Once upon a time, passwords were good for just about anything, including protecting consumers from fraud during digital banking logins and online transactions. Not anymore.
Fraudsters have evolved their tactics to such an extent that when financial institutions (FIs) use passwords and one-time passwords (OTPs) for authentication, customers are left vulnerable to cyberattacks.
Then there’s the frustration of time-consuming password resets – quite the opposite experience by today’s digital standards.
Fortunately, many FIs are starting to recognize that OTPs, and password resets in particular, are major contributors to driving up costs, lowering customer satisfaction, and increasing the risk of fraud.
In this article, we explore these hurdles in more depth and offer ways to overcome them.
Problem 1: The operational burden of password resets on call centers
Password resets, while frustrating for customers, are just as troublesome for FIs. The process causes a major burden on banking call centers, both in terms of operational demands and lost growth opportunities.
Yet for many FIs, it’s a necessary evil dictated by outdated authentication technology and strict access control policies regarding password resets.
Typically, after three unsuccessful username/password login attempts, a cardholder must contact their bank or credit union’s call center to reset their password. We often hear from our customers that a high percentage of the calls their customer service centers receive are password-related, such as resetting users’ forgotten passwords, which takes valuable time away from more pressing issues.
What’s more, the time it takes to complete a reset varies with the steps required: authenticating the caller, walking the customer through the OTP process, waiting for the OTP to be received (which sometimes doesn’t happen), verifying that the new password works, and updating all impacted systems. In the end, the full password reset process can take up to 15 minutes.
Over the years, we’ve seen reports of a wide range of costs per password reset call, anywhere from $3 to $70! But even if you take a simple, conservative calculation based on 15 minutes of a $20-per-hour resource, at $5 per incident, the cost adds up. And that’s before considering the customer annoyance factor and the lost opportunity cost of growth-related conversations.
Overall, the need for customers to contact call centers for password resets puts strain on call center efficacy and is unpleasant for the customer.
Learn how African Bank improved its call center efficiency, saving 250 consultant hours per month.
Problem 2: Disrupting the digital banking customer experience
Consumers love the convenience of online and mobile banking. But that sentiment changes fast when they have trouble logging in to their own accounts. While it’s essential for them to verify their identity for security reasons, the use of outdated username and password login technology often results in a frustrating user experience.
According to a recent FIDO Alliance survey, 90% of respondents have reset their passwords before, with 32% stating they’ve had to recover or reset their passwords several times a year!
Passwords are easily lost or forgotten, especially when consumers keep up to 100 different passwords for all their online accounts. However, the situation can be more complicated in the event of forgetting their digital banking credentials. Why? Because the sector’s strict privacy and compliance protocols often force cardholders to rely on contact centers to reset their passwords.
When they do contact the call center, it should be an opportunity to solidify and grow the customer relationship. However, they’re calling because they’ve been prevented from accessing their account or paying a bill. As a result, they become frustrated by the inconvenience of having to contact the call center, navigate a series of prompts, and then potentially sit on hold to wait for assistance.
At this point, a cardholder might be asked a series of knowledge-based questions. To move away from easily hackable concepts, such as ‘your mother’s maiden name’, authentication questions have become more challenging by necessity, but more confusing for users. After all, answers to many questions rely on memory and preferences, which may change over time yet not be recorded by the FI.
The customer may also be asked to share a code or PIN that may not have been delivered to their email or phone. The result — unnecessary and exasperating friction that could tarnish a customer's view of your institution altogether.
Not only does the password reset process cause consumers frustration, but it also leaves them vulnerable to credential theft from fraudsters, which brings us to problem number three.
Problem 3: The vulnerability of OTPs in customer authentication
In an attempt to thwart the efforts of fraudsters in the password reset process, an extra layer of security is often added in the form of a one-time PIN code (OTP). An OTP that’s valid for a single login, often used in conjunction with a username and password, may sound effective at first. However, fraudsters are smart and constantly innovating new strategies to intercept and exploit login credentials and OTPs through social engineering attacks.
In the case of password resets, fraudsters may have stolen a customer’s login credentials and then, through a series of attacks including SIM-swap or social engineering, intercepted the OTP. One way they achieve this is by impersonating a bank employee over the phone and convincing the customer to share the OTP that the fraudster actually triggered.
They might also send an email that purports to be from the bank requiring the customer to click on a link to a fake website and input their username, password, and OTP. The fraudster retrieves the credentials entered on the fake site and enters them on the real bank website.
It’s no surprise that there’s been a rise in password reset attacks. In 2021, one in every eight password reset attempts was actually an attack. Plus, studies reveal that typically 80% of SIM-swap attacks are successful, thus paving the way for fraudsters to intercept OTPs.
These vulnerabilities leave consumers open to not only fraudulent transactions, but full account takeovers with fraudsters potentially emptying all funds from an account. This results in devastating consequences for the customer, and liabilities and reputational damage for the bank.
Discover how OTP technology is holding banks back in our blog, OTPs for customer authentication: Past their expiry date.
Biometric authentication modernizes password resets
Passwordless options, like biometric authentication, to outright replace the use of passwords and OTPs, will always be first prize. However, where they cannot yet be completely eliminated for business reasons, the same technology can offer simpler, more secure ways around password resets: Self-service password resets.
Advanced multi-factor authentication (MFA) technology that supports self-service password resets provides FIs with a more modern approach to authentication, placing them in a better position to address the pains associated with the password reset process. Biometrics and passkeys are gaining serious traction, and are regarded as possibly the most secure and convenient authentication tools. And, if used in place of usernames and passwords, the cost of password resets can be eliminated.
Watch: Entersekt’s CMO, Frank Moreno, explains the self-serve password reset process with biometric authentication.
Furthermore, when used as a second factor of authentication during account logins, biometrics and passkeys don’t require a customer to retrieve a passcode or remember answers to increasingly complex challenge questions. In addition, biometrics and passkeys cannot be intercepted or impersonated by fraudsters, ensuring the highest level of security.
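The difference between the relayed-OTP phishing flow described under Problem 3 and the passkey claim above comes down to what the bank can check. An OTP is just digits, so a code typed into a look-alike page and forwarded to the bank verifies normally; a passkey assertion carries the origin the customer was actually on, so a relayed assertion fails. The following is an added, constructed simulation of both flows (not Entersekt code); the origin names and keys are made up, and an HMAC stands in for the asymmetric signature a real passkey produces.

```python
import hashlib
import hmac
import json
import secrets

BANK_ORIGIN = "https://bank.example"          # constructed legitimate origin
PHISH_ORIGIN = "https://bank-login.example"   # constructed look-alike origin


def bank_verify_otp(issued: str, submitted: str) -> bool:
    """OTP check: the bank can only compare digits. Nothing in the code says
    which website the customer typed it into, so a code forwarded from a
    look-alike page verifies exactly like one typed on the real site."""
    return hmac.compare_digest(issued, submitted)


def authenticator_sign(cred_key: bytes, challenge: bytes, origin_seen: str) -> tuple[bytes, bytes]:
    """Passkey-style assertion. The browser reports the origin that asked for
    the assertion; it is written into the client data and covered by the
    signature. (HMAC stands in for the asymmetric signature real passkeys
    use, to keep this stdlib-only; the origin-binding logic is the same.)"""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin_seen}).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return client_data, sig


def bank_verify_passkey(cred_key: bytes, expected_challenge: bytes, client_data: bytes, sig: bytes) -> bool:
    """Server-side check: signature valid, challenge fresh, origin is ours."""
    if not hmac.compare_digest(hmac.new(cred_key, client_data, hashlib.sha256).digest(), sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == expected_challenge.hex() and data["origin"] == BANK_ORIGIN


def simulate() -> dict:
    """Run the relayed-OTP flow and the relayed-passkey flow from the text."""
    # OTP: customer enters the code on the look-alike page; it is forwarded as-is.
    code = f"{secrets.randbelow(10**6):06d}"
    otp_relayed = bank_verify_otp(code, code)
    # Passkey: the bank's challenge is forwarded to the look-alike page, but the
    # authenticator signs the origin it actually saw (PHISH_ORIGIN).
    cred_key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    cd, sig = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    passkey_relayed = bank_verify_passkey(cred_key, challenge, cd, sig)
    # The same credential used directly on the bank's own site verifies normally.
    cd, sig = authenticator_sign(cred_key, challenge, BANK_ORIGIN)
    passkey_direct = bank_verify_passkey(cred_key, challenge, cd, sig)
    return {"otp_relayed": otp_relayed, "passkey_relayed": passkey_relayed, "passkey_direct": passkey_direct}
```

The origin check is what makes the assertion phishing-resistant; the challenge check separately prevents replay of an old assertion.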
And, when a password reset is needed, the self-serve option allows the customer to simply click the “forgot password” link and safely reset within seconds by authenticating with their preferred biometric scan – no code to wait for that sometimes doesn’t arrive, no fumbling to enter the code accurately, and no way for fraudsters to intercept.
As a result, banks and credit unions can:
- Reduce call center costs and better utilize representatives’ time (otherwise wasted with password resets) to nurture growth opportunities with customers.
- Reduce customer frustration by giving them more control and allowing them to get on with their desired online banking engagement faster.
- Provide a more secure environment to protect their business and customers’ livelihoods.
Protecting customers across all digital banking channels
It’s vital for FIs to keep their customers' or members’ logins secure while reducing unnecessary friction on whichever device or channel they choose to use.
At Entersekt, we offer safer alternatives to OTP authentication that balance security needs with a positive user experience across all digital channels. With a layered approach that includes visible and invisible authentication measures, banks and credit unions can block fraudsters and deliver an optimal experience for each transaction and every customer.
But our customers say it best:
“MemberPass, powered by Entersekt, enables leading-edge authentication for our call center, branches, and ITMs. MemberPass’s extended functionality from Entersekt provides unmatched biometric authentication for our digital banking platform, while being in tune with members’ unique preferences for user login and payments.” – Jack Martin, Chief Innovation Officer, 4Front Credit Union
Is your FSP ready to reduce its reliance on outdated OTP technology? Learn how Entersekt’s biometric authentication solution can secure all your digital channels.