You want to know that the person you’re dealing with really is who they say they are. You do, and this is why an up-to-date secure customer authentication method is the cleverest of business strategies.

Saying it like it is – companies and organizations that continue to depend on passwords alone as their first method of identity verification are seriously negligent. It is not just about the disaster that come in the wake of a security breach, it’s also about owning up to your promise to keep your customers safe. We’d like to disentangle how you can remedy this slip without overloading yourself, your users, customers or workforce.

Three simple advice to convince your users of the benefits of MFA
You want to know that the person you’re dealing with really is who they say they are.

Nobody wants to be the prey of identity thieves

You can no longer dispute that there are severe security vulnerabilities that come with the evolvement of third-party payments services, connected IoT-devices, or the already known problems with unsecure public WIFIs as well as BYOD (Bring Your Own Device) policies in workplaces. This is the constant headache for IT-professionals and management in most industries providing digital services today (and honestly, what company doesn’t?).

By basing your cyber protection strategy on watertight verification of the user underlaid by smart, tested multi factor MFA-tools that authenticates and grants your customer access to systems and services you are well on your way! This can be done in many ways, of which the worst is using many different tools for mobile identity management as cost and complexity can quickly spiral out of control.

Is MFA really necessary, and if so, how do I get my customers onboard?

People nowadays have colossal amounts of online accounts for banking, social media, digital utility tools, health records – the list goes on and on. By illustrating and communicating the need for identification, authentication and verification on a basic level you can help your users to better understand why MFA is so crucial. Here’s some bullets on how to break it down in a way that makes sense to the average user.

  1. Explain multi-factor authentication to your customers/users very basically
    It takes just one carelessly crafted password to invite an attack – it’s just like leaving the door open and unlocked when you go to work. In worst case, depending on what is stored in the account, sensitive data like credit card numbers, passwords recklessly stored in a text file on Google Drive, pincodes or just fraudulent emails can result in a person’s entire identity is hijacked. Inform your users that this can happen everywhere, anywhere, on any account.
  2. Be persistent and provide plenty of support, guides and information. 
    Change is often tough and convincing a user to trust a new app doesn’t come easy. By being open and giving the users all the support they need, easy-to-read manuals you could win your customers over. Even better – by choosing a security app that you can white label makes the transition easier as the customers sees that the app comes from a familiar and trusted source (you).
  3. Make it easy 
    The best way to convince your users of the benefits of multifactor-factor authentication is to supply them with an all-in-one mobile app that authenticates, verifies, and grants the user access. Choose an app that provides MFA with as little hassle as possible.As with everything, there are learning curves to implementing MFA. Everyone may not understand the necessity for it, but once implemented the benefits outweighs any and all potential drawbacks and protects everything – whether it be identity, data, or money.As for which app to use, Covr offers a lean user experience backed by a company with a exemplary security record!

Digital payment and online banking are all about striking the right balance between customer convenience and security. People expect it to be easy, so a complicated authentication process will turn them away. Luckily, onboarding users with COVR’s Multi-Factor Authentication API is not a problem. With this API, they can authenticate their payment directly from their smartphone without interrupting their flow.

COVR’s Multi-Factor Authentication API enables fast and convenient user authentication on smartphones. It keeps you and your users protected from all types of fraud and impostor activity, like identity theft, credit card hijacking, skimming and phishing. Even in risky settings like public wifi and unknown, unprotected networks. The API facilitates compliance, user retention and growth by providing stable and secure authentication and supporting user-friendly onboarding.

The Multi-Factor Authentication API is designed to help you to:

1. Comply with laws against money laundering, financial crime and enhanced privacy for individuals.

2. Defend and protect from online fraud and identity theft.

3. Facilitate people’s expectations on convenient, fast, secure signup and account login experiences.

Upgrade security with user-powered control and push notifications

Enable your end-users to actively protect their digital identity. With the Multi-Factor Authentication API, they control what information they share and with whom.

Thanks to push notifications instead of passwords, the onboarding and login process are a piece of cake. Once the user has logged in, the in-app verification alerts give the user the option to accept or deny authorization with a single tap. 

One solution for every authentication scenario

COVR’s API is developed for any industry in need of strong end-user authentication and can be applied throughout all user groups – employees, end-users and third-parties. It works seamlessly across all platforms, applications and use cases. It also lets you authenticate end-users and authorize access throughout all of your business applications quickly.

The unique benefits

1. Benefit from passwordless authentication to access to sensitive information and money transactions.

2. Activate two or more authentication methods to protect your users from every threat.

3. Authenticate and onboard users with QR codes for a smooth end-user experience.

4. Allow users to authenticate themselves to sign contracts, loans and other legal documents.

Fast implementation, scalable and cost-efficient

COVR needs a minimum of infrastructure to scale for unlimited users simultaneously and plugs into existing systems with minimal modification. There’s no need for additional, expensive hardware.

Credit card security

Does your company issue credit cards? Then you know it’s a complicated process for both customer and issuer to re-approve a transaction that has been denied. It involves phone calls, security questions, identity document verifications or other payment methods.

With the Multi-Factor Authentication API, you can allow the credit cardholders to authorize the transaction themselves. This eliminates the problem with payment rejection and false-positive denials. Every smartphone can be reached by the bank in seconds, anywhere in the world. It is also registered to send authorization request push notifications with a response time of a couple of seconds. The result: seamless card transactions, and fully trusted, accepted purchases – both by the bank and its customers.

Reusable identity validation and account recovery

Dealing with stolen credit cards, lost smartphones or hacked accounts? Recovering all the lost data from each online service could be a lengthy and costly task.

With this API, recovery processes run fast, easy and secure. After a new identity verification is done, COVR can reconnect the user with their existing digital identity. Including all their history, transactions and various accounts. As nothing is ever lost, the user can continue to build their online reputation. 

We have been using passwords and codes for hundreds of years, but still, it seems like our security thinking hasn’t evolved at all.

People want an ultra-low-friction mobile payment experience that says yes to a lickety-split transaction, with a minimum of taps and without the extra hoo-ha.

Pay on the go, wherever you are, is the catchphrase of today. This is the inevitable reality so let’s take a second to untangle some of the pitfalls and opportunities for banks to get on top of this development.

In-app purchasing, person-to-person payments and e-wallets are all results of consumers’ relentless demand for instant access to their money. Needless to say, this is why the most convenient and readily available device of them all – the smartphone – is becoming the payment channel of choice. Sending money to friends and family, shopping or doing day-to-day things like paying a bill inside various apps are all examples of consumer behaviours that are taking off in a phenomenal way. 

“Tap-sign-done”

It’s no longer just well known online payment services like PayPal, Google Wallet and Apple Pay (that have been around long enough to earn trust) that are competing for a piece of the mobile instant payments pie. Thanks to the revised payment services directive (PSD2), the entire payment services ecosystem have entered the race and offer competitive-edge and value-added “overlay” payments that boost consumer instant access. Whether it’s game-changing players like Square, Klarna, Paym and Dwolla or run-of-the-mill banks, the potential success stands and falls with a combination of convenience and security.

The educated guess would be that as long as people can stay secure, they will take the path of least resistance. But convenience will only go so far when it comes to the adoption of mobile payments. Without the underpinning security, this ever-growing trend could halt in mid-stride if consumers don’t trust that their money is a hundred percent secure.

Trust, trust, trust

Even though banks are late to the mobile payment user-convenience party, research shows that consumers still have a much higher level of confidence dealing with their banks, than online platforms and social-media companies when it comes to payments services. This is a slam-dunk advantage that gives banks the chance to stay competitive by drawing from the hard-earned trust they have built with their customers over the years.

As payment innovation has been about striking the right balance between customer convenience and security banks are successively abandoning yesterday’s security methods and have started to evaluate new and more robust alternatives at hand. But bringing about a genuinely effortless mobile user experience and at the same time reach fool-proof security is no easy feat. To begin with, instant payment features radically shortens the time to identify fraud so no matter which way you look at it, you need to invest in extremely secure real-time fraud detection based on strong user authentication. Exceptional user convenience on the smartphone may be the term of the day as it stands, but without up-to-date security tech behind it, it could be good for nothing.

In the near future, those who offer their customers the security and sought-after split-second payment convenience will survive. This is why we have developed Covr, a user-centric mobile security management platform. It will help banks and other financial players to overcome the biggest hurdles in the transition to large scale open banking as it doesn’t require hardware or huge installations costs.

About Covr Security 

Covr Security AB, located in Malmo, Gothenburg, Stockholm, Frankfurt and Palo Alto, is a Swedish cybersecurity company. We have developed a next-generation, user-centric mobile security management app for a wide range of heavily regulated digital industries that depend on strong customer authentication and privacy. The Covr app is available both as an off-the-shelf authentication mobile app ready for a quick launch and as a powerful SDK for hassle-free integration into existing mobile applications.

You’d think that in today’s high-tech society, nobody uses text-messages as part of their 2-factor authentication system. But despite hoping that this was dead and buried practice, every now and then we see examples of when it’s being used and subsequently hacked. Recently, Metro Bank in the UK and its customers suffered the consequences from this, which goes to show it’s time we start using better and safer solutions.

Telecom operators use what’s called an SS7 protocol to reroute both text messages and calls, and also offers the possibility of geo-positioning cellphones. The problem is that the owner of the cellphone doesn’t need to be informed of this, meaning anyone with access can reroute text messages and track the whereabouts of the phone as they choose. This could, for example, be the Telecom operator itself, a government agency, or the not-so-friendly hacker.

All the hackers need to do is figure out the user’s login and password to their bank, things that are relatively easy to get your hands on these days. They then simply use the SS7- protocol to reroute the authentication text message to their own phone and immediately get full access to the bank account. This exact thing happened to customers of the Metro Bank in the UK recently, as reported by “Motherboard”. The SS7-attacks drained the accounts of “an extremely small number” of customers according to representatives of the bank. But regardless of the number of victims, this should really not be a hack that is possible to perform any more. Especially not at a bank that millions of individuals and companies trust with their money.

The victims were of course compensated by Metro Bank, and hopefully, both the bank and customers have learnt their lesson and immediately abandon these inadequate practices.
There are however still thousands of services, banks and others that rely on text- messaging for their 2-factor authentication, apparently living in the belief that their system is secure. But implementing just any 2-factor authentication protocol does not mean your system is secure, much like having a seat-belt made out of paper won’t do you much good in a car crash.

So, take a good look at the service providers you use. if they use text messaging as part of their two-factor authentication inform them of their errors and find yourself another supplier. You simply aren’t safe where these practices are being used.

Read more about the attack to Metro Bank here >

Both Marriott and Voi have recently had data about millions of their customers leaked, the prior by a hack and the latter by poor security set-up. The conclusion: The current systems for ensuring the safety of our customer’s data are far from sufficient.

In late November last year, the hotel chain Marriott announced that they had been the target of a data hack, exposing the information of 500+ million customers. The hackers had access to the customer data since 2014, but it took Marriott five years to realize they had been hacked. During that time, the hackers had access to names, phone numbers, email addresses, passport numbers, dates of birth and arrival and departure information of 327 million of Marriott’s customers. Besides that, for millions of others, the credit card numbers and card expiration dates were also potentially compromised.

Just a few days ago the electric scooter company Voi, that has placed scooters in major cities all over Europe, had 460.000 of their customer’s names, emails and phone numbers exposed openly on the internet. According to the German media company Bayerischer Rundfunk, the data was accessible by anyone without having to break any rules or even be a very proficient hacker.

Both of these incidents are very severe and point to the fact that the systems that many companies rely on to keep their customer’s data safe are insufficient. Whether it be by poor process design, a lack of understanding, or simply an outdated IT-system, there is a great need for better ways to protect the data customers entrust companies with. Poor PR is also not the only thing that can come from such data leaks. In light of the recent EU-directive GDPR, companies now also run the risk of getting hefty fines. In the Marriott-case, the data-breach has been deemed one of the most severe in history, and it will take several months for regulators to investigate the situation fully.

Had the companies instead ensured that the customer data could only be accessed by authorized personnel and had warning systems in place, the breach would either never have been possible or stopped a lot earlier. As a customer in today’s tech-world, your personal data can wreak havoc in your personal life on a scale previously unimagined. A leak such as the ones at Marriott and Voi, should therefore simply not be possible, especially since there are systems available that would have prevented them.

It’s time that companies accept their responsibility, and take measures to ensure that such leaks are not possible. Finding secure IT-systems is not an impossible feat, rather, there are companies like Covr Security that make sure that your customer’s data will remain safe and secure, while still allowing the information to be accessed by the right person at the right time. Security is not just a fancy word to be thrown around in the corporate visionary document, it’s a necessity to ensure that you have a business in the years to come.

In recent years being able to prove who you are has become more important. Companies and online services need verification and use different methods for you to do so. We started with increasingly complex passwords, but more and more are looking at 2-factor-authentication, or even multi-factor-authentication. But what method is actually preferred, both from a security and user-experience perspective?

Having passwords that are so complex that you can’t even remember them yourself has lately proven to be a rather poor method of securing your online accounts. Bill Burr, the former manager at National Institute of Standards and Technology (NIST), created the password-guide that is used today to find a secure password. The problem is that the guide was produced in 2003, and Burr now says that he didn’t really understand how passwords worked during the time. The guide that is being used today actually doesn’t ensure safe passwords. A better method of creating safe passwords is to put together three or four unrelated words, resulting in a longer password without being unreasonably difficult to remember.

But having just a password to verify your identity has proven to be insufficient, just look at the Heartbleed bug a few years ago where thousands of passwords were leaked. Through the years there have been several reports where passwords have been compromised by hacks or simple errors. So, in order to stay safe, there should be some other method of proving you are really you.

The answer has come in the form of 2-factor authentication, where you use your password to login to an online account, and then get prompted on a different device (often your mobile phone) to authenticate that you are attempting to log in to that account. This ensures that you are really you, or at least in theory. Many started using text messaging to send a passcode that you entered to verify the login. But lately there have been numerous reports of such text-messages being redirected to a different phone, and thus the authentication process is yet again insecure.

Many companies, such as Google, have therefore created their own app that ensures that the verification code is only sent to that specific phone. In countries such as Sweden, the banks have joined forces and created a Bank-ID that is linked to the citizen’s personal identification number. The problem with these is that they do not work globally or universally across platforms. In Google’s case, the service provider must then use Googles authentication, and thus their login-system, something that might be undesirable for many service providers. In the case of the Swedish Bank-ID, you must have a Swedish personal number and also have a Swedish bank account.

In other cases, the verification process often requires several steps, which then becomes a hassle for the user. This reduces the willingness to use the verification system. Since people tend to use the path of least resistance, the user experience must be at the centre of the system. If the process of logging in to your account isn’t easy, then you will probably use a less secure method instead.

With Covr, you can offer your users a safe way of authenticating themselves and authorizing transactions via an app on their smartphones
With Covr, you can offer your users a safe way of authenticating themselves and authorizing transactions via an app on their smartphones

Developing a universal and global multi-authentication system that is secure and easy to use is, therefore, something that is desired and urgent. Luckily, we are now seeing several such systems being developed, and the one that is currently leading the charge towards secure and easy online verification is Covr Security. They are a Swedish company that has used the experiences from the Swedish Bank-ID to create a system that is non-affiliated to a vendor with their own agenda and works around the globe. The system is easy to use, easy to implement and ensures the highest level of security. Simply put, it offers all that you could ask for in a multi-factor authentication system.