How First Citrus Bank got rid of employee passwords

The Florida bank rolled out passwordless authentication in February that relies on device biometrics of their smartphones.

Page 2 of 2

What about typing patterns? "The industry is looking at assessing individuals based on keystroke cadence -- the time you spend jumping between keys, and the time you spend lifting off keys," says Stuart Dobbie, product owner at Callsign, a London-based authentication vendor. "You might have a different typing pattern in the morning, or in the evening."

On smartphones, these patterns could involve the way a person swipes across the screen or holds the phone. Building this kind of identification mechanism requires capturing a person's usage patterns: patterns that are difficult for an attacker to reverse-engineer and that are specific to a particular application.
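The two keystroke measurements Dobbie describes (time spent holding a key, time spent moving between keys) are usually called dwell time and flight time. The script below, added here as an illustration and not code from Callsign or from the article, shows how a profile is built from a few enrollment samples and how a new typing sample is scored against it. The key events, the per-feature z-score and the threshold of 2.0 are all constructed assumptions for the example.

```python
"""Keystroke-cadence check: dwell and flight times against an enrolled profile."""
from statistics import mean, pstdev

# Constructed enrollment samples: (key, press_ms, release_ms) for typing "pass".
ENROLL_SAMPLES = [
    [("p", 0, 95), ("a", 140, 230), ("s", 290, 380), ("s", 440, 535)],
    [("p", 0, 100), ("a", 150, 240), ("s", 300, 395), ("s", 455, 550)],
    [("p", 0, 90), ("a", 135, 225), ("s", 285, 375), ("s", 435, 528)],
]
# Constructed probes: one from the enrolled user, one from a much faster typist.
PROBE_SAME = [("p", 0, 97), ("a", 145, 235), ("s", 295, 385), ("s", 445, 540)]
PROBE_OTHER = [("p", 0, 60), ("a", 70, 130), ("s", 150, 210), ("s", 225, 290)]


def features(events):
    """Dwell (release - press) per key, then flight (next press - release) per gap."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Per-feature mean and population std dev across enrollment samples.

    A 5 ms floor on the std dev stops a perfectly consistent feature from
    turning any tiny deviation into an enormous z-score.
    """
    vectors = [features(s) for s in samples]
    profile = []
    for j in range(len(vectors[0])):
        column = [v[j] for v in vectors]
        profile.append((mean(column), max(pstdev(column), 5.0)))
    return profile


def score(profile, events):
    """Mean absolute z-score of the probe's features; lower means closer."""
    probe = features(events)
    return mean(abs(x - m) / s for x, (m, s) in zip(probe, profile))


def matches(profile, events, threshold=2.0):
    """Accept the probe when its average deviation is within the threshold."""
    return score(profile, events) <= threshold


if __name__ == "__main__":
    profile = enroll(ENROLL_SAMPLES)
    print("same user:", round(score(profile, PROBE_SAME), 3), matches(profile, PROBE_SAME))
    print("other user:", round(score(profile, PROBE_OTHER), 3), matches(profile, PROBE_OTHER))
```

In practice the profile would hold many more samples, and the morning-versus-evening drift Dobbie mentions is one reason vendors keep updating the profile over time rather than freezing it at enrollment.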

More and more organizations are using these techniques, along with other elements of a user profile such as location and known devices. European requirements for stronger authentication are driving adoption, Dobbie says, especially in financial services. For the most part, these methods are layered on top of passwords for additional security rather than replacing them. "Passwords are so heavily embedded across the Internet," Dobbie says. "It's not an insignificant thing to change." The new FIDO specifications, including WebAuthn, are creating a way in which that can happen. "But this has happened relatively recently," he says.

There are also other steps that a company can take to add security layers to its authentication process.

For example, at First Citrus, some actions cannot be performed by a single person. “Internally, we’re a firm believer in least permissions to get the job done,” says Kynion. “So, no one person has the ability to wire a million dollars to anyone, not even the CEO. Every single transaction where it creates a transfer of funds externally would require a second person to log in, so there’s a trail of activity to create and approve the transaction before it goes to the person who actually does the transaction.”
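The control Kynion describes is the classic maker-checker (dual control) pattern: the person who creates an outbound transfer can never be the one who approves it, the rule applies regardless of role, and every step leaves an audit record. The class below is an added illustration of that pattern, not First Citrus Bank's own code; the user names, the `WireDesk` API and the in-memory audit trail are assumptions for the example.

```python
"""Maker-checker control for outbound wire transfers, with an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class DualControlError(Exception):
    """Raised when a transfer would bypass the two-person rule."""


@dataclass
class WireRequest:
    request_id: str
    amount: float
    destination: str
    requested_by: str
    approved_by: Optional[str] = None
    executed: bool = False
    audit: list = field(default_factory=list)  # (timestamp, actor, action)


class WireDesk:
    def __init__(self):
        self._requests = {}

    @staticmethod
    def _log(req, actor, action):
        req.audit.append((datetime.now(timezone.utc).isoformat(), actor, action))

    def create(self, request_id, amount, destination, user):
        """Maker step: anyone with wire permission can draft a transfer."""
        req = WireRequest(request_id, amount, destination, user)
        self._log(req, user, "created")
        self._requests[request_id] = req
        return req

    def approve(self, request_id, user):
        """Checker step: a second, different login must approve.

        The rule has no role exemption, so a CEO who drafts a transfer still
        cannot approve it. The rejected attempt is logged before raising.
        """
        req = self._requests[request_id]
        if user == req.requested_by:
            self._log(req, user, "approval rejected: same user as requester")
            raise DualControlError("requester may not approve their own transfer")
        req.approved_by = user
        self._log(req, user, "approved")
        return req

    def execute(self, request_id, user):
        """Release step: only an approved request can be sent for processing."""
        req = self._requests[request_id]
        if req.approved_by is None:
            self._log(req, user, "execution rejected: not approved")
            raise DualControlError("transfer has not been approved")
        req.executed = True
        self._log(req, user, "executed")
        return req


if __name__ == "__main__":
    desk = WireDesk()
    desk.create("W-1", 1_000_000.0, "ACCT-EXAMPLE", "ceo")
    try:
        desk.approve("W-1", "ceo")
    except DualControlError as exc:
        print("blocked:", exc)
    desk.approve("W-1", "ops.bob")
    done = desk.execute("W-1", "ops.carol")
    for entry in done.audit:
        print(entry)
```

The audit list is what gives the "trail of activity" Kynion mentions: a rejected self-approval is recorded as an event in its own right, which is exactly the kind of entry a reviewer wants to see later.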

The bank is also paying attention to recent developments in user behavior analytics, he says. “If all of a sudden, they’re trying to go into folders that they’ve never gone into before, the heuristics will try to mitigate it by saving a record of it, or creating an alert,” he says. “That’s an intriguing possibility, but we’re not there yet.”
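The behavior-analytics case Kynion sketches (a user opening folders they have never touched before, answered by recording the event or raising an alert) comes down to a baseline of each user's known folders and a check of new accesses against it. The script below is an added example of that logic, not the bank's tooling; the log format, user names, paths and the "two path levels define a folder" rule are constructed assumptions.

```python
"""First-time folder access detection over file-share access logs."""
import re
from collections import defaultdict

# Constructed log lines: a baseline window and a later window to check.
BASELINE_LOG = """\
2019-02-04T08:02:11Z user=jsmith action=open path=/shares/lending/apps/q1.xlsx
2019-02-04T08:15:40Z user=jsmith action=open path=/shares/lending/policies/rates.pdf
2019-02-05T09:01:03Z user=mlee action=open path=/shares/finance/wires/batch.csv
"""
CHECK_LOG = """\
2019-02-11T14:20:55Z user=jsmith action=open path=/shares/lending/apps/q2.xlsx
2019-02-11T14:22:10Z user=jsmith action=open path=/shares/finance/wires/batch.csv
2019-02-11T14:23:00Z user=jsmith action=open path=/shares/finance/wires/templates.docx
this line is not a valid access record
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=open path=(?P<path>\S+)$")


def parse(line):
    """Return (ts, user, path) or None for lines that do not match the format."""
    m = LINE.match(line.strip())
    return (m["ts"], m["user"], m["path"]) if m else None


def folder_of(path, depth=2):
    """Collapse a path to its first `depth` directory levels, e.g. /shares/finance."""
    return "/".join(path.split("/")[: depth + 1])


def build_baseline(text):
    """Map each user to the set of folders seen in the baseline window."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            ts, user, path = rec
            seen[user].add(folder_of(path))
    return seen


def detect(baseline, text):
    """Alert once per user per never-before-seen folder, then record it.

    Recording the folder after the first alert matches the 'save a record of
    it' option in the article and keeps one excursion from paging repeatedly.
    """
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        ts, user, path = rec
        folder = folder_of(path)
        if folder not in baseline[user]:
            alerts.append({"ts": ts, "user": user, "folder": folder, "path": path})
            baseline[user].add(folder)
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for alert in detect(base, CHECK_LOG):
        print("ALERT first access:", alert)
```

A real deployment would age the baseline, weight the alert by how sensitive the folder is, and feed it to the same review queue as other identity signals, but the core comparison is no more than this.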

Copyright © 2019 IDG Communications, Inc.
