
Corporate Banking Transactions with Biometric Payment Authentication (BPA): A Pakistani Perspective


1. Overview

The term 'authentication' refers to the process of confirming a person's or entity's identity. In corporate e-banking systems, the authentication procedure is one of the controls used to restrict access to corporate customer accounts and transaction processing. Corporate customer users are typically required to provide legitimate identifying data, as well as one or more authentication credentials (factors), to prove their identity.


User ID/passwords or some type of user ID/token device can be used as customer identification. A secret or unique piece of information related to a specific customer identity that is used to validate that identity is called an authentication factor (e.g., PIN, password, and token response algorithm).


Customers are typically authenticated by requiring them to produce some type of proof of identity. One or more of the following authentication factors can be used:


Something a person knows, such as a password or PIN. Access is allowed if the user types in the proper password or PIN.


Something a person possesses, usually a tangible object known as a token. Examples of tokens are self-contained devices that must be physically connected to a computer, and devices with a small screen on which a one-time password (OTP) is displayed, or can be generated after entering a PIN, and which the user must then enter to be authorized.


Something a person is: a physical trait, such as a fingerprint, that identifies the person. This sort of authentication is known as "biometrics," and it frequently necessitates the installation of specialized hardware on the system in question.


There are a variety of authentication methods available, ranging from simple to complicated. The level of security provided varies depending on the technique used and how it is implemented. Multifactor authentication verifies a customer's identity and allows a corporate e-banking user to authorize payments by combining two or more factors. Multifactor approaches are more difficult to compromise and should be considered in high-risk circumstances. The integrity of the chosen product or process, as well as the manner in which it is deployed and managed, determines the effectiveness of a given authentication technique.


Something a Person Is

Biometric technologies use a physiological characteristic (something a person is) to identify a living person or authenticate their identity. Fingerprints, iris patterns, and face structure are examples of physiological traits. Enrollment is the procedure for adding people to a biometrics-based system. Enrollment involves taking samples of data from one or more physiological features, converting the samples into a mathematical model, or template, and registering the template in a database where a software application can perform analysis.


Once enrolled, customers interact with the biometric system's live-scan process. The customer is identified and authenticated via a live scan. The output of a live scan, such as a fingerprint, is compared to the system's registered templates. If a match is found, the customer is verified and permitted access.


A biometric identifier, such as a fingerprint, can be used in conjunction with a password (something the user knows) or a token (something a person has) as part of a multifactor authentication system. Currently, most banks in Pakistan utilize two-factor authentication, which includes a PIN and a token in addition to a user ID.


Fingerprint identification technologies analyze the global pattern schemata of the fingerprint as well as the minutiae, which are the ridge endings and bifurcations (branches) in the fingerprint ridges. The richness of the data retrieved from fingerprints explains why fingerprints are such a dependable means of identification. Fingerprint recognition systems do not store images of actual fingerprints; only data describing the specific fingerprint minutiae is saved.
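The enrollment, live-scan comparison and PIN-plus-fingerprint decision described above can be sketched as follows. This is an added example, not code from the article or from any bank or vendor; the minutiae coordinates, tolerances, the 0.8 threshold and the function names are assumptions, and the matcher is deliberately simplified (it skips the rotation and translation alignment a production matcher performs).

```python
import hashlib, hmac, math, os

# Constructed sample data. A minutia is (x, y, ridge angle in degrees, kind):
# kind "e" = ridge ending, "b" = bifurcation.
ENROLL_SCAN = [(10, 12, 30, "e"), (40, 44, 95, "b"), (70, 20, 180, "e"),
               (25, 80, 270, "b"), (60, 66, 10, "e")]
SAME_FINGER = [(11, 13, 33, "e"), (41, 43, 92, "b"), (69, 21, 176, "e"),
               (26, 79, 268, "b"), (61, 67, 356, "e")]   # small sensor jitter
OTHER_FINGER = [(15, 50, 200, "b"), (41, 43, 92, "b"), (80, 80, 45, "e"),
                (5, 5, 120, "e")]

def enroll(user_id, pin, scan, db):
    """Store a salted PIN hash and the minutiae template, never the image."""
    salt = os.urandom(16)
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)
    db[user_id] = {"salt": salt, "pin_hash": pin_hash, "template": list(scan)}

def match_score(template, live, dist_tol=4.0, angle_tol=15.0):
    """Fraction of minutiae paired within tolerance (no alignment step)."""
    unused, paired = list(live), 0
    for x, y, a, kind in template:
        for cand in unused:
            cx, cy, ca, ckind = cand
            d_angle = abs(a - ca) % 360
            d_angle = min(d_angle, 360 - d_angle)   # angles wrap at 360
            if (kind == ckind and math.hypot(x - cx, y - cy) <= dist_tol
                    and d_angle <= angle_tol):
                unused.remove(cand)                 # each live point pairs once
                paired += 1
                break
    return paired / max(len(template), len(live), 1)

def authorize_payment(user_id, pin, live_scan, db, threshold=0.8):
    """Require both factors; returns (decision, fingerprint score)."""
    rec = db.get(user_id)
    if rec is None:
        return False, 0.0
    pin_try = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 200_000)
    pin_ok = hmac.compare_digest(pin_try, rec["pin_hash"])
    score = match_score(rec["template"], live_scan)
    return pin_ok and score >= threshold, score

DB = {}
enroll("corp-user-1", "4821", ENROLL_SCAN, DB)
for label, pin, scan in [("same finger, right PIN", "4821", SAME_FINGER),
                         ("same finger, wrong PIN", "0000", SAME_FINGER),
                         ("other finger, right PIN", "4821", OTHER_FINGER)]:
    print(label, authorize_payment("corp-user-1", pin, scan, DB))
```

Unlike a PIN check, the fingerprint comparison yields a similarity score rather than an exact match, so the threshold sets the balance between rejecting genuine users and accepting the wrong finger.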


Banks in Pakistan that offer their consumers Internet-based products and services should utilize effective techniques for high-risk transactions including access to customer information, the transfer of funds to third parties, or any other financial transaction. Banks should use authentication mechanisms that are appropriate for the risks involved with those products and services. Single-factor (e.g. ID/password) authentication is routinely exploited, resulting in account fraud and identity theft. When risk assessments show that single-factor authentication is insufficient, institutions should adopt multifactor authentication, layered security, or other reasonable procedures to minimize such risks.


Although several banks, particularly the larger international institutions, have begun to adopt two-factor authentication, further precautions must be taken to avoid any unforeseen scenarios that could result in financial loss and damage to the bank's reputation.


To verify consumers, banks utilize a number of technologies and approaches. Customer passwords, personal identification numbers (PINs), digital certificates employing a public key infrastructure (PKI), and physical devices like smart cards, one-time passwords (OTPs), USB plug-ins, or other sorts of tokens are all examples of these methods.


Biometric identification, in addition to these technologies, can be an added benefit for two-factor authentication:


a) as an extra layer of protection


b) budget-friendly


Existing authentication methods in Pakistani banks are based on two factors:


i. Something the user knows (e.g. password, PIN)


ii. Something that the user possesses (e.g. smart card, token)


In addition to the above, this study proposes adding a biometric layer, such as a fingerprint.


As a result of this, we get the following authentication methodologies:


i. Something the user knows (e.g. password, PIN)


ii. Something that the user possesses (e.g. smart card, token)


iii. Something the user is (e.g. biometric characteristic, such as a fingerprint)


The success of an authentication system is determined by factors other than technology. Appropriate rules, processes, and controls are also required. Customer acceptance, dependable performance, scalability to handle growth, and interoperability with existing systems and future plans are all important characteristics of an effective authentication technique.


2. Research Methodology


The methods used in this paper are based on a two-step process. First, it draws on my previous experience working in a big multinational bank's Cash Management department, where I implemented electronic banking solutions for corporate clients within Pakistan and other regions.


Second, it involved consulting and interviewing people who work in Cash Management departments of other banks in Pakistan and the Middle East to gain a deeper grasp of the technology utilized in the industry, as well as its benefits and implications for successful deployments.


3. Pakistani implementation


This section discusses the implementation of Biometric Payment Authentication (BPA), which uses a biometric characteristic such as a fingerprint to authorize financial transactions on corporate e-banking platforms in Pakistan. It begins with a descriptive analysis, followed by a cost-benefit analysis of the proposed methodology.


Thanks to advances in technology, fingerprint scanners are now built into practically every laptop, or a stand-alone scanning device can be connected to a computer. With the introduction of smartphones, fingerprint scanners are now available on phones as well (e.g. Apple iPhone, Samsung mobile sets, etc.).


End consumers in Pakistan should have no issue using a fingerprint-scanning device on a laptop or smartphone because banks implementing this technology are responsible for all work.


Aside from that, Pakistan is an ideal place for biometrics-based authentication because:


a. CNICs are issued after biometric data, particularly fingerprints, is collected from citizens.


b. Before issuing a SIM card, telco providers must keep track of and confirm an individual's fingerprints.


These instances demonstrate that the biometric (fingerprint) methodology is already familiar to, and comfortable for, a large portion of Pakistan's population. Banks, on the other hand, must build their e-banking portal or application to accept fingerprints from corporate users. For either login or financial transaction authentication, the e-banking portal would use the end user's fingerprint device. Enrollment can be done remotely, at the first login to the e-banking platform after receiving setup instructions and passwords, or in person at the bank's customer care center.


This article advises Pakistani banks to use multifactor authentication using PINs and fingerprints. Fingerprints are distinct and complex enough to serve as a reliable authentication template. Using multiple fingerprints from the same person improves accuracy. Among the different biometric methods of identification, fingerprint identification technologies are among the most advanced and accurate.


Let's talk about the financial advantages of employing PINs and fingerprints for authentication instead of token devices. Before we get into the numbers, let's have a look at the present process of token inventory ordering, delivery, and maintenance in the event that a token is missing or broken.


'VASCO Data Security International Inc.' is a US-based company from which most banks in Pakistan order and import tokens. When an order is placed, VASCO ships the tokens to the ordering bank, which receives them once customs duties are cleared. Banks settle VASCO invoices by remitting the money via external transfer, together with the courier fees. Banks then initialize a token and issue it to an end-user after receiving a written request from a customer. The token is delivered to the end-user, and training is provided over the phone or in person at the customer's workplace by a bank employee. Any tokens that are lost or become faulty are replaced with fresh ones and resent to end-users. If an end-user resigns from their company or is transferred to a position that does not entail banking or the usage of an e-banking platform, tokens are returned to the bank.


Theoretically, it appears to be rather straightforward, but in practice, these are time-consuming operations with costs associated with each of the steps listed above.


Let's now calculate the costs connected with the above actions and create some data so that cost-benefit analysis may be performed.


Currently, several banks in Pakistan have implemented fingerprint recognition technology to identify ATM users and are in the process of eliminating the requirement for an ATM card, which will save banks money in the long run by reducing the expense of replacing lost or stolen cards.


Cost calculations are estimates and should not be used for budgeting purposes.


3.1 Descriptive Statistics


The following data provide the descriptive statistics for token inventory ordering, delivery to end users, and maintenance if a token is lost or damaged (numbers based on around 1000 tokens consumed per year per bank).


Descriptive statistics

| Item | Cost (USD) | Cost (PKR) |
|---|---|---|
| Tokens (1,000 tokens) | 15,000 | 1,569,000 |
| Customs duty | 4,610 | 482,206 |
| Courier to end user | 922 | 96,441 |
| Training | 7,376 | 771,530 |
| Total | 27,908 | 2,919,177 |


According to the above statistics, a single bank spends around 28,000 USD on tokens, which can easily be saved if the token is replaced by fingerprints. It not only saves the bank money, but it also makes administration and maintenance easier.


4. Grid for Change Management


"Getting to Know the Problem" is the first stage.


(Thinking/Understanding) Mindset


a. Currently, banks spend a lot of money on physical tokens, which can be easily avoided by employing biometric methods like fingerprints.


Emotional/Intuitive Dynamics of Motivation


a. The existing process of ordering tokens requires time and money to reach banks. End-users must then receive appropriate instruction on how to activate and use token devices. Banks also have a lot of maintenance to do. Because biometric scanners are readily available on laptops and smartphones, this new modification can be implemented quickly and at a low cost. End users won't have to remember as many passwords, and they won't have to carry their physical devices around with them all of the time.


The way you act (Capability)


a. Banks in Pakistan should be visited, and adequate presentations should be given to their I.T. teams about this simple and secure technology, to their finance teams about cost savings, and to their operations teams about decreasing maintenance costs.


b. Demonstrations will be held to demonstrate how this innovative technology can help banks in real-time.


c. Instead of using physical tokens, end users will have to log in or authenticate transactions using their fingerprints.


"Working through the Change" is the second stage.


(Thinking/Understanding) Mindset


a. Biometric authentication will assist banks in lowering costs and streamlining operations. This technology will also make day-to-day e-banking activities easier for end consumers. The bank's concerned team will receive proper training. End users will also be guided through fingerprint enrolment.


Emotional/Intuitive Dynamics of Motivation


a. Banks must first invest in this new technology, but it will eventually save them money on recurring costs and operational upkeep.


b. End users will no longer need to carry any devices and will be able to conduct banking transactions with the touch of a finger.


The way you act (Capability)


a. Post-implementation reviews will assist banks in obtaining input from customers who have begun utilizing the new technology, as well as client experience, which will assist banks in improving their offering.


b. Thanks to fingerprint technology, business customers will no longer have to pay extra for token requests.


"Attaining and Maintaining Improvement" is the third stage.


(Thinking/Understanding) Mindset


a. Banks should hold client experience forums to help them with customer feedback and to get fresh ideas for future improvements.


b. Banks should revise their staff's Departmental Operating Instructions (DOI), highlighting their duties and responsibilities in light of the new technology.


Emotional/Intuitive Dynamics of Motivation


a. Banks can run a reward campaign for workers who successfully transition e-banking users from tokens to fingerprints.


b. Customers could potentially be granted fee waivers as part of a campaign for using this technology.


The way you act (Capability)


a. Any new or existing bank staff will get training and retraining to stress the benefits of biometric authentication.


b. By sending monthly product brochures and short films on trainings, customers can be retrained or updated on this technology.


c. All clients will receive quarterly feedback to measure their biometric authentication expertise and gain fresh ideas for future developments.


5. Observing and evaluating


Banks, as a service-oriented industry, are always focused on putting the customer first. Consumer feedback will be obtained through client experience forums, and any issues will be addressed by close follow-ups, with final feedback obtained from the customer once the issue has been resolved.


After the new biometric technique has been deployed, a post-implementation review will provide a clearer image of the new biometric approach and provide more viewpoints for future enhancements.


6. Final thoughts


The goal of this study is to see if corporate e-banking platform users' physical tokens can be replaced with their fingerprints for e-banking channel login and financial transaction authentication. The findings of this study show that this new technology will benefit banks not just in terms of cost and maintenance, but will also provide corporate end-users with the peace of mind of not having to remember too many passwords or carry the physical token with them wherever they go.