The need for strong authentication to protect online transactions and to comply with new regulations spawned a host of start-ups over the past couple of years offering exotic types of two-factor authentication.
Last year, we profiled several of those companies, which used techniques like fingerprint scanners, facial recognition, biometric authentication based on your typing patterns, and so-called "cognitive biometrics" that rely on your memories of unique events in your life.
But those complex authentication methods failed to gain broad adoption, and many of those companies are no longer around. Hardware-based tokens, which have been around forever, have failed to win many converts. And the plain old username and password, once thought to be an endangered species, is very much alive.
So, what happened?
Apparently, banks and other online companies decided that upsetting their customers with convoluted authentication schemes was a price they weren't willing to pay. So, from a customer perspective, very little has changed.
"If they experience anything besides passwords – and many don't – consumers typically encounter knowledge-based authentication," says Mark Diodati, senior analyst of identity and privacy strategies for the Burton Group. Examples would be asking a consumer the name of their favorite pet or the high school they attended.
But online companies are doing more to make sure people are who they say they are – they're just doing it behind the scenes. The most common tool is device recognition, usually a combination of a cookie or Flash object and other device specifics, such as IP address, time zone settings, and your operating system and browser. In theory, these provide a second factor in the something-you-know, something-you-have, something-you-are authentication matrix.
Your computer's settings are something you have, while the challenge questions cover something you know.
Other behind-the-scenes protections, while not technically authentication factors, include geolocation and transaction monitoring. Geolocation restricts online activities to the geographical locations where customers typically conduct business. Combined with proxy detection, this is a strong form of fraud protection. That bank transfer to (or from) Kenya or Uzbekistan will be tagged as very high-risk and may be blocked.
Transaction monitoring, at its most basic, simply targets activities that are known to be typical of fraud. More sophisticated systems, such as those from RSA, VeriSign, Arcot and Entrust, develop profiles over time for how individual users behave.
"The classic manifestation of risk analytics is passive from the consumer's perspective," Diodati says. "What gets flagged are anomalies."
Most people have established banking patterns. You log in from specific devices and locations. You make withdrawals within a certain dollar range. You pay the same bills each month. You take out large chunks of money a couple of times a year for vacations. It's predictable. If you break your normal patterns, you'll be asked to further authenticate yourself.
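The following is an added illustration of the behind-the-scenes logic the article describes (device recognition from a cookie plus device specifics, geolocation with proxy detection, and a per-user transaction profile that flags anomalies). It is not code from any of the vendors named above; the weights, thresholds, the step-up tiers ("allow", "challenge", "block"), the sample customer and the device attributes are all assumptions chosen for the example. The IP address is deliberately left out of the device identifier, because it changes too often to be a stable device attribute; the example treats location separately through the country and proxy signals.

```python
"""Risk-based step-up decision combining device recognition, geolocation and
transaction profiling. Added example; weights, thresholds and sample data are
assumptions, not any vendor's algorithm."""

import hashlib
import hmac
import statistics
from dataclasses import dataclass

# Server-side key for deriving device identifiers (constructed sample value).
DEVICE_ID_KEY = b"constructed-example-key"


def device_id(attrs: dict) -> str:
    """Derive a stable identifier from device specifics (time zone, OS,
    browser). Keying the hash means the cookie holds only an opaque value
    that cannot be recomputed by someone who merely learns the attributes."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(DEVICE_ID_KEY, canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class UserProfile:
    """What the bank has learned about one customer over time."""
    known_devices: set      # device_id values seen on successful logins
    usual_countries: set    # ISO country codes the customer transacts from
    past_amounts: list      # recent transaction amounts


def assess(profile, attrs, cookie_id, country, via_proxy, amount):
    """Return (decision, score, reasons). Decision is 'allow', 'challenge'
    (ask a knowledge-based question) or 'block' (hold for review)."""
    score, reasons = 0, []
    current = device_id(attrs)

    # Device recognition: the cookie-held id must agree with live attributes.
    if cookie_id is None:
        score += 10
        reasons.append("no device cookie")
    elif cookie_id != current:
        score += 30
        reasons.append("device cookie does not match attributes")
    if current not in profile.known_devices:
        score += 20
        reasons.append("unrecognised device")

    # Geolocation plus proxy detection.
    if country not in profile.usual_countries:
        score += 30
        reasons.append(f"unusual country {country}")
    if via_proxy:
        score += 20
        reasons.append("request arrived through a proxy")

    # Transaction profiling: amount far outside the customer's usual range.
    # A floor on the spread keeps a very regular history from flagging
    # every small deviation.
    if len(profile.past_amounts) >= 2:
        mean = statistics.mean(profile.past_amounts)
        spread = max(statistics.pstdev(profile.past_amounts), 0.1 * mean)
        if amount > mean + 3 * spread:
            score += 25
            reasons.append(f"amount {amount} outside usual range")

    if score >= 60:
        decision = "block"
    elif score >= 30:
        decision = "challenge"
    else:
        decision = "allow"
    return decision, score, reasons


# Constructed sample customer and devices.
HOME_PC = {"tz": "America/New_York", "os": "Windows", "browser": "Firefox"}
NEW_LAPTOP = {"tz": "America/New_York", "os": "macOS", "browser": "Safari"}
ALICE = UserProfile(known_devices={device_id(HOME_PC)},
                    usual_countries={"US"},
                    past_amounts=[120, 140, 110, 130, 125])

if __name__ == "__main__":
    cases = [
        ("usual session", (ALICE, HOME_PC, device_id(HOME_PC), "US", False, 140)),
        ("new laptop, no cookie", (ALICE, NEW_LAPTOP, None, "US", False, 140)),
        ("foreign proxy, large amount", (ALICE, HOME_PC, device_id(HOME_PC), "KE", True, 5000)),
    ]
    for label, args in cases:
        print(label, "->", assess(*args))
```

Run as-is, the usual session is allowed with a score of 0, the new laptop without a cookie lands in the "challenge" tier (which is where a knowledge-based question would be asked), and the large transfer through a proxy from a country the customer never uses is blocked. In a real deployment the profile would be updated from each successful session, and the weights would be tuned against observed fraud rather than fixed by hand.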
Comments (6)
What...?
By Anonymous on December 15, 2008, 3:47 pm
"Consumers may balk at having to carry tokens to get at their money". Huh? Most consumers already *do* carry a token to get at their money. It's called an ATM...

Token Resistance
By Anonymous on December 15, 2008, 5:39 pm
That's because there's a bunch of ignorant "IT" professionals out there. The same who stored sensitive credit card data in plain text when encryption has been...

Token resistance
By Anonymous on December 15, 2008, 5:47 pm
Most developed countries are now going biometrics for passports and id cards. Banks (at least in Switzerland) are using strong (token-based) authentication for...

TPM authentication built into PCs
By Anonymous on December 16, 2008, 11:13 am
Trusted Platform Modules now are basically free in most enterprise PCs and enable multifactor authentication. TPMs securely store passwords, keys and certificates....

Security
By Anonymous on December 16, 2008, 12:04 pm
The client security problem has been solved architecturally. It's hardware security through the TPM, activated via a biometric interface, specifically fingerprint....

Don't confuse TPM with a token or an id card
By Anonymous on December 16, 2008, 7:33 pm
A TPM protects hardware (the computer), sure you may store keys/certs in it, but it is intended to serve the machine not the person. A token/id_card protects the...