As technology continues to be a constant, ever-growing presence that impacts our daily lives, almost every sector in Malaysia, including government, education and financial institutions, has transitioned towards digitalization. This transition affects us, as many registration and application procedures today require us to either complete or upload our personal details online, making things seamless and efficient.
With the ease that technology brings us, we also run the risk of losing our data privacy due to the growing number of hackers and cybersecurity threats. Banks, financial institutions, and government agencies are at the forefront as they hold some of our most private and important assets – our personal background and financial information.
As we move towards digitization, we can pay for bills and do online transfers from the comfort of our own home with a simple click. Hence, institutions and agencies are continuously studying and practicing ways of enhancing their security features.
So how do they do it? In ensuring the safety of our personal assets online, many banks and financial institutions are currently employing layered security features such as the two-factor authentication solution (2FA).
This is compliant with the Malaysian regulatory requirements for online banking. 2FA is a two-step security process that requires users to provide identification from two different channels: “what you have” – login credentials and “what you know” – a security code, e.g. TAC.
Furthermore, multi-layered security has become a popular system among financial institutions and government agencies today. A further step to 2FA would be the 3FA – three-factor authentication. 3FA is simply an additional security factor to the 2FA. To better understand, here’s a simplified breakdown of the definition:
One-factor authentication: “what you know” – password
Two-factor authentication: In addition to the first factor, “what you have” – a code generator (TAC), a signed digital certificate or an RSA SecurID fob. Specifically, an RSA SecurID fob is a device which produces a number at regular intervals using a sophisticated number-generation algorithm.
The number generator takes some input, including user information, to generate a unique number. When a user who has been assigned an RSA SecurID device wishes to access a computer or system, that system is kept in sync with the current state of the device so that it produces the same number. The user submits the number shown on the device for verification.
Three-factor authentication: In addition to the two factors, the third factor is “what you are” – biometrics. Biometrics can be further divided into two types: physiological (a fingerprint, palm print, iris scan or retina scan) and behavioral (voice, keystrokes, signature pressure, gait).
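The token scheme described under two-factor authentication above, as an added example (not code from this article or from RSA): it uses the open TOTP construction (RFC 6238) as a stand-in for the SecurID algorithm, which is not described here. The shared secret, the 30-second step and the `Verifier` class are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (assumed interval)
DIGITS = 6   # length of the displayed code


def code_at(secret: bytes, counter: int) -> str:
    """Code for one time step: HOTP (RFC 4226) applied to a time counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: holds each token's secret and recomputes the same number."""

    def __init__(self, window: int = 1):
        self.window = window    # time steps of clock drift tolerated either way
        self.secrets = {}       # user -> secret shared with that user's token
        self.last_used = {}     # user -> last accepted step (replay guard)

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def verify(self, user: str, submitted: str, now: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = int(now // STEP)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_used.get(user, -1):
                continue        # a code from this step was already accepted
            if hmac.compare_digest(code_at(secret, step), submitted):
                self.last_used[user] = step
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # constructed sample secret
    server = Verifier()
    server.enroll("alice", demo_secret)
    shown = code_at(demo_secret, int(59 // STEP))   # what the fob displays
    print(shown, server.verify("alice", shown, now=59))
    print("replayed:", server.verify("alice", shown, now=59))
```

The drift window and the replay guard are the two server-side checks that matter in practice: without the first, a slightly slow token locks its user out; without the second, an observed code can be reused until its interval expires.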
Note that the order of what you know, have and are does not matter. 3FA is a revolutionary extension of the security methods in use today. It requires the physical biometric information of the individual. The fingerprint and retinal scan are the two most common authentication methods practiced.
For example, we may have encountered this when doing in-person counter transactions in banks, walking through the automated clearance system at our local airports during immigration or just simply by unlocking our phones. The 3FA is a sought-after method in higher security as it requires a distinct genetic trait from the individual that cannot be replicated.
However, what happens if the individual suffers from a cataract condition, a cold or has a cut on their finger? How will these affect the scans and accesses to their personal information? For starters, mathematical algorithms and patterns are keys to identifying genetic human traits in scans.
Hence, physical deformities (hand, fingers, and iris) do not actually limit accessibility, as they can heal easily. The only limit is if one suffers from a severe and irreversible physical condition, requiring the individual to re-enroll using a new dataset in the system.
Behavioral changes in the vocal cords also do not necessarily affect the biometric scanning procedure. The technology captures many unique identifiers, including features such as speed, cadence, and pronunciation as well as physical aspects such as the shape of the larynx, vocal tract and nasal passages. Banks like HSBC and Barclays are known for implementing this security feature.
As technology progresses, we must continue enhancing our methods of protecting our personal information from falling into the wrong hands. Although the two-factor authentication may be a feasible choice in our current operations, public agencies and financial institutions in Malaysia can explore the implementation of voice recognition or other 3FA methods in general as practiced by HSBC and Barclays in recognizing their customers.
Of course, this calls for further research to see whether the Malaysian market requires this security feature in protecting our overall personal data.
*Wong Kok Sheik is an Associate Professor attached to the School of Information Technology at Monash University Malaysia