Credit Unions Have a Mobile, Desktop Validation Problem
Unrelenting fraud risks have prompted many credit unions to deploy hack-resistant mobile and desktop platforms. But the increasingly complex user-authentication processes guarding some of those platforms are highlighting a growing tension between fraud mitigation and member convenience.
It’s a tension many credit unions never intended to create — most don’t want to cause frustration when they require members to have different usernames and passwords for desktop access versus mobile access, for example, or when they use phone calls to authenticate a member’s online presence.
But recent research suggests some members are indeed losing their patience with complex or disjointed authentication requirements. About half (48%) the respondents in a FICO survey out last summer, for instance, said they were frustrated with two-step verification, and about eight in 10 said they didn’t see the need for what they considered unwarranted security procedures. Another survey, by IBM Security, found that 47% of people under 24 would rather have a faster sign-in experience than a more secure form of authentication. That same survey also found that the average American internet user is managing over 150 online accounts that require a password. The number is expected to rise to over 300 accounts in coming years.
Here’s what three industry pros say is causing some of the authentication disconnect for many credit unions — as well as how credit unions can overcome that disconnect and keep fraud at bay without driving members away.
Separate vendors, separate lives
One common source of authentication frustration stems from requiring members to have different logins and passwords for a credit union’s desktop online banking platform versus its mobile banking platform. That’s often a side-effect of having different vendors for mobile and desktop platforms, according to Andrew Wayman, who is vice president of digital banking at the digital banking technology company Kony DBX. It can be difficult to find a vendor that does it all, he noted.
“A lot of these companies…they’re very siloed. So you’ll go to one, and they only do mobile banking. Or you’ll go to another one, and they only do online banking. Sometimes you can get them to use a common authentication method or common set of credentials. But if they don’t do that, it becomes problematic,” he explained.
The result is completely separate authentication processing, which can mean different questions and answers or different one-time passwords, added Siva Narendra, who is CEO of Portland, Ore.-based digital security firm Tyfone. “Because these are two different platforms, the vendors don’t necessarily talk to each other. That’s not uncommon.”
Having separate vendors for desktop and mobile can also be less secure, Narendra added.
“Imagine digital services is like a castle. If I have one password for mobile and one password for online, I have two doors to the castle and I will protect both doors. Having two doors that can give me access to the castle actually makes the probability of compromise more, not less,” he explained. “If you want to have multiple doors, the way you want to have it is one door after another, not one door in parallel to another.”
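The castle analogy stated as probabilities, as an added worked equation that is not part of the article: let $p_m$ and $p_o$ be the (assumed independent) probabilities that an attacker defeats the mobile credential and the online-banking credential, respectively.

```latex
\text{Doors in parallel (either credential alone opens the account):}\quad
P_{\parallel} = 1-(1-p_m)(1-p_o) = p_m + p_o - p_m p_o \;\ge\; \max(p_m,\,p_o)

\text{Doors in series (both must be passed, as in a second factor):}\quad
P_{\text{series}} = p_m\, p_o \;\le\; \min(p_m,\,p_o)

\text{Example with } p_m = p_o = 0.01:\qquad P_{\parallel} = 0.0199,\qquad P_{\text{series}} = 0.0001
```

A second independent credential therefore roughly doubles exposure when it is an alternative way in, and reduces it by orders of magnitude only when it is required in addition to the first.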
To serve and protect
One way to avoid creating authentication frustration for members is to have the same vendor for mobile and desktop. But that can be harder than it looks.
Some vendor contracts can run five to eight years, which may put credit unions in a sticky two-vendor situation for a long time, Wayman noted. Negotiating shorter contracts and escape clauses for outdated technology can give credit unions a big advantage; inserting volume-based pricing incentives can be helpful, too — most online or mobile banking vendors don’t offer tiered pricing or price breaks for high volumes, he said.
Some credit unions may mistakenly think they’ve got the same vendor for their mobile and desktop platforms.
“You may have one contract to provide all channels but [it’s] implemented by two companies that they may own,” Narendra explained. “So, it looks like one contract, but the implementation is on different platforms, and that becomes very laborious. The user experience is difficult. Sometimes logins can be different; login authentication process can be different.”
New technology can turn the tide in authentication frustration. For example, most smartphones now have front-facing cameras, which has made facial recognition a more viable authentication method, Wayman noted.
Mobile and desktop won’t be the only platforms that need authenticating, either. Watch and voice technologies are rapidly becoming necessities, Narendra said.
Nonetheless, more desktop-using members may need two devices in order to log in to their accounts.
Ken Otsuka, who is a CPA senior consultant for risk and compliance solutions at CUNA Mutual Group, said use of the mobile channel for out-of-band authentication is growing and that he’s seeing more credit unions starting to offer it. Out-of-band authentication uses a communication channel other than the channel being accessed to provide a second piece of identity proof. A member signing in via desktop might receive a one-time passcode via email, phone or text, for example.
However, email accounts, voice calls and texts can be hacked, redirected or affected by malware, Otsuka noted, which is why sending passcodes to apps is becoming a trend.
“A best-practice credit union wanting to adopt this out-of-band authentication method that leverages one-time passcode is to deploy a secure, fast-paced method by pushing that one-time passcode to the app that is residing on that member’s mobile device,” he said.
“Credit unions should not rely on one specific control like multifactor authentication,” he said. “I generally suggest that credit unions go farther and adopt out-of-band authentication — using a secure app-based method of pushing those one-time passcodes to the app — and a real-time fraud monitoring system that’s capable of identifying and stopping suspicious transactions.”
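The app-push variant of out-of-band authentication that Otsuka describes, sketched as an added Python example (not code from any vendor or credit union mentioned here): a desktop login attempt requests a one-time passcode, the service pushes it only to the member's enrolled app instance rather than to email or SMS, and the code is bound to that one attempt, expires, and can be used once. The class and all identifiers (`OutOfBandOTP`, `member-42`, `app-device-A`, the 120-second lifetime) are constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # constructed policy value, not from the article

@dataclass
class Challenge:
    device_id: str        # enrolled app instance the code was pushed to
    code: str
    expires_at: float
    used: bool = False

class OutOfBandOTP:
    # Hypothetical service: codes go only to the member's enrolled app and
    # are bound to one desktop login attempt (session_id).
    def __init__(self, enrolled_devices, push, clock=time.time):
        self.enrolled = enrolled_devices   # member_id -> enrolled device_id
        self.push = push                   # push(device_id, code) delivers to the app
        self.clock = clock
        self.challenges = {}               # session_id -> Challenge

    def issue(self, member_id, session_id):
        device_id = self.enrolled.get(member_id)
        if device_id is None:
            raise LookupError("no enrolled app; push channel unavailable")
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.challenges[session_id] = Challenge(device_id, code, self.clock() + OTP_TTL_SECONDS)
        self.push(device_id, code)

    def verify(self, session_id, submitted):
        ch = self.challenges.get(session_id)
        if ch is None or ch.used or self.clock() > ch.expires_at:
            return False                               # unknown, consumed or expired
        ch.used = True                                 # single use, even on a typo (re-issue instead of allowing guesses)
        return hmac.compare_digest(ch.code, submitted) # constant-time comparison

def demo():
    # Constructed member, in-memory "app inbox" standing in for the push channel, settable clock.
    now, inbox = [1_000.0], {}
    svc = OutOfBandOTP({"member-42": "app-device-A"}, inbox.__setitem__, lambda: now[0])
    svc.issue("member-42", "desktop-session-1")
    code = inbox["app-device-A"]
    r = {"wrong_session": svc.verify("desktop-session-2", code),  # bound to one attempt
         "correct": svc.verify("desktop-session-1", code),
         "replay": svc.verify("desktop-session-1", code)}         # single use
    svc.issue("member-42", "desktop-session-3")
    now[0] += OTP_TTL_SECONDS + 1
    r["expired"] = svc.verify("desktop-session-3", inbox["app-device-A"])
    return r
```

`demo()` returns a dict showing that the pushed code is accepted exactly once, only for the login attempt that requested it, and not after its lifetime; the real-time transaction monitoring Otsuka pairs with it is a separate control outside this sketch.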
Whether credit unions adopt this technology often depends on whether their vendors can provide it, Otsuka noted.
Nonetheless, it’s unlikely the industry will return to the days when a username and password were all members needed to access their accounts or move money around.
“I’m a risk manager, so I’m a strong believer in protecting member accounts,” Otsuka said. “As a consumer, I would want my online account to be protected. Even if I have to jump through a hoop or two, I’m good with that.”