Shareholder Authentication (published 2015)

• Table of Contents
• Introduction
  • Universe of Transactions
    • Nature of Participants in Shareholder Transactions
    • Types of Shareholder Transactions
    • Means of Transmission of Transaction Requests
• Authentication In Theory
  • Principles of Authentication
    • The First Authentication Factor: What You Know
    • The Second Authentication Factor: What You Have
    • The Third Authentication Factor: What You Are
    • Multi-Factor Authentication
    • Non-Traditional Authentication Factors
    • Mutual Authentication
    • Positive and Negative Authentication Factors
  • Limitations of Authentication
    • Limitations of Authentication Measures in Common Use
    • Limitations of Authentication Measures Generally
• Authentication In Practice
  • Technological Solutions
    • Shareholder Knowledge
    • Hardware and Software Tokens
    • Biometrics
    • Behavioral Patterns
    • Protection of Authenticated Sessions
    • Authentication of Devices
    • Authentication of Transactions
    • Authentication of Fund Groups (Mutual Authentication)
  • Operational Initiatives
    • Overall Threat Environment
    • Risks Associated with Authentication Systems
    • Risks Associated with Particular Transactions
    • Potential Legal Consequences of Transactional Fraud
    • Limiting Potential for Damage from Fraudulent Transactions
    • Protection of Online Transaction Systems
  • Educational Efforts
    • Employee Training and Awareness
    • Shareholder Awareness
• Insurance
• Glossary
• Further Reading

To date, authentication measures based on the second authentication factor—i.e., what a user has—appear to be relatively uncommon in the fund industry (although some brokerage firms do offer two-factor authentication). Such measures include the use of hardware tokens (such as the widely-used RSA SecurID token) or software tokens (in the form of text messages or mobile apps, such as the Google Authenticator app), which take advantage of the widespread adoption of smartphones. In considering the use of hardware or software tokens, fund groups may wish to consider, among other things, implementation costs and/or the anticipated degree of shareholder acceptance. For hardware tokens, for example, the cost of purchasing the tokens and providing them to shareholders may be significant.

Software tokens may address the cost issue associated with hardware tokens, but may be less secure because they potentially represent a single point of failure.¹ For example, a fraudster who uses a stolen mobile device to effect a transaction would not be thwarted if the same mobile device receives a text message with the additional authenticating information.² By comparison, where hardware tokens are used instead of software tokens, the fraudster would need both the stolen phone and the hardware token to effect a fraudulent transaction.

1. See, e.g., Grant Le Brun, Hard, Soft, or Smart? Evaluating the Two-Factor Authentication Options, INFOSECURITY MAGAZINE (Sept. 20, 2012), http://www.infosecurity-magazine.com/view/28368/hard-soft-or-smart-evaluating-the-twofactor-authentication-options-/ (comparing the advantages and disadvantages of hardware and software tokens); Chester Wisniewski, The power of two - All you need to know about two-factor authentication, NAKED SECURITY (Jan. 31, 2014), https://nakedsecurity.sophos.com/2014/01/31/the-power-of-two-all-you-need-to-know-about-2fa/ (same).
2. See Grant Le Brun, Hard, Soft, or Smart? Evaluating the Two-Factor Authentication Options, INFOSECURITY MAGAZINE (Sept. 20, 2012), http://www.infosecurity-magazine.com/view/28368/hard-soft-or-smart-evaluating-the-twofactor-authentication-options-/ (questioning whether the use of a smartphone both to access sensitive data and to serve as the “something you have” device qualifies as two-factor authentication).