
Financial institutions consider multi-factor authentication, Part 3

Jan 30, 2006 (4 mins)

* Wrap-up of discussion on multi-factor authentication for online banking

This is the last of three articles in a series about multi-factor authentication for online banking. Financial institutions across the country are scurrying to implement stronger security measures this year based on recommendations from the Federal Financial Institutions Examination Council (FFIEC).

The adoption of online banking has dropped off recently, and experts believe it is due to consumers’ fears of identity theft and account hijacking. Oddly enough, says Bruce Cundiff of Javelin Strategy & Research, these fears are unfounded. “Online banking is actually safer than face-to-face banking because of the reduction of paperwork such as paper-based checks and account statements,” Cundiff says. “Our research shows that a high percentage of identity theft comes from paper-oriented processes.”

Nevertheless, banks are spending tremendous amounts of money on beefed-up security measures, including multi-factor authentication, so that their customers can feel more confident in online banking. The financial institutions have too large an investment in online banking to allow customers to revert to offline banking.

Scott Mackelprang is a banking industry security practitioner who has been tackling the multi-factor authentication issue for more than a year. Mackelprang is vice president of security and compliance at Digital Insight, a leading online banking provider for financial institutions.

While functioning as an application service provider (ASP) to middle market banks, Digital Insight has more than 6 million active end users of its online banking systems. Most of these systems, however, are custom branded for the banks, so a consumer wouldn’t know his online banking is being handled by Digital Insight.

Mackelprang says he talked to a range of vendors when he began investigating solutions for multi-factor authentication. “Because we can’t dictate the solutions to our clients (the banks), we looked for lots of flexibility in the products to address the varying needs of security.”

“It’s expensive to bring security to the masses,” adds Mackelprang. “‘Security’ isn’t a point solution. We look at the issue of security in terms of ‘deep defense.’ That’s why we offer our customers a suite of solutions to cover the entire problem space.”

Digital Insight selected TriCipher for a range of authentication solutions. Explains Mackelprang, “TriCipher offers several layers of authentication, so we can allow each of our clients to deploy what works best for them and their customers. What’s more, this company allows us to scale up our offerings to our customers as new threats emerge.”

At the most basic level, the TriCipher solution uses cookies to hold encrypted information about the person and his computer. “It has a very low impact on the end user, and it doesn’t require a highly sophisticated user base,” Mackelprang says.

At the next level of sophistication, the end user would download a small application to his PC that would allow him to store an encrypted key in a software vault held by the operating system. The key is parsed and stored in two places, making it virtually impossible to steal.

At the third level of security, the bank would send an end user a standard USB token on which to load cryptographic credentials.

Digital Insight allows its customers – the banks and credit unions – to select any and all of these solutions. In turn, some of the banks allow their customers to choose an authentication system that works best for them.

Today, each financial institution selects what authentication scheme(s) work best for it. But could there ever be an industry standard technology or method that is used universally by all banks? Mackelprang doesn’t hold out hope for this. “The members of the financial industry won’t all come together and solve this problem with one solution,” he says.

Nevertheless, there are efforts underway to minimize the impact of proprietary solutions being implemented today. Last November, the Liberty Alliance Project announced the formation of the Strong Authentication Expert Group (SAEG). While the Liberty Alliance works toward open federated identity, the SAEG will expand the alliance’s work to build the Identity Strong Authentication Framework, or ID-SAFE. This is intended to be an open framework to allow strong authentication solutions to interoperate across organizations, networks and vertical market segments. We can expect to see the first version of ID-SAFE specifications in 2006.