Phishing-Resistant Multi-Factor Authentication in Finance


As the financial industry faces significant security risks, account takeover and account origination fraud have become increasingly prevalent. Implementing robust phishing-resistant multi-factor authentication (MFA) processes can help mitigate these fraudulent activities. 


What is Phishing-resistant MFA?

Phishing-resistant MFA refers to authentication methods that are difficult for cybercriminals to compromise through social engineering or phishing attacks. By incorporating these secure practices, financial institutions can effectively protect their customers and their own systems.

Many cyber crimes can be mitigated by implementing phishing-resistant multi-factor authentication. Among the most common are password-based attacks, account takeover fraud, and new account fraud (including identity theft and synthetic identity fraud); robust authentication raises the bar against all of them.

Phishing-resistant MFA builds upon the foundation of three primary identity validation factors: something a user knows, has, and "is." By using a combination of knowledge-based, possession-based, and inherence-based authentication factors, phishing-resistant MFA offers a robust and secure authentication process. In doing so, it can prevent password-based attacks, protect against account takeovers, and reduce the likelihood of new account fraud.


Why Financial Institutions need Phishing-resistant MFA

Fraudsters are constantly looking for ways to access financial information and personal data, and they are becoming more sophisticated in their methods. Phishing-resistant MFA is one of the most effective ways to mitigate security risks in finance and banking without significantly increasing friction. Here are some of the ways that multi-factor authentication (MFA) can reduce security risks in banking:


1. MFA Protects Against Password-Based Attacks


One of the most common forms of cyberattack is the use of stolen or weak passwords. Many users have a tendency to reuse passwords or choose easily guessable ones, which can make their accounts vulnerable to attacks. Password-based attacks include:

  • Phishing: In a phishing attack, fraudsters attempt to trick users into revealing not only their login credentials but, increasingly, also their one-time passwords (OTPs). Cybercriminals may create convincing fake websites or emails that prompt users to enter their OTPs alongside their usernames and passwords. Phishing-resistant MFA helps protect against this by incorporating authentication methods that are difficult for attackers to compromise through social engineering or phishing, such as hardware security tokens, mobile-based authentication apps, or biometric authentication. Even if a user falls for a phishing scam and gives away their password and OTP, phishing-resistant MFA ensures that the attacker still cannot access the account without the additional, more secure authentication factor, significantly increasing the difficulty of unauthorized access.
  • Brute force attacks: In a brute force attack, an attacker attempts to guess a user's password by trying many different combinations. MFA can prevent this type of attack by requiring an additional factor of authentication, such as a biometric identifier.
  • Credential stuffing: In a credential stuffing attack, attackers use stolen username and password combinations from one system to try to gain access to another system. MFA can prevent this type of attack by requiring a second factor of authentication, making it much more difficult for an attacker to gain access to a system using only a stolen password.
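The phishing bullet above turns on one property: a one-time password carries no information about which page the user typed it into, whereas a phishing-resistant factor binds each response to the origin that requested it. The following Python model is an added example, not code from the original post or from Trust Stamp; it implements RFC 4226 HOTP for the OTP side and uses an HMAC keyed at registration as a stand-in for a FIDO2-style per-site signature. The two domain names are hypothetical. Both factors are run through the same scenario, a lookalike page forwarding what it receives to the genuine site, and the function reports what the genuine site's verifier accepts.

```python
import hashlib
import hmac
import secrets
import struct


# --- One-time password check (HOTP, RFC 4226): no notion of origin ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, counter: int, submitted: str) -> bool:
    """The server sees only six digits. Nothing in this check says which page the
    user typed them into, so a code collected by a lookalike page and forwarded
    within its validity window is indistinguishable from a legitimate login."""
    return hmac.compare_digest(hotp(secret, counter), submitted)


# --- Origin-bound challenge/response: the phishing-resistant property -------
class Authenticator:
    """Stand-in for a hardware key or platform authenticator (constructed model).
    A real FIDO2/WebAuthn authenticator signs with a per-site private key and the
    server checks the public key; an HMAC keyed with a secret shared at
    registration models the same origin binding without a public-key library."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def assertion(self, origin: str, challenge: bytes) -> bytes:
        # `origin` is supplied by the browser from the page actually loaded, not
        # typed by the user, so the response is bound to the site that asked.
        return hmac.new(self.key, origin.encode() + challenge, hashlib.sha256).digest()


def verify_assertion(registered_key: bytes, expected_origin: str,
                     challenge: bytes, response: bytes) -> bool:
    """The genuine site recomputes over its own origin and the challenge it
    issued; a response produced for any other origin fails to match."""
    expected = hmac.new(registered_key, expected_origin.encode() + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


GENUINE_ORIGIN = "https://bank.example.com"          # hypothetical
LOOKALIKE_ORIGIN = "https://bank-login.example.net"  # hypothetical lookalike domain


def relay_outcomes() -> tuple:
    """Run both factors through the same scenario: the user interacts with a
    lookalike page that forwards whatever it receives to the genuine site.
    Returns (otp_accepted_by_genuine_site, origin_bound_accepted_by_genuine_site)."""
    # Factor 1: OTP. The user types the current code into the lookalike page.
    otp_secret = secrets.token_bytes(20)
    counter = 7
    code_seen_by_lookalike = hotp(otp_secret, counter)
    otp_accepted = verify_otp(otp_secret, counter, code_seen_by_lookalike)

    # Factor 2: origin-bound authenticator. The browser hands the authenticator
    # the lookalike origin, because that is the page that made the request.
    auth = Authenticator()
    challenge = secrets.token_bytes(32)  # issued by the genuine site, passed on verbatim
    response_for_lookalike = auth.assertion(LOOKALIKE_ORIGIN, challenge)
    origin_bound_accepted = verify_assertion(auth.key, GENUINE_ORIGIN, challenge,
                                             response_for_lookalike)
    return otp_accepted, origin_bound_accepted


if __name__ == "__main__":
    print(relay_outcomes())  # (True, False)
```

The OTP verifier accepts the forwarded code because it has nothing to compare the origin against; the origin-bound verifier rejects the response because the authenticator computed it for a different domain than the one the genuine site checks. That is the whole of the phishing-resistant property: the user is never asked to make a judgement the browser can make for them.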

2. MFA Prevents Account Takeovers


Account takeovers occur when a fraudster gains access to a user's account by stealing their login credentials or by using other means to bypass security measures. Some examples of how MFA can prevent account takeover fraud include:

  • Adding an additional layer of security: MFA requires users to provide at least two forms of identification. This makes it more difficult for attackers to gain access to a user's account even if they have stolen the user's password.
  • Detecting and preventing unauthorized access: With MFA, if an attacker tries to access a user's account, the additional factor of authentication required by MFA will prevent them from logging in. This will alert the user that someone is trying to gain access to their account and can also alert the service provider to take action to block the attacker.
  • Mitigating the risk from password reuse: Many people reuse the same password across multiple accounts, which can make it easier for attackers to gain access to multiple accounts with a single stolen password. MFA can help mitigate this risk by requiring an additional form of authentication beyond just the password, making it more difficult for an attacker to gain access to multiple accounts even with a stolen password.
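The "detecting and preventing unauthorized access" bullet describes the signal an MFA failure gives the institution. The Python below is an added example, not part of the original post or of any Trust Stamp product, showing what that detection looks like over a small constructed authentication log. The log format is assumed: one line per step, with the `mfa` step only reached after a correct password, and RFC 5737 test addresses for the source IPs. Repeated second-factor failures after a correct password suggest the password is already compromised (notify the user), while one IP failing the first factor against many accounts is the shape of credential stuffing (rate-limit or block).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication audit log (RFC 5737 test addresses).
# Assumed format: the "mfa" step is only reached after the "password" step succeeded.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice ip=203.0.113.5 step=password result=ok
2024-05-01T10:00:02Z user=alice ip=203.0.113.5 step=mfa result=fail
2024-05-01T10:03:10Z user=alice ip=203.0.113.5 step=password result=ok
2024-05-01T10:03:12Z user=alice ip=203.0.113.5 step=mfa result=fail
2024-05-01T10:07:40Z user=alice ip=203.0.113.5 step=password result=ok
2024-05-01T10:07:41Z user=alice ip=203.0.113.5 step=mfa result=fail
2024-05-01T10:09:00Z user=bob ip=198.51.100.7 step=password result=ok
2024-05-01T10:09:03Z user=bob ip=198.51.100.7 step=mfa result=ok
2024-05-01T10:15:00Z user=carol ip=192.0.2.44 step=password result=fail
2024-05-01T10:15:01Z user=dave ip=192.0.2.44 step=password result=fail
2024-05-01T10:15:02Z user=erin ip=192.0.2.44 step=password result=fail
2024-05-01T10:15:03Z user=frank ip=192.0.2.44 step=password result=fail
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"step=(?P<step>password|mfa) result=(?P<result>ok|fail)$"
)


def parse_events(text: str) -> list:
    """Parse log lines into dicts with a timezone-aware datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def _n_within_window(times: list, n: int, window: timedelta) -> bool:
    """True if any n of the timestamps fall inside one window of length `window`."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1))


def mfa_failures_after_valid_password(events, threshold=3, window=timedelta(minutes=15)) -> dict:
    """Users whose second factor failed `threshold` times within `window`. Because the
    mfa step only runs after a correct password, this pattern suggests the password is
    already in someone else's hands: notify the user and step up review."""
    per_user = defaultdict(list)
    for e in events:
        if e["step"] == "mfa" and e["result"] == "fail":
            per_user[e["user"]].append(e["ts"])
    return {u: len(t) for u, t in per_user.items() if _n_within_window(t, threshold, window)}


def password_failures_across_users(events, min_users=3, window=timedelta(minutes=10)) -> dict:
    """Source IPs with first-factor failures against `min_users` distinct accounts in
    `window`: the shape of credential stuffing, worth rate-limiting or blocking."""
    per_ip = defaultdict(dict)  # ip -> {user: time of first failure}
    for e in events:
        if e["step"] == "password" and e["result"] == "fail":
            per_ip[e["ip"]].setdefault(e["user"], e["ts"])
    return {ip: len(users) for ip, users in per_ip.items()
            if _n_within_window(list(users.values()), min_users, window)}


def analyze(text: str) -> dict:
    """Run both detections over a log and return the flagged users and IPs."""
    events = parse_events(text)
    return {
        "possible_credential_compromise": mfa_failures_after_valid_password(events),
        "possible_credential_stuffing": password_failures_across_users(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log, alice is flagged for three second-factor failures in under eight minutes (her password is evidently known to whoever is trying), bob's clean login is not, and 192.0.2.44 is flagged for first-factor failures against four different accounts in four seconds. Thresholds and windows are illustrative; tune them to the institution's own traffic.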

3. MFA Reduces New Account Fraud


MFA can also help reduce fraud by making it more difficult for fraudsters to impersonate legitimate users or create accounts using synthetic identities. By requiring additional forms of authentication, MFA can verify the user's identity more thoroughly, which makes it more difficult for fraudsters to bypass security measures and carry out fraudulent transactions.

With multi-factor authentication, requiring a biometric factor can mitigate both identity theft and synthetic identity creation. Matching each new enrollment biometrically against previous enrollments helps detect both. When the biometric data matches a previous enrollment but the accompanying identity information does not, the application can be flagged as a possible synthetic identity for further review by investigators. Conversely, when the identity information matches a previous enrollment but the biometric data does not, the application can be flagged as possible identity theft.
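The two flagging rules in the paragraph above (same biometric, different identity data; same identity data, different biometric) form a small decision table. The Python below is an added example, not code from the original post or from Trust Stamp, that encodes that table over constructed enrollment records. Cosine similarity over a short feature vector stands in for a real biometric matcher's score, the `national_id` and `dob` fields stand in for whatever identity attributes the institution compares, and the 0.9 threshold is an assumption; the four sample applications are constructed to exercise each outcome.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Enrollment:
    record_id: str
    national_id: str   # identifier supplied on the application (constructed values)
    dob: str
    template: tuple    # biometric feature vector; a stand-in for a real template


def biometric_similarity(a: tuple, b: tuple) -> float:
    """Cosine similarity between two feature vectors. Real matchers return a
    vendor-specific score; the threshold logic below is what this example shows."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def identity_matches(a: Enrollment, b: Enrollment) -> bool:
    """Identity-data match: same identifier and date of birth (assumed fields)."""
    return a.national_id == b.national_id and a.dob == b.dob


def classify_enrollment(new: Enrollment, prior: list, threshold: float = 0.9) -> tuple:
    """Compare a new application against prior enrollments and return its outcome(s).
    Both review flags can be raised at once when the biometric matches one record
    and the identity data matches a different one."""
    same_person = [p for p in prior
                   if biometric_similarity(new.template, p.template) >= threshold]
    same_identity = [p for p in prior if identity_matches(new, p)]

    if any(p in same_identity for p in same_person):
        return ("returning_applicant",)              # biometric and identity agree on one record
    flags = []
    if same_person:
        flags.append("review_synthetic_identity")    # known biometric, new identity data
    if same_identity:
        flags.append("review_identity_theft")        # known identity data, different biometric
    return tuple(flags) or ("clear",)


# Constructed prior enrollment and four new applications, one per outcome.
PRIOR = [Enrollment("rec-001", "ID-0001", "1980-02-03", (1.0, 0.0, 0.2))]

APPLICATIONS = {
    "returning": Enrollment("new-1", "ID-0001", "1980-02-03", (1.0, 0.0, 0.2)),
    "synthetic": Enrollment("new-2", "ID-9999", "1991-11-30", (0.98, 0.05, 0.22)),
    "theft":     Enrollment("new-3", "ID-0001", "1980-02-03", (0.0, 1.0, 0.1)),
    "clear":     Enrollment("new-4", "ID-5555", "1975-06-17", (0.0, 1.0, 0.1)),
}


def run_all() -> dict:
    """Classify every sample application against the prior enrollments."""
    return {name: classify_enrollment(app, PRIOR) for name, app in APPLICATIONS.items()}


if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(f"{name:10s} -> {outcome}")
```

The point of the structure is that neither signal alone decides anything: a biometric hit on its own is a returning customer until the identity data disagrees, and an identity-data hit on its own is routine until the biometric disagrees. Both flags route to investigators rather than auto-declining, since a false biometric match against a legitimate applicant is a real possibility at any threshold.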

MFA during new account opening provides an additional layer of security that makes it more difficult for attackers to impersonate a legitimate user or create multiple synthetic accounts, helping to prevent impersonation fraud and protect sensitive information.


4. MFA Enhances Customer Trust


Customers place a high value on security when it comes to financial transactions. By implementing MFA, financial institutions can show their commitment to security and gain the trust of their customers. This can lead to increased customer loyalty and satisfaction, as well as a better reputation for the institution.

The combination of enhanced security, reduced risk of account takeover fraud, protection against identity theft, and prevention of password-based attacks provides customers with a sense of security when accessing their accounts. When implemented properly, MFA adds little friction and can enhance the user experience while increasing account security.


The Takeaway

Multi-factor authentication (MFA) is an essential security measure for financial institutions and the banking industry. By requiring additional forms of authentication, MFA can significantly reduce the risk of unauthorized access, prevent account takeovers, reduce fraud, and enhance customer trust. As cyberattacks become more sophisticated, financial institutions must take proactive steps to protect their customers and their own security, and phishing-resistant MFA is an effective way to do so.

Learn how Trust Stamp’s advanced digital identity solutions, including Biometric Multi-Factor Authentication (MFA) can safeguard the financial services and banking sectors from cyber threats.


John Bridge is President, Government Security at Trust Stamp following a 25 year career with the US Marshals Service. John is an active advocate of fraud prevention and mitigation of human trafficking.
