Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
As promised last issue, I’m re-printing a glossary of strong/second factor authentication methods that TriCipher provided me along with the results of its sponsored survey on people’s perceptions of online security. These seven methods are those most often encountered in a financial services environment, but they would be useful (and adaptable) to just about any area where stronger authentication was needed. Here they are:
* Computer recognition software
Using the computer as a second authentication factor is accomplished by installing a small authentication software plug-in
that places a cryptographic device marker onto the consumer’s computer, which can then be verified as a second factor during
the authentication process. The authentication process would then include two factors: password (something you know) and the
device marker on the consumer’s computer (something you have). Because the device marker is always on the consumer's computer,
the user only has to enter their username and password to log in.
* Biometrics
Using biometrics as a second factor is accomplished by verifying physical characteristics such as a fingerprint or eye using
a dedicated hardware device. Offering biometric authentication for consumer online banking has significant challenges including
distribution of biometric readers and the associated cost per user.
* E-mail or SMS one-time password (OTP)
Using e-mail or SMS OTP as a second factor is accomplished by sending a second one-time use password to a registered e-mail
address or cell phone. The user must then input that second one-time password in addition to their normal password to authenticate
to the online bank. This method is generally considered too cumbersome for everyday logins because there is a time lag before
users get the OTP they need to log in, but it is often used for the initial enrollment before providing another form of authentication.
* One Time Password (OTP) token
Using an OTP token as a second factor is accomplished by providing users with a hardware device that generates a constantly-changing
second password that must be entered into the online banking Web site in addition to the normal password. OTP tokens require
the user to carry the token with them to log in to the bank Web site. If a customer has multiple banks that require OTP tokens,
then the user must carry multiple tokens unless the banks integrate their systems to accept a single token.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (1)
Seven strong authentication methods
By Anonymous on March 28, 2007, 1:26 pm
Dave, What about the grid card solutions - like Entrust's. They are low cost, can be carried in a wallet, used over multiple devices, etc... Easy to carry 2 or...