Are authentication devices the best way to verify large transactions?

As wire transfer fraud continues to lead to losses for banks and their customers, an evergreen question is, what is the best way to block such scams?

Oftentimes, a scammer poses as a high-ranking company official and gets another executive to approve a large wire transfer through what's called a business email compromise attack. According to the FBI, in 2021, BEC schemes resulted in 19,954 complaints that led to losses of about $2.4 billion.

In the latest answer to this problem, the cybersecurity technology company OneSpan has developed a new hardware identity verification device that lets a user at a bank or corporate client see the details of a transaction and confirm or reject it before the money is sent. The company says this gives stronger authentication, while competitors question the merits of dedicated security devices in a world where cellphones satisfy many of the same functions.

OneSpan's new line of hardware authentication devices, named Digipass CX, are cloud-connected to enable enterprises to activate new features, customize user journeys, and modify configurations or security parameters.

While stand-alone hardware security devices such as the Digipass CX line have their upsides, banks also have a large slate of phone and computer applications from which to select to get many of the same features Digipass CX offers, without the cost of another device. OneSpan offers such applications, as do companies including Okta, One Identity, Microsoft and Oracle.

So, why would a bank go with a standalone hardware authentication device rather than a phone with a fingerprint sensor or facial ID capabilities? According to Michael Klieman, OneSpan's chief product officer, the additional security of a hardware device is exactly what some financial institutions want.

"Inside of an organization, you have the chief financial officer, the chief accounting officer, the head of treasury — they are the targets of spear-phishing attacks that are specifically designed to trick them into driving transactions that are not actually authorized," Klieman said. "Having a physical security device as part of the workflow is the solution."

OneSpan said in its earnings statement Tuesday that its Digipass line of products had the highest number of bookings in the third quarter of any in the past three years. Klieman pointed to this as evidence that, even though authentication using mobile devices is the right solution for many use cases, hardware authentication has a growing place in the market.

Part of the reason for this increasing interest may be that hardware authentication is a strong (though imperfect) defense against phishing, SIM hacking, and other attacks that exploit weaknesses in lesser forms of multi-factor authentication such as app-generated one-time passwords sent by text message or email. These forms of authentication face greater challenges as threat actors develop increasingly sophisticated ways of exploiting them.

According to Matthew Gibson, CEO of the e-signature company Syngrafii, there are better options than using a stand-alone security device for authentication. He said the fingerprint and facial identity protections on phones are sufficient to keep even highly capable actors out of the devices, which protects authentication processes involving, for example, device tokens or on-device keys.

"Even with the full resources of the Federal Bureau of Investigation at its disposal, it remains largely challenging to access most phones without the assistance of the manufacturer," Gibson said.

According to Gibson, using a phone in place of a stand-alone security device also ensures that it is with the rightful owner at all times, or at least it becomes immediately obvious when it is not. He added that many phones give users the ability to locate their lost phone using a friend or family member's device, or to remotely wipe the device in extreme circumstances if they are connected to the cellular network.

"A cellphone when coupled with a wide variety of specialized apps will control the market, as opposed to people reverting to external hardware authentication devices — which the majority of banks have abandoned due to cost and security considerations — in favor of secure in-app password generators to access accounts and authorize transactions," Gibson said. "For certain high-value transactions either in-person or video-enabled remote signing rooms are still required by banks and other organizations, and neither an app- generated transaction nor an external hardware authentication device will suffice."

Nonetheless, Klieman says Digipass CX will find its place in the market. The company already provides hardware security devices and counts "60% of the world's largest financial institutions" as customers, according to OneSpan CEO Matthew Moynahan.

"Solutions based on legacy hardware devices are no longer relevant today because they do not provide continuous and connected security, and they are not woven throughout the entire transaction journey," Moynahan said in the product announcement. "That's why current solutions won't stand up in the era of Web 3.0. We aren't securing endpoints anymore; we are securing digital processes and customer interactions requiring continuous authentication and identity verification — no matter where that interaction takes place."