By Eric Renaud-Oracle on Feb 04, 2015
Author: Forest Yin
Security is a key business consideration: it protects customer data and transactions, business secrets and intellectual property (IP), and it ensures compliance with regulations. On the other hand, a better user experience is critical, as it attracts more customers and more transactions, or makes employees more productive.
But how can you provide a better user experience while at the same time enhancing security?
Let’s take a look at a real-world example. A large bank used to provide mobile online banking through their browser applications. However, their customer rating of mobile online banking experience was well below the bank’s competitors. As mobile banking is becoming the most important channel of customer interaction, in order to better compete, the bank decided to provide a native mobile application for online banking.
However, mobile banking carries inherently higher risk than traditional channels. For example, the device can easily be lost or stolen, and the password can easily be obtained through shoulder surfing. Given these challenges, stronger security is required for mobile access. But for user experience reasons, the bank could not require customers to register their devices, or to always use a one-time password (OTP) or another type of multi-factor authentication (MFA), which might turn customers away.
Even the typical web username-and-password login is inconvenient on a mobile device.
To ensure tight security while providing excellent user experience, the bank implemented a solution with the following capabilities:
1. Initial setup process
a. When the customer first downloads and installs the native mobile banking application on a mobile device, the user registers the application with the backend server through user name and password authentication.
b. As this is the first time the device with the application is trying to connect to the backend, a one-time-password through email or SMS is sent to the user to further validate the user.
c. Once the user is validated upon application registration, the device fingerprint is taken automatically to register the device for the user.
d. The user can then set up a 4- to 6-digit pin for their future online banking access.
2. Online banking experience after initial setup
a. The user launches the mobile app on the mobile device with a pin.
b. To look up an account balance, no further user authentication is needed if the device fingerprint is validated (automatically in the background).
c. Banking transactions such as money transfers require a pin-based authentication without the need for username-password authentication.
3. Risk control and adaptive authentication. Although the experience above is what the majority of customers see most of the time, the solution continuously monitors and analyzes risk from real-time context such as device, location, transaction amount and frequency, evaluated against defined policies and access patterns. If the risk is deemed high, the user may be required to authenticate further with an OTP or Knowledge-Based Authentication (KBA), or in some cases may be denied access altogether.
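To make the three steps concrete, here is a small policy engine, added to this post as an illustration and not code from the bank or from Oracle Access Management. It enrolls a device fingerprint only after the OTP check, stores a salted PBKDF2 hash of the 4- to 6-digit PIN, and then scores each request on the same context the post names (device, location, amount, frequency) to choose between allowing, asking for the PIN, stepping up to OTP, or denying. The risk weights, thresholds (`HIGH_AMOUNT`, `MAX_TRANSFERS_PER_HOUR`), the `UserProfile`/`Request` layout and the sample user are all constructed assumptions.

```python
# Added example: an adaptive-authentication policy engine in the shape of the
# flow described above. Scores, thresholds and data layout are assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Set

HIGH_AMOUNT = 5000.0         # assumed: transfers at or above this are "high value"
MAX_TRANSFERS_PER_HOUR = 3   # assumed: more than this in an hour is unusual frequency


@dataclass
class UserProfile:
    username: str
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    device_fingerprints: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt: a leaked profile store should not reveal short PINs outright
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def register_device(profile: UserProfile, fingerprint: str, otp_verified: bool) -> None:
    # Steps 1b-1c: the fingerprint is enrolled only after the email/SMS OTP check passed
    if not otp_verified:
        raise PermissionError("device registration requires OTP validation")
    profile.device_fingerprints.add(fingerprint)


def set_pin(profile: UserProfile, pin: str) -> None:
    # Step 1d: a 4- to 6-digit PIN for later access
    if not (pin.isdigit() and 4 <= len(pin) <= 6):
        raise ValueError("PIN must be 4 to 6 digits")
    profile.pin_salt = os.urandom(16)
    profile.pin_hash = hash_pin(pin, profile.pin_salt)


def verify_pin(profile: UserProfile, pin: str) -> bool:
    # constant-time comparison of the stored and the freshly derived hash
    return hmac.compare_digest(hash_pin(pin, profile.pin_salt), profile.pin_hash)


@dataclass
class Request:
    fingerprint: str
    country: str
    action: str                  # "balance" or "transfer"
    amount: float = 0.0
    transfers_last_hour: int = 0
    pin: Optional[str] = None


def decide(profile: UserProfile, req: Request) -> str:
    """Step 3: score real-time context, then return ALLOW, REQUIRE_PIN, STEP_UP_OTP or DENY."""
    risk = 0
    if req.fingerprint not in profile.device_fingerprints:
        risk += 3   # unknown device is the strongest single signal
    if req.country not in profile.usual_countries:
        risk += 2
    if req.action == "transfer" and req.amount >= HIGH_AMOUNT:
        risk += 2
    if req.transfers_last_hour > MAX_TRANSFERS_PER_HOUR:
        risk += 2
    if risk >= 5:
        return "DENY"            # several strong signals together: refuse outright
    if risk >= 2:
        return "STEP_UP_OTP"     # moderate risk: challenge with OTP (or KBA)
    if req.action == "balance":
        return "ALLOW"           # step 2b: known device, low risk, read-only lookup
    # step 2c: transactions need the PIN, never the full username/password
    if req.pin is None or not verify_pin(profile, req.pin):
        return "REQUIRE_PIN"
    return "ALLOW"


def demo() -> dict:
    # Constructed scenario: enrol one user, then run several access requests through the policy
    alice = UserProfile(username="alice", usual_countries={"US"})
    register_device(alice, "fp-alice-phone", otp_verified=True)
    set_pin(alice, "4821")
    scenarios = {
        "balance_known_device": Request("fp-alice-phone", "US", "balance"),
        "small_transfer_with_pin": Request("fp-alice-phone", "US", "transfer", 120.0, 1, "4821"),
        "small_transfer_wrong_pin": Request("fp-alice-phone", "US", "transfer", 120.0, 1, "0000"),
        "large_transfer": Request("fp-alice-phone", "US", "transfer", 9000.0, 1, "4821"),
        "unknown_device_balance": Request("fp-unknown", "US", "balance"),
        "unknown_device_abroad_large": Request("fp-unknown", "BR", "transfer", 9000.0, 5, "4821"),
    }
    return {name: decide(alice, req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30s} -> {outcome}")
```

The ordering in `decide` is the point: risk is evaluated before the credential check, so a correct PIN from an unknown device still gets an OTP challenge, and a large transfer from a known device is stepped up even though the PIN is right. Tuning the weights is where a real deployment spends its effort; the structure stays the same.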
With the launch of native-application-based online banking and the excellent user experience provided, the bank’s new mobile online banking service gained wide adoption and the bank’s service rating increased substantially.
The key to balancing security with user experience is an intelligent Access Management solution that understands real-time risk and context and accordingly takes adaptive actions. For example, we all know that passwords are not safe enough. However, it is not practical to require all consumers or even all employees to use MFA all the time due to experience and adoption issues. Security and user experience can be balanced through an intelligent security system.
Users appreciate the fact that they can continue to use passwords as they always have and will only be challenged further with MFA when risk is high.
In future blogs, we will talk about how Oracle Access Management can intelligently provide context-aware, content-aware and risk-aware access to simplify user experience, so please stay tuned.
About the Author
Forest Yin is the Senior Director of Product Management for the Oracle Access Management and Directory Services product lines. Forest has been in the identity management industry for almost 15 years, starting with Netegrity.
The author can be reached via LinkedIn.