Seven strong authentication methods

* Strong/second factor authentication methods

As promised last issue, I’m reprinting a glossary of strong/second-factor authentication methods that TriCipher provided me along with the results of its sponsored survey on people’s perceptions of online security. These seven methods are the ones most often encountered in a financial services environment, but they would be useful (and adaptable) in just about any area where stronger authentication is needed. Here they are:

* Computer recognition software

Using the computer as a second authentication factor is accomplished by installing a small authentication software plug-in that places a cryptographic device marker onto the consumer’s computer, which can then be verified as a second factor during the authentication process. The authentication process would then include two factors: password (something you know) and the device marker on the consumer’s computer (something you have). Because the device marker is always on the consumer’s computer, the user only has to enter their username and password to log in.

* Biometrics

Using biometrics as a second factor is accomplished by verifying physical characteristics such as a fingerprint or eye using a dedicated hardware device. Offering biometric authentication for consumer online banking has significant challenges including distribution of biometric readers and the associated cost per user.

* E-mail or SMS one-time password (OTP)

Using e-mail or SMS OTP as a second factor is accomplished by sending a second, one-time-use password to a registered e-mail address or cell phone. The user must then input that second one-time password in addition to their normal password to authenticate to the online bank. This method is generally considered too cumbersome for everyday logins because there is a time lag before users get the OTP they need to log in, but it is often used for the initial enrollment before providing another form of authentication.

* One Time Password (OTP) token

Using an OTP token as a second factor is accomplished by providing users with a hardware device that generates a constantly changing second password that must be entered into the online banking Web site in addition to the normal password. OTP tokens require the user to carry the token with them to log in to the bank Web site. If a customer has multiple banks that require OTP tokens, then the user must carry multiple tokens unless the banks integrate their systems to accept a single token.

* Out of band

Using out-of-band verification for authentication involves the bank calling a registered phone number and requesting that the user enter their password over the phone prior to allowing the user to log in. Similar to e-mail or SMS OTPs, this requirement introduces a time lag and requires that the user be at the location of the registered phone number.

* Peripheral device recognition

Using peripheral device recognition as a second factor is accomplished by placing a cryptographic device marker on a user’s existing device, such as a USB flash drive, an iPod, or a smart phone memory card, and then requiring that device to be plugged into the computer when the user logs into the online banking Web site. This can be a good alternative to the OTP token because it provides a hardware-based second factor but doesn’t require the user to carry an additional device. In addition, device markers from multiple banks can reside on a single hardware device without requiring the various banks to integrate their systems.
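The glossary does not say how a "cryptographic device marker" is actually checked, so the following added example (mine, not TriCipher’s product or anything from this column) assumes one workable design: at enrollment the bank stores a random per-device key and writes the same key into the marker; at login the bank issues a fresh challenge and the plug-in answers with an HMAC over it. The same code covers both the "computer recognition software" entry above (marker on a fixed PC) and this "peripheral device recognition" entry (marker on a removable device that can hold markers from several banks side by side). Bank names and device ids are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _marker_mac(key: bytes, bank_name: str, challenge: bytes) -> bytes:
    # The bank name is bound into the MAC so a response meant for one bank
    # is not accepted by another bank whose marker shares the device.
    return hmac.new(key, bank_name.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class DeviceMarkerRegistry:
    """One bank's side of device-marker authentication (design assumed for this example).

    enroll() creates a random per-device key, remembers it under (user, device_id),
    and returns the marker the plug-in writes onto the consumer's device. verify()
    accepts a login only if the response is the HMAC of a fresh challenge under
    that key, i.e. only if the enrolled device is present.
    """

    def __init__(self, bank_name: str):
        self.bank_name = bank_name
        self._keys: Dict[Tuple[str, str], bytes] = {}

    def enroll(self, user: str, device_id: str) -> dict:
        key = secrets.token_bytes(32)
        self._keys[(user, device_id)] = key
        return {"bank": self.bank_name, "device_id": device_id, "key": key}

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh per login, so an old response is worthless

    def verify(self, user: str, device_id: str, challenge: bytes, response: Optional[bytes]) -> bool:
        key = self._keys.get((user, device_id))
        if key is None or response is None:
            return False
        return hmac.compare_digest(_marker_mac(key, self.bank_name, challenge), response)


class MarkerHolder:
    """The consumer side: a fixed computer (computer recognition) or a removable
    device such as a USB stick (peripheral device recognition). Markers from
    several banks coexist because each is stored under its bank name."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self._markers: Dict[str, dict] = {}

    def store(self, marker: dict) -> None:
        self._markers[marker["bank"]] = marker

    def respond(self, bank_name: str, challenge: bytes) -> Optional[bytes]:
        marker = self._markers.get(bank_name)
        if marker is None:
            return None  # no marker for this bank on this device: second factor fails
        return _marker_mac(marker["key"], bank_name, challenge)
```

Two properties fall out of this arrangement. Markers from two banks on one USB stick work independently with no integration between the banks, which is the advantage the glossary claims. And a second computer with no marker cannot complete the login at all, which is exactly the portability cost the column’s author raises below.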

* Scratch-off card

Using a scratch-off card as a second factor is accomplished by issuing the user a card containing several PIN numbers that the user scratches off and then uses only one time to log in. This is a lower-cost one-time password option than tokens.
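The e-mail/SMS OTP entry and the scratch-off card entry describe the same bank-side bookkeeping: a code is valid once, and in the SMS case only for a short time. This added example (mine, not from TriCipher or the column) shows that bookkeeping in one store that hands out both kinds of code, keeps only SHA-256 digests of them, deletes each on first use, and counts wrong guesses per user so that six-digit codes cannot simply be cycled through. Users, lengths and the five-minute lifetime are constructed values.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

_MISSING = object()


class OneTimeCodeStore:
    """Bank-side record of single-use codes (design assumed for this example).

    SMS/e-mail OTPs carry a short time-to-live; scratch-off PINs have none and may
    be used in any order. Only digests are stored, each code is removed on first
    use, and a per-user wrong-guess limit protects short numeric codes.
    """

    def __init__(self, max_failures: int = 5):
        self._codes: Dict[str, Dict[str, Optional[int]]] = {}  # user -> {digest: expiry or None}
        self._failures: Dict[str, int] = {}
        self.max_failures = max_failures

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue_sms_otp(self, user: str, now: int, ttl: int = 300, digits: int = 6) -> str:
        """Generate one short-lived code; the caller delivers it to the registered address or number."""
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self._codes.setdefault(user, {})[self._digest(code)] = now + ttl
        return code

    def issue_scratch_card(self, user: str, count: int = 10, digits: int = 8) -> List[str]:
        """Generate a card's worth of PINs; they never expire but each is good once."""
        pins = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]
        bucket = self._codes.setdefault(user, {})
        for pin in pins:
            bucket[self._digest(pin)] = None
        return pins

    def redeem(self, user: str, code: str, now: int) -> bool:
        """Second-factor check: consume the code if present, unexpired, and the user is not locked out."""
        if self._failures.get(user, 0) >= self.max_failures:
            return False
        bucket = self._codes.get(user, {})
        expiry = bucket.pop(self._digest(code), _MISSING)
        if expiry is _MISSING:
            self._failures[user] = self._failures.get(user, 0) + 1
            return False
        if expiry is not None and now > expiry:
            return False  # expired; already removed, so it cannot be retried
        self._failures[user] = 0
        return True
```

The pop-before-check ordering is deliberate: an expired SMS code is discarded the moment it is presented, and a correct scratch-off PIN disappears on its first use, so neither can be replayed even if it was seen in transit.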

Note that TriCipher really likes the “Computer recognition software” method - the one I like least, in an online transaction environment, that is. I use many different computer platforms to interact with businesses online, businesses where I have accounts and spend money (or save money, if it’s the bank). I travel a lot but still need to spend money, pay bills, check balances, etc. Any strong authentication method tied to one specific computer actually hampers my access while not really providing a concomitant increase in security. I do like biometrics, but I really like using my cell phone for out-of-band verification. Either via voice or SMS, it’s the system I wish more folks would adopt. You, of course, are free to choose whichever best serves your purposes.

Copyright © 2007 IDG Communications, Inc.