May 22, 2020 by Adam Malik
Consumers are actually open to —and even demanding — two-factor authentication safeguards such as biometrics for their online accounts, a new study has found.
Nearly three-quarters (72%) of Canadians would allow their bank to analyze behavioural biometrics, like typing speed, to secure their online financial information, according to a recent study by FICO, a company best known for providing credit scores, but which also analyzes data and security.
Almost two-thirds (64%) of survey respondents said they’d be happy to give their bank biometric information. Forty-three percent said they expect to set up biometric security features, such as a fingerprint scan, when opening an account.
“The data shows that Canadians are open to additional methodologies,” said Liz Lasher, vice president of fraud, financial crime, and cyber risk portfolio marketing at FICO. “So perhaps those innovations and additional security measures won’t be as painful or friction-causing as many organizations fear. The data is really compelling for businesses to show that they can increase their security innovations without fear of consumer backlash.”
Furthermore, while many Canadians still use a single password to manage their multiple online accounts, experts are encouraged by a rise in those using separate passwords.
FICO found that 37% of Canadians use separate passwords for each account they access. Another 22% use between two and five. But that leaves about 40% using just a single password.
And, continuing with bad password habits, 24% write their passwords in a notebook. “That gives me some heart palpitations, I have to say,” Lasher told Canadian Underwriter.
Another cause for concern is that only 16% use a password manager. “That also is of concern because the management of passwords in a secure and encrypted area is so critical to protection,” Lasher said. “When you start looking at the gold standard of using strong password generators, and using encrypted password managers, the further we can encourage people to do that, the better.”
Why the negative feelings towards passwords?
Although it’s the most common way to protect accounts, it’s not very user-friendly, Lasher said. People are asked to create longer and more complicated passwords that can be easily forgotten.
The good news is, Canadians are open to additional measures to protect their online accounts — something a broker’s commercial clients should be happy to hear, because it will reduce their risk of data breaches.
Since people have avoided going to banks’ bricks-and-mortar offices to avoid the spread of the novel coronavirus, digital payment options have become more common nowadays. A recent Payments Canada study showed 61% of Canadians are using bank ATMs less, 53% said they’re using contactless payment more, and 38% are using e-commerce platforms to get what they need more often than before the pandemic.
So with people using digital means to make purchases and manage finances, protecting that information is a top concern. Even using a so-called complicated password is often not enough, Lasher warned.
“It’s a bit of a misconception that if you use strong characters — like using an @ symbol instead of a lowercase ‘a’ — that you’ll be safe,” she said. “I think from a brute force attack standpoint, we’ve kind of perpetuated that misinformation — that having a ‘strong’ password like that is enough.”
That’s where additional layers of protection come into play. Where do people stand on two-factor authentification?
Given a choice between using a typical login and password combination, as opposed to other security options, only 43% chose the traditional way. Asked to pick from a list of alternatives, respondents chose a one-time passcode sent via SMS as their top pick (62%). Other results included a one-time code sent via email (58%), fingerprint scan (45%) and facial scan (23%).
What should commercial clients do? “You’re not going to be able to nail me down and say one is better than the rest, because the reality is layered control is going to help you be the most secure,” Lasher said. “There’s not going to be a magic bullet when it comes to authentication methodologies. It’s taking a risk-based approach to using different authentication methods such as biometrics, such as behavioural biometrics, one-time passcodes, where it’s appropriate.”
At the very least, companies shouldn’t be afraid to introduce such protections to their clients.
“Canadians seem really happy to work with organizations [and use] more innovative security features,” Lasher said.
Feature image by iStock.com/guvendemir