KuppingerCole Report
By John Tolbert

OneSpan Intelligent Adaptive Authentication

Fraud reduction is a paramount concern in many industries today. Finance, as well as healthcare and retail companies, are increasingly targeted by cybercriminals. New regulations in the financial industry are coming into force in many areas around the world. These regulations aim to improve security and reduce fraud. OneSpan Intelligent Adaptive Authentication provides strong and multi-factor authentication and transactional risk analysis capabilities that can help businesses strengthen their security posture, meet the technical challenges posed by these new regulations, and improve their customers’ experience.

Commissioned by OneSpan

1 Executive Summary

The financial services industry faces a number of increasingly difficult challenges today. Organizations in this industry have often been at the foref ...

2 Highlights

  • Financial cybercrime is on the rise, and attacks are getting more sophisticated.
  • Many bank executives are unaware if they have been breached and i ...

3 Cybercrime in the Financial Industry

Cybercrime is a leading cause of loss in the financial industry and this is the biggest concern for bank executives. Account takeovers are an especial ...

4 Finance Sector Regulations Driving Changes in Cybersecurity

Regulations in the financial sector are improving transaction security by requiring technical features such as MFA and risk analytics. New York’s Cy ...

4.1 New York Cybersecurity Requirements Regulation (NYCRR)

NYCRR sketches out some high-level objectives for cybersecurity programs without “being overly prescriptive”. Financial service companies, defined ...

4.2 PSD2

The main goals of PSD2 are:

  • Contribute to a more integrated and efficient European payments market
  • Improve the level playing field for payment ...

5 Evolution of Risk-based Authentication

Risk-based authentication for higher identity assurance is fundamental to reducing risk of fraud and data loss in the financial sector. Stronger authe ...

5.1 Username/Password

The problems with username/password authentication are well-known. Both usernames and passwords are easily and often forgotten. Password resets are ex ...

5.2 KBA

Knowledge-based authentication is still a widely used authentication method, even in finance, despite its inherent security problems. KBA involves set ...

5.3 Token-based Authenticators

Fortunately, better alternatives to passwords exist. Many enterprises have deployed smart cards, USB tokens, or other types of strong authentication ...

5.4 MFA

Multi-factor authentication covers a wide range of authenticators. Clients of financial services must use strong/MFA methods to access financial resou ...

5.5 Risk-based Authentication and/or Transaction Risk Analysis

Many CIAM and IAM solutions on the market today support the principles of MFA and SCA. Companies that have to comply with NYCRR’s MFA or PSD2’s SC ...

6 OneSpan Intelligent Adaptive Authentication for Financial Use Cases

The OneSpan Intelligent Adaptive Authentication solution provides risk-based adaptive authentication functionality, risk analytics and mobile applicat ...

6.1 OneSpan Intelligent Adaptive Authentication for MFA

OneSpan supports many authentication mechanisms including hardware OTP; email/SMS OTP; Mobile biometrics – iOS and Samsung native apps, and OneSpan ...

6.2 OneSpan Intelligent Adaptive Authentication for Transactional Risk Analysis

OneSpan Intelligent Adaptive Authentication provides capabilities that are needed for transactional risk analysis in alignment with NYCRR and PSD2. T ...

OneSpan Intelligent Adaptive Authentication can help banks and FIs improve the customer experience, detect/mitigate/reduce the risk of loss from fraud ...

6.3 General Security Considerations

MFA and transactional risk analytics systems do not operate in isolation from other systems. OneSpan Intelligent Adaptive Authentication can send even ...

7 Recommendations

NYCRR is in effect, and PSD2 RTS is fast approaching. This may require major technology insertions for many banks and TPPs. IAM/CIAM infrastructure ma ...

7.1 Recommendations for Conducting an IAM Maturity Assessment

  • Inventory existing IAM and risk management infrastructure: Does it support MFA? Which authenticators? Does it have sufficiently advanced risk analys ...

7.2 Recommendations for Meeting NYCRR MFA and PSD2 SCA Requirements

  • Deploy or utilize advanced MFA solutions that offer a good mix of authentication options, particularly emphasizing mobile authenticators. Choose sol ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.