Authentication: Where’s the magic factor?

As cybercrime threatens online banking security and technologists debate the efficacy of two-factor authentication solutions, business and technical questions remain.

In a Network World “Face-Off” last year, RSA Security’s Joe Uniejewski argued for two-factor authentication (which regulatory authorities recommend), while Counterpane’s Bruce Schneier pointed out that attackers would find ways around this and banks would be better off addressing transaction security. I believe stronger authentication will help, but the industry also must focus on user awareness, computer security, network hygiene and business questions around transaction security.

I recently attended a meeting of NACHA-The Electronic Payments Association, at which it became clear that regulators are fairly open-minded about evaluating how banks address risk and that a ferment of creative energy and innovation is going into this area. The technical discussion is all about what one considers an authentication factor.

Is Authentify’s voice recording, collected on the phone at the time of a transaction for audit purposes, a factor? Is Bank of America’s SiteKey from Passmark, which displays a picture chosen by the user to authenticate the site, a factor? How about RSA Security’s fraud network acquired from Cyota? Or 41st Parameter’s sophisticated real-time device identification? Or Strikeforce Technology’s plethora of plug-in functions? Could eWise’s innovative, human-only-readable watermark hold the key? The latter weaves a transaction description such as “Wire $5,000 to Shanghai” alongside an illustrated confirmation code for the user to enter (or not). Potentially, the answer to all of these questions is yes.

From a business perspective, banks are much less concerned about losses to fraud than they are about scaring away customers. To them, online banking represents a Mecca of huge cost savings and revenue opportunities. The technical solutions that win out for them will be those that offer unobtrusive but effective protection.

The question no one seems to be asking out loud is: Who owns the liability? Astute users remain uneasy about what happens if a fraudster cleans out their bank account in a world of strong authentication. Will the bank make good the user’s losses out of concern for its reputation, or will it hold the user negligent? A bank that invests in one-time password tokens will argue the devices are effective and thus, only the user could take money out of the account.

A government representative told me, “I would interpret Regulation E [regarding electronic funds transfer] to make the bank responsible. The computer is just another access device, like an ATM.” But no one knows how the courts will rule when Regulation E is put to the test.

Even with the best technical solutions, there will be residual risk. With the business question of transaction security still up in the air, vendors are placing their bets, but many banks seem to be waiting for clearer direction, and knowledgeable users are anxious.

What do you think? Discuss in our forum.