crossmatch logo

The skinny on authentication methods:
the good, the bad, and the obvious

Bank Authentication Security Challenges: Where We’ve Come

You may be surprised to learn that banks were far ahead of the curve in authentication security. The world’s first ATMs appeared in the 1960s and combined something people had (either a card or a special slip of paper) with something people knew (an access code) to authenticate bank customers and dispense cash. This was probably the first automated, customer-facing use of Multifactor Authentication (MFA) ever. The tried-and-true debit card and PIN combo used by nearly all modern ATMs shows how little things have changed since that initial foray into automated banking.

But how do the advancements of yesteryear compare to today’s commercial banking environment? In-house users have to be authenticated too, and the needs of employees differ from those of customers. With the threat of breach emerging on both sides of the desk, organizations have to be strategic in how they employ authentication. Passwords will likely never disappear, but they’re being overtaken or supplemented by other forms of authentication. Check out some of the advantages and disadvantages of authentication methods that banks and credit unions are working with today:

Password image

1 / 8

Password / PIN

Passwords and PINs are the oldest authentication methods around. Knowing a secret passcode probably got you into cardboard clubhouses as a kid, and it probably still gets you into almost all of your accounts. So retro! Unfortunately, it’s also the most widely stolen and exploited form of authentication there is.

Advantages: Familiar to all users, versatile, low cost & infrastructure requirements, the “de-facto” authentication method

Disadvantages: Dangerously weak when used alone, easy to obtain by social engineering hacks, draconian policies for enforcing password quality can cause user fatigue, the root of many high-profile breaches

Email photo

2 / 8

Temporary Password

An oldie but a goodie, a temporary password sent via email continues to be widely used as backup authentication. Little explanation is needed, but here it is: the login event (usually password-based) generates an email containing a one-time password string sent to a designated account holder or user. The code authenticates the login and may also prompt users to create a new ‘permanent’ password. It’s a little time-consuming, but hey—at least it’s familiar.

Advantages: Familiar to most users, adds a layer of security to password authentication, low cost & infrastructure requirements, no need for a separate device, one-time codes can’t be used again, appropriate for customers & employees alike

Disadvantages: Email accounts are potentially vulnerable or inaccessible due to careless users, more inconvenient than other methods, still hinges on a password-based login

App-generated password image

3 / 8

Push OTP

Thanks to today’s mobile-happy population, customers and employees alike are rarely out of reach of their mobile phones. A one-time password (OTP) is typically created as a response to a password-based login. With the mobile app open, users key in this single-use string to log in. It’s secure, but there’s a caveat: if employees or customers don’t have their own authentication measures in place on their phones, this method makes phones an even more attractive target for theft by cybercriminals.

Advantages: Can strengthen password-based logins, simple, one-time codes can’t be stolen, appropriate for customers & employees alike

Disadvantages: Derailment due to a forgotten or lost phone can translate to increased IT burden, gaps in service caused by connectivity issues, theft of unsecured phones contributing to breaches, potentially incompatible with legacy systems

Contextual image

4 / 8

Contextual Step-Up

Contextual authentication requires no input from the user and instead uses contextual items (location, IP address, network used, etc.) to make a probability-based judgment about the identity of the user. While contextual authentication can’t stand alone, it’s a useful additional measure that can prevent breach by heading off access from foreign countries or new IP addresses. Typically, contextual authentication will present additional identity challenges when certain conditions are not met. So, if a user habitually accesses his account from Palm Beach County and travels to Singapore, it doesn’t mean he’ll be locked out during travel. He’ll just need to jump through one more hoop to prove it’s him. Good news for travelers—bad news for overseas hackers.

Advantages: Can head off malicious actors in other countries (where many breaches originate), works behind the scenes, appropriate for both customers & employees, built into many other authentication methods

Disadvantages: Can create hassles for those who are away from usual workstations, needs other factors (besides passwords) to support ideal functionality, vulnerable to IP & location spoofing

Proximity-based image

5 / 8


A type of contextual authentication, proximity-based authentication uses near field communication or Bluetooth on a mobile phone, smart card, or token device to authenticate an associated account on a system nearby. Unlike an app-generated code, there’s no need to key anything in with proximity-based authentication. The device must simply be nearby to utilize its short-range communication capabilities, and voila! Do note that the functionality of proximity-based authentication devices can vary widely.

Advantages: Can strengthen password-based logins, no user input necessary, very hard to spoof

Disadvantages: Forgotten or lost tokens require IT involvement, theft of the token or phone may result in breach, no way to verify proof of presence with proximity alone, expensive & impractical for customer use, potentially incompatible with legacy systems

Biometric image

6 / 8

Physiological Biometrics

Biometric authentication relies on personal features that are unique to a specific user. The most iconic and widely-used method of biometric authentication is the finger swipe. This common, convenient addition to back-office systems layers comfortably on top of or in lieu of passwords. With the advent of widespread mobile biometrics, this form of authentication is making its way to retail banking customers, as well. For example, USAA’s 2015 deployment of face, voice, and fingerprint scanning options in lieu of a password was quickly adopted by over a million users, who voiced their relief at leaving behind the tyranny of the alphanumeric password.

Advantages: Can be the main factor in place of password logins, arguably the strongest factor, convenient for users, fast, highly secure when biometric data is properly encrypted, appropriate for customers and employees alike, compliant with regulatory requirements for use of multifactor authentication.

Disadvantages: Some employees & customers may balk because of privacy concerns, can be expensive (but not always), lots of options (yes, too much choice can be a disadvantage, too)

Behavioral biometrics

7 / 8

Behavioral Biometrics

Behavioral biometric authentication evaluates how users interact with the system to determine if they’re really who they say they are. Usually executed during password-based logons, this behind-the-scenes factor measures and verifies a user’s unique keystroke cadence, mouse movements, touch pressure (if on mobile) and other aspects of system interaction against a set user profile. From there, the system determines whether the person currently typing, tapping, or clicking checks out, or if another authentication challenge may be needed. Futuristic stuff, right? It’s surprisingly fast to enroll a user – i.e., to create a highly accurate behavioral profile that even grows smarter over time.

Advantages: Totally behind-the scenes, great support for password logins, no user burden whatsoever, extremely hard to spoof, appropriate for customers & employees alike

Disadvantages: Profiles must be established before systems are effective, can be expensive, needs other factors (besides passwords) to support ideal functionality, still very new & evolving

Push OTP image

8 / 8

The Upshot

Remember, authentication methods are at their most effective when they play together well and reinforce a multi-faceted approach to security. Look for an authentication solution that meshes well with your existing workflows, allows for flexibility in factors, and doesn’t present a huge infrastructure burden.

This content has been brought to you by Crossmatch®. Crossmatch is a leading provider of hardware and software solutions, including DigitalPersona® Composite Authentication, that solve the identity management challenges of hundreds of millions of users around the world. To learn more, visit

Don’t Miss Out.

Sign up on the right to get notified when more content goes live: