PostFinance Relies on Nevis for a Secure and User-Friendly Login Process
Initial Situation
PostFinance and Nevis have enjoyed a trusting working relationship for the past 15 years, with frequent discussions about future topics and their potential. This gave rise to a desire for uniform digital access to the banking platform. Customers originally had two different retail bank login processes to choose from: via a card reading device or mobile ID. There was also a so-called “fast service” for use on mobile devices that relied on a password or Touch ID. However, since the underlying security and authentication technologies did not fully meet the requirements of a comprehensive mobile banking solution, the functionalities of the fast service were very limited.
While the first two concepts gave users unlimited e-finance access with limited user-friendliness, the fast service app scored high for providing a good user experience, albeit with a much smaller range of functions given security concerns. Both partners had the same goal in mind: uniform app access, on a smartphone as well as on a desktop.
Solution
In order to achieve this goal, a software-based two-factor authentication process in line with FIDO UAF, the industry standard for password-free authentication, was implemented. The operational principle: after registering, users can sign in to the online service with their device without entering a password each time. Different biometric features, such as fingerprint or face, are deployed for user authentication.
Right at the start of the project, it was determined which operating system versions the app should support; particularly outdated versions were out of the question for security reasons. Another security element is mobile app protection, or hardening. Among other things, this involves checking whether the smartphone has been jailbroken or rooted, which can massively compromise security.
The final solution covers the entire Identity and Access Management of the PostFinance e-finance portal and guarantees secure access for end customers via desktop or mobile devices. All login processes are integrated with the central access management infrastructure using the nevisAuth authentication service. As of August 2020, around 1.1 million users had activated the new login process, with around 50,000 new registrations per month.