An innovative approach to two-factor authentication for financial transactions

* Could ENCard be an easy and inexpensive solution to the two-step authentication issue?

I’ve been whining a lot lately about wanting two-factor authentication for my online banking system. It makes me incredibly nervous that I can log on to my personal account and gain access to my entire financial portfolio with nothing more than a password. This is the case for the bank where I have a checking account and the company where I have all my long-term investments. I’m just one user ID and a password away from all the bucks.

I had a discussion with the IT personnel at my investment firm about this, and they told me they are looking into two-step authentication, but it is at least a year away from implementation.  That might be too late, as it only takes an identity thief a few minutes to crack a password and tap the accounts for all they’re worth.

It seems I’m not the only one concerned about the situation. The Federal Financial Institutions Examination Council recently instructed banks that conduct transactions via Web sites to implement two-step authentication by the end of 2006. 

Now that banks are required to do something about this, they’ll be looking for solutions to deploy. Given that my investment house told me that many of their customers feel that even passwords are too complicated, the financial institutions will be looking for solutions that are easy and inexpensive for the customer and non-burdensome for the bank. The short list of requirements looks like this:

* Inherently secure.

* Inexpensive to deploy, use and maintain.

* Easy for non-technical customers to use.

* Universally accepted by various businesses.

* Minimal impact to existing infrastructure.

That looks like a lot of conflicting requirements. It’s hard to imagine one solution that is easy, inexpensive, and secure, and that doesn’t require a lot of new hardware and software on the users’ or providers’ part.

One solution that seems to meet all those requirements nicely is the ENCard, from DG Card Corporation, a division of Taiwan-based computer media company Medea International. The ENCard looks and acts much like an ATM or debit card, with a magnetic strip on the back that holds embedded account information. This part of the card can be used in traditional point-of-sale swipe machines or your bank’s ATM devices with no additional hardware or software.

However, the flip side of the ENCard has a computer-readable surface that can be used in your PC’s CD or DVD drive. The ENCard fits into a small disk adapter so that the contents of the card can be read by your computer and transmitted over the Internet to your bank or any online merchant.  Thus, it is a token to enable your online banking via two-step authentication, and it acts as an online debit card that is tied to your bank account.  This relieves you of the need to type in your credit card number when you make an online purchase.

The card requires no client-side hardware or software, other than the CD or DVD drive of your PC.  The bank or card issuer would use an authentication server to verify the user, whose data is encrypted before traversing the Internet. If the card is used as a debit card to purchase something online, the merchant doesn’t need anything special, other than an account and software to connect the buyer (card owner) to his bank’s authentication server.

The ENCard sounds like an easy and inexpensive solution to the two-step authentication issue.  What do you think?  Would you give it a try if your bank offered it?  I would!  And I don’t want to wait a year for it, either.

Linda Musthaler is vice president of Currid & Company. You can write to her at Linda.Musthaler@currid.com.


Copyright © 2005 IDG Communications, Inc.
