Banks get new online authentication guidelines

Biometric systems, tokens and one-time passwords are possible solutions

With the clock ticking for banks to implement new federal guidelines that call for stronger user authentication during online transactions, the industry's attention is shifting to the technology options available to meet the requirements.

The Federal Financial Institutions Examination Council (FFIEC) last week released new guidelines aimed at overhauling security in Internet-based banking and financial services. The guidance, titled "Authentication in an Internet Banking Environment," calls on banks to upgrade current single-factor authentication processes -- typically based on user name and passwords -- with a stronger, second form of authentication by the end of 2006.

The FFIEC guidance leaves it up to the banks to choose which kind of authentication to implement, but lists several that are now available, including biometric systems, tokens, and one-time passwords.

The FFIEC is an interagency council set up to develop standards for the federal auditing of financial institutions by bodies such as the Federal Reserve System and the Federal Deposit Insurance Corp. (FDIC).

The new guidelines are not a law, but are more like best practices that banks will be audited against by the end of 2006, a spokesman from the Federal Reserve said. At that time, federal examiners will begin documenting situations where financial institutions are not yet in compliance, he said.

"I'm not a big fan of regulations in general, but this one has the right intent," said Kevin Doyle, information security officer at Pennsylvania State Employees Credit Union (PSECU) in Harrisburg. "Online threats are going more and more toward the end users, and the FFIEC is simply reacting to that trend."

The key for banks is to make sure they choose the right authentication approach to comply with the requirements, said Robert Garigue, chief information security officer at the Bank of Montreal in Toronto. "There is no one single technology that is appropriate for all your authentication and authorization needs," he said. "You have to look at it in the context of the business value at risk," as well as consumer friendliness of the authentication technology.

Token-based authentication, for instance, is relatively expensive to implement, said Naftali Bennet, CEO of Cyota Inc. a vendor of antifraud services to the banking industry based in New York.

That's one of the reasons why San Francisco-based Bank of the West is looking at other options. "It's a cost-benefit issue, and trying to make sure you don't put any additional inconveniences on your customers," said Donald Duggan, the chief technology officer at the bank, which manages $41 billion in assets.

"My own personal viewpoint is that as a consumer, I wouldn't want to carry a token around everywhere I went," said Duggan.

Instead, the bank is investigating a technology from Passmark Security Inc. in Redwood City, Calif., that uses a combination of a user-selected image, a secret phrase and a challenge question to authenticate users on bank Web sites.

The cost of implementing the technology for a bank with 50,000 online users is $1 per user per year, and the price decreases as the number of users increases, said Steve Klebe, vice president of sales and business development at Passmark. With a larger bank, it costs less than a single postage stamp per user per year, he said.

Bank of America Corp. began rolling out the technology in May, and currently offers it as a voluntary option to half of its nearly 14 million users nationwide, Klebe said.

Passmark signed Scottrade Inc., the fifth-largest online broker, last week, and has another six unnamed financial institutions -- including one of the largest Internet-only banks and two of the five largest credit unions nationwide -- under contract as well, Klebe said.

The PSECU, meanwhile, has started rolling out a two-factor authentication technology from Cyota that analyzes and scores the potential risk on every online banking transaction based on criteria such as the user's computer, IP address, geographic location and prior transaction behavior. Users conducting online banking transactions that are flagged as being high-risk by the system are authenticated via phone.

Digital Insight Inc., a provider of outsourced Internet banking services in Calabasas, Calif., plans to offer its clients multiple ways of authenticating their customers by the time the FFIEC guidelines go into effect, said Scott Mackelprang, the company's vice president of security and compliance.

Digital Insight will use technology from TriCipher Inc., a San Mateo, Calif.-based based vendor that offers two- and even three-factor authentication products. One of the products is a device-based identification system that lets users authenticate themselves to a bank Web site by placing special cookies on the systems they use. Another product allows users to store a portion of their authentication credentials in any device, such as a USB token or even an MP3 player, and then use the device when logging into a banking site. The technologies cost between 50 cents and $4 per user per year to implement, said Sally Sherward, vice president of business development at TriCipher.

"There seems to be a lot of diversity" when it comes to authentication approaches, Mackelprang said. "It goes without saying that what you choose has to be scalable and easy enough for the nontechnical user to use," he said.

However, some analysts argue that two-factor authentication alone won't be enough, and that banks need to install specific measures to combat fraud.

"What good is an expensive lock if the bank doesn't have an alarm system?" said Ariana-Michelle Moore, an analyst at Celent Communications, a bank technology research firm. "What good is an alarm system if no one hears or sees it go off?"

Copyright © 2005 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon