Shareholder Authentication (published 2015)

• Table of Contents
• Introduction
  • Universe of Transactions
    • Nature of Participants in Shareholder Transactions
    • Types of Shareholder Transactions
    • Means of Transmission of Transaction Requests
• Authentication In Theory
  • Principles of Authentication
    • The First Authentication Factor: What You Know
    • The Second Authentication Factor: What You Have
    • The Third Authentication Factor: What You Are
    • Multi-Factor Authentication
    • Non-Traditional Authentication Factors
    • Mutual Authentication
    • Positive and Negative Authentication Factors
  • Limitations of Authentication
    • Limitations of Authentication Measures in Common Use
    • Limitations of Authentication Measures Generally
• Authentication In Practice
  • Technological Solutions
    • Shareholder Knowledge
    • Hardware and Software Tokens
    • Biometrics
    • Behavioral Patterns
    • Protection of Authenticated Sessions
    • Authentication of Devices
    • Authentication of Transactions
    • Authentication of Fund Groups (Mutual Authentication)
  • Operational Initiatives
    • Overall Threat Environment
    • Risks Associated with Authentication Systems
    • Risks Associated with Particular Transactions
    • Potential Legal Consequences of Transactional Fraud
    • Limiting Potential for Damage from Fraudulent Transactions
    • Protection of Online Transaction Systems
  • Educational Efforts
    • Employee Training and Awareness
    • Shareholder Awareness
• Insurance
• Glossary
• Further Reading

Fund groups often protect the integrity of an authenticated session by terminating the session after some designated period (e.g., 15 minutes) of inactivity on the shareholder’s side. This step is intended to guard against the possibility that the shareholder has left his or her computer, and that a fraudster may seek to continue the session.

Fund groups may also wish to consider whether to include additional means of verifying that, after the initial authentication, the person engaging in a transaction remains the properly authenticated shareholder. This could be accomplished, for example, by requiring a shareholder who has just requested a higher-risk transaction (e.g., a transaction of an unusually large dollar amount) to answer KBA questions before the transaction order is sent. Another potential means of performing ongoing or continuous authentication might rely on analyzing a user’s behavioral patterns (e.g., analyzing how a shareholder types, uses a mouse, or uses a smartphone).¹

1. See, e.g., Active authentication seeks to augment passwords, INFOSECURITY MAGAZINE (Sept. 10, 2012), http://www.infosecurity-magazine.com/news/active-authentication-seeks-to-augment-passwords/ (describing a project by the U.S. Defense Advanced Research Projects Agency to strengthen the initial authentication of a user through continuous monitoring of the user’s keystroke and mouse movements).