U.S. Bancorp, VeriSign team on banking security

The service relies on hardware-token-based authentication

U.S. Bancorp will use a hardware-token-based authentication service from VeriSign Inc. to secure access to commercial banking services for its customers, and may soon introduce a similar service for consumer banking customers, according to a VeriSign executive.

The bank will use VeriSign's Unified Authentication service to validate and secure interactions with commercial banking customers, providing them with a secure Universal Serial Bus token that they must use when accessing services online. The deal is just the latest evidence of renewed interest in so-called "multifactor" authentication within the banking industry, which is struggling with an epidemic of online identity theft scams, according to Judy Lin, executive vice president for VeriSign's security services.

As part of the program, U.S. Bancorp will make VeriSign security tokens available to more than 10,000 commercial banking customers. Those tokens will hold a digital certificate that identifies the bearer and will need to be inserted into machines before accessing Web-based commercial banking applications, Lin said.

The Unified Authentication service combines VeriSign-branded eToken USB authentication devices from Aladdin Knowledge Systems Inc. in Chicago with a managed validation service that runs on VeriSign's infrastructure. It also includes software modules that plug into a bank's existing back-end infrastructure. Banks can also choose to operate their own validation server as part of the service, Lin said.

At U.S. Bancorp, the authentication service will be integrated with existing user directory and identity management technology, validating interactions between the bank and its customers. A server operated by VeriSign will handle token validation, but no customer information will leave U.S. Bancorp's network in the process, she said.

VeriSign launched the Unified Authentication service in September as an extension of its Intelligence and ControlSM Services, which offer businesses network security information and tools. User log-in and permission information resides in the customer's user directory but is linked to a unique serial number for a secure token or other authentication device stored on a VeriSign server. Log-in requests by users will be passed to the VeriSign server, where a stored algorithm will validate that the serial number of the secure token or the one-time password is valid for the user requesting access, VeriSign said.

The eighth-largest bank in the country, U.S. Bancorp has over $190 billion in assets and 2,344 offices in 24 states. The bank chose VeriSign's new service for its ability to support many users and different types of authentication tokens, Richard Stephenson, U.S. Bancorp director of information security, said in a statement.

"U.S. Bancorp sees a large audience of different types of users, from high net worth individuals down to students and people with bank accounts," Lin said.

The bank is looking into a similar program for its consumer banking customers, although such a service would likely forgo use of USB hardware tokens, which can cost $20 or more each. Instead, inexpensive solutions such as plastic cards with lists of single-use passwords could be employed, she said.

"We've been working with U.S. Bancorp and other banks to think about ways to deploy very low-cost [multifactor authentication] solutions," Lin said.

Multifactor authentication requires customers to know a username and password and to have another identifier, such as a one-time password, smart card or USB token. The technology can make it more difficult for criminals to access online accounts, even if they captured a user's log-in and password.

VeriSign hopes to expand the appeal of its Unified Authentication service to other industries by partnering with other companies to expand the range of applications and service offerings that are part of the program, Lin said.

"We see this as a single infrastructure to which you can address a variety of needs, from the high-end business-to-business, to low-cost business-to-consumer applications," she said.


Copyright © 2004 IDG Communications, Inc.

Shop Tech Products at Amazon