match.
A multifactor authentication system may combine a biometric identification, such as a fingerprint, with a password or token (something the user is aware of) (something a person has). Currently, most banks in Pakistan utilize two-factor authentication, which combines a user ID and a PIN or token.
The minutiae—ridge ends and bifurcations or branches in the fingerprint ridges—as well as the global pattern schemata on the fingerprint are both analyzed by fingerprint recognition technology. The incredibly dense data retrieved from fingerprints explains why fingerprints are a very reliable form of identification. Images of actual fingerprints are not stored by fingerprint recognition systems; only data detailing the minute details of each fingerprint is.
For high-risk transactions requiring access to client information, the transfer of funds to third parties, or other financial activities, banks in Pakistan that offer Internet-based products and services to their consumers should employ appropriate procedures. The banks' authentication methods must be compatible with the risks involved in providing such goods and services. Single-factor (such as ID/password) authentication vulnerabilities are frequently the cause of account fraud and identity theft. Banks should employ multifactor authentication, layered security, or other safeguards that are reasonably calculated to mitigate such risks in situations when risk assessments show that the use of single-factor authentication is insufficient.
Even though some banks, particularly the major international banks, have begun to employ two-factor authentication, additional precautions must be taken to ensure information security in order to prevent any unforeseen events that could cause the bank to suffer financial loss and damage its reputation.
Banks authenticate consumers using a range of technologies and procedures. Customer passwords, personal identification numbers (PINs), digital certificates employing a public key infrastructure (PKI), physical devices like smart cards, one-time passwords (OTPs), USB plug-ins, or other kinds of tokens are some of these techniques.
Biometric identification, in addition to these methods, may provide additional benefits for two-factor authentication:
A) as an extra measure of security
b) Cost-efficient
Two fundamental variables are involved in the current authentication procedures employed in Pakistani banks:
1. A fact about the user (e.g. password, PIN)
ii. A characteristic of the user (e.g. smart card, token)
This research article suggests using a biometric layer—such as a fingerprint—in addition to the ones mentioned above.
Thus, when this is included, the following authentication procedures result:
1. A fact about the user (e.g. password, PIN)
ii. A characteristic of the user (e.g. smart card, token)
iii. Something the user is (e.g. biometric characteristic, such as a fingerprint)
The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.
2. Methodology
The methodologies applied in this paper build on a two-step approach. First, through my past experience working in Cash Management department of a leading multinational bank, implementing electronic banking solutions for corporate clients throughout Pakistan and across geographies.
Secondly, consulting and interviewing friends working in Cash Management departments of other banks in Pakistan and Middle East for better understanding of the technology used in the market; its benefits and consequences for successful implementations.
3. Implementation in Pakistan
Biometric Payment Authentication (BPA) i.e. biometric characteristic, such as a fingerprint for authorizing financial transactions on corporate e-Banking platform implementation in Pakistan will be discussed in this section. First the descriptive, then the economic benefit analysis for adopting the presented methodology.
As technology is very much advanced today, fingerprint scanners are now readily available on almost every laptop or a stand-alone scanning device may be attached to a computer. Also with the advent of smart phones, now the fingerprint scanner is available on phones as well (e.g. Apple iPhone, Samsung mobile sets etc)
In Pakistan, end users shouldn't have trouble using a fingerprint-scanning device on a laptop or on a smart phone as all work which needs to be done has to be done by banks introducing this methodology.
Besides this Pakistan is a perfect location to implement biometrics based authentication, mainly because:
a. CNICs are issued after taking the citizen's biometric information - especially fingerprints
b. Telco companies needs to maintain and validate an individual's fingerprints before issuing a SIM card
These examples show that a large population Pakistan is already familiar and comfortable with biometrics (fingerprints) methodology. However, banks have to develop their e-banking portal or application in accordance with and by accepting fingerprints for corporate users. The e-banking portal would invoke the fingerprint device of the end user for either login or authenticating financial transactions. Enrollment can be performed either remotely through first time login into e-banking platform after user has received setup instructions and passwords or at the bank's customer service center.
This article suggests banks in Pakistan to move multifactor authentication through PIN and; fingerprints. Fingerprints are unique and complex enough to provide a robust template for authentication. Using multiple fingerprints from the same individual affords a greater degree of accuracy. Fingerprint identification technologies are among the most mature and accurate of the various biometric methods of identification.
Now let's discuss the economic benefits of using PIN and; fingerprints instead of token devices for authentications. And before we deep dive into the statistics, first just look into the current process of token inventory ordering to its delivery to the end user and then its maintenance if any token is lost or faulty.
Mostly banks in Pakistan order and import tokens from a US based company called 'VASCO Data Security International Inc.'. Once order is placed, the VASCO ships the token to the respective ordering bank and the bank receives the tokens after clearing the custom duties. Banks settles the invoices of VASCO by sending back the amount through outward remittance along with the courier charges. Banks then initialize the token and upon customer written request issues the token to an end user. The token is couriered to the end user and training is conducted via phone or physical visit of the bank's representative to the customer office. Any lost or faulty token are replaced with new ones and again couriered to end users. Tokens are returned back to banks if any end user resigns their organization or is being moved into some other role that doesn't involve banking related operations or use of e-banking platform.
Theoretically it seems pretty simple, but practically these are very time consuming activities and cost is associated to each and every step mentioned above.
Now, let's do some cost calculation which are associated to the above activities and build some statistics so that cost benefit analysis can be done.
Currently, some of the banks in Pakistan, locally, have introduced fingerprint recognition technologies to authenticate ATM users and are in the phase of eliminating the need for an ATM card which will eventually help banks in cost saving of replacing lost or stolen cards.
Cost calculations are approximations and not to be taken as true cost for any budgeting.
3.1. Descriptive Statistics
The descriptive statistics for token inventory ordering to its delivery to the end user and then its maintenance if any token is lost or faulty (statistics built on roughly 1000 tokens consumption per year per bank) are shown in the below statistics.
Descriptive Statistics
Tokens Cost (1000 tokens) 15,000USD (1,569,000PKR)
Custom Duty 4,610USD (482,206PKR)
Courier to End User 922USD (96,441PKR)
Training Cost 7376 (771,530PKR)
Total 27908USD (2,919,177PKR)
The above stats shows that, approximately 28000USD (amount in USD rounding off to thousands) is spent on tokens by a single bank which can easily be saved if the token is replaced by fingerprints. It's not only cost saving for a bank but also ease off banks in administration and maintenance.
Forex interbank rates as of December 23, 2016 http://www.forex.com.pk
4. Change Management Grid
Stage One: """"Coming to Grips with the Problem""""
Mind-set (Thinking/Understanding)
a. Currently banks are paying lots of cost on physical token purchasing which can easily be eliminated by using biometric methodology such as fingerprints.
Motivation (Emotional/Intuitive Dynamics)
a. The current old methodology of token ordering takes time and cost till it reach banks. Then specific training needs to be conducted for end users for token device activation and usage. Maintenance is another huge activity for banks. As biometric scanners are easily available on laptops and smarts phone therefore this new change is easily achievable without any huge cost. Fingerprint authentication will ease end users from remembering too many password and they have not to carry the physical devices along with them all the time.
Behavior (Capability)
a. Banks in Pakistan needs to be visited and proper presentations will be conducted to brief their I.T. team with this easy to and; secure technology, finance team for the cost benefits and to their operations team about reducing their operation maintenance.
b. Demos will also be arranged to show in live how this new technology assist banks.
c. End user will have to use fingerprint to login or authenticate transactions instead of using physical tokens.
Stage Two: """"Working through the Change""""
Mind-set (Thinking/Understanding)
a. Biometric authentication will help banks to reduce cost and reduce operational hassle. This technology will also ease off end users with their day to day e-banking activities. Proper training to the bank concerned team will be conducted. End user will also be guided with the fingerprint enrollment.
Motivation (Emotional/Intuitive Dynamics)
a. Banks has to invest first to adopt this new technology but this will eventually help them to reduce the recurring cost and operational maintenance.
b. End users will no more have to carry any gadgets and will perform banking activities with a touch of a finger.
Behavior (Capability)
a. Post implementation reviews will help banks about the feedback of their customer whom have started using the new technology and client experience will help banks to enhance their product.
b. With fingerprint technology, corporate customer will no more have to pay any additional cost for requesting tokens.
Stage Three: """"Attaining and; Sustaining Improvement""""
Mind-set (Thinking/Understanding)
a. Banks to hold Client experience forums which will assist them on customer feedbacks and also give new ideas on any future enhancements.
b. Banks to update Departmental Operating Instructions (DOI) for employees, emphasizing on their roles and responsibilities across this new technology.
Motivation (Emotional/Intuitive Dynamics)
a. Banks can launch reward campaign for employees who will successfully migrate the e-banking users from token to fingerprints technology.
b. Likewise some promotion of fee waivers can also be offered to customers for availing this technology.
Behavior (Capability)
a. Training and; retraining to be conduct for any new bank staff or existing staff to emphasize the benefits of biometric authentication.
b. Customer can be retrained or refreshed about this technology by send regular product brochures and short videos on trainings.
c. Quarterly feedback will be conducted across all customers to assess their knowledge for the biometric authentication and gather new ideas on future enhancements.
5. Monitoring / Evaluating
Banks being a service oriented industry always focus on 'Customer First'. Through client experience forums customer feedbacks will be attained and issues, if any, faced will be addressed through keen follow-ups and final feedback on will be taken from customer upon resolution.
Post implementation review will give a clearer picture of the new biometric methodology implemented and will also get further view points for future enhancements.
6. Conclusion
This study aims to examine the replacement of physical token usage of corporate e-banking platform users with the end users fingerprints for their login into e-banking channel and financial transactions authentication. Findings of this study reveal that this new technology will not be only beneficial for the banks in cost and; maintenance perspective but will also ease corporate end users with a peace of mind of not remembering too many passwords or carrying the physical token wherever they roam.""" - https://www.affordablecebu.com/
