Financial institutions consider multi-factor authentication, Part 2

Opinion
Jan 23, 2006
4 min read
Topics: Authentication, Networking

* A look at some authentication solutions currently being implemented at various banks

Last week we talked about financial institutions feeling the pressure to implement multi-factor authentication for online transactions. The Federal Financial Institutions Examination Council (FFIEC) has recommended adoption of more stringent security measures by the end of 2006. This week we’ll look at a few interesting authentication solutions that are already being implemented at various banks. These solutions are explored in a recent report by Javelin Strategy & Research.

In the Javelin study, several authentication solutions floated to the top of the charts. One is a cookie-enabled software token, which can be installed on the consumer’s preferred PC and used to reasonably identify the user before he interacts with his online financial information. Software tokens easily meet the criteria for affordability and usability, and prove to be useful against account hijacking.

A second customer-friendly solution that has been implemented by organizations such as Stanford Federal Credit Union and Bank of America is a visual recognition scheme. This is a two-way authentication that not only identifies the consumer to the bank, but also the bank to the consumer. It can be used for online banking and e-mail, so that the customer can be assured that he is on the bank’s authentic site or viewing legitimate e-mail from the bank – thus eliminating the pitfalls of a spoofed site or phishing attack.

The solution behind this visual recognition technology is called the PassMark System and is developed by PassMark Security. A PassMark is a shared secret consisting of an image (perhaps a photo of the customer’s child or pet) and corresponding text, and it is unique to each individual user. It is inserted between the username and the password in the login process. Once a customer types in his username, the bank attempts to identify his client device based on a cookie or software token. If the device is recognized, the banking Web site will display the customer’s unique image and text – the PassMark – and then prompt for the password.

If the client device is not recognized during the login process, the bank presents a challenge question to the user (e.g., “What high school did you attend?”). Once this is answered correctly, the PassMark is shown and the password is requested.
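The login sequence described above, modelled in Python as an added example (this is not code from the article or from PassMark Security, and the class, method and field names are assumptions for the illustration). The device token is checked first; an unrecognised device is sent the challenge question; and the PassMark image and caption are released only after one of those two checks passes, before the password is ever requested. Passwords and challenge answers are stored only as salted PBKDF2 hashes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def _kdf(secret: str, salt: bytes) -> bytes:  # salted, slow hash: nothing stored in clear
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    challenge_question: str
    challenge_hash: bytes
    passmark: tuple                            # (image id, caption) shared with the user
    devices: set = field(default_factory=set)  # software-token values issued to this user
    verified: bool = False                     # device or challenge checked this session

class PassMarkBank:
    def __init__(self):
        self.accounts = {}

    def enroll(self, user, password, question, answer, image, caption):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _kdf(password, salt), question,
                                      _kdf(answer.lower(), salt), (image, caption))

    def begin(self, user, device_token):  # step 1: username submitted, device checked
        acct = self.accounts[user]
        if device_token in acct.devices:  # recognised PC: reveal PassMark, ask for password
            acct.verified = True
            return {"step": "password", "passmark": acct.passmark}
        return {"step": "challenge", "question": acct.challenge_question}

    def answer_challenge(self, user, answer):  # unknown device: challenge stands in for it
        acct = self.accounts[user]
        if hmac.compare_digest(_kdf(answer.lower(), acct.salt), acct.challenge_hash):
            acct.verified = True
            return {"step": "password", "passmark": acct.passmark}
        return {"step": "denied"}  # wrong answer: the PassMark is never shown

    def finish(self, user, password):  # step 2: password, only after the PassMark step
        acct = self.accounts[user]
        if not acct.verified or not hmac.compare_digest(
                _kdf(password, acct.salt), acct.password_hash):
            return {"step": "denied"}
        acct.verified = False
        token = secrets.token_urlsafe(32)  # cookie/software token for the next visit
        acct.devices.add(token)
        return {"step": "ok", "device_token": token}
```

A first visit from an unknown PC goes begin → answer_challenge → finish; the token returned by finish makes the next begin call skip the challenge, which is the cookie-based recognition the column describes.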

From the customer’s perspective, if he isn’t presented with the image he expects, then he knows this can’t be the authentic Web site of the bank. He might well be on a spoofed site that is waiting to steal his personal information. If he sees his expected image, he can feel confident to proceed.

What the end user doesn’t see under the covers with the PassMark solution is a series of activities in the “verification stage” that positively identify the user and his device. In a split second, the PassMark solution conducts device forensics, network forensics, and behavior analysis. For instance, PassMark can tell if the customer is logging in from his regular device in Poughkeepsie, N.Y. to pay bills, or if a hacker using the customer’s ID and password is logging in from a strange device in Romania to transfer funds to another account.

Bank of America calls its implementation of the PassMark System “SiteKey.”

Whatever solution a bank chooses for multi-factor authentication, Javelin senior analyst Bruce Cundiff says it’s critical that the IT professionals work closely with the product people who understand the customer issues. “Consumer usability is key,” Cundiff says. “The IT guy could create the strongest authentication scheme there is, but if it’s hard to use, customers won’t use it. It’s important to get the ‘cross pollination’ between the technical experts and the business experts when designing a useful security system.”

In a final report next week, we’ll look at another solution chosen by banking ASP Digital Insight Corporation.