Technology Advances in Two-Factor Authentication

Safe, Sound, and Secure: Technology Advances in Two-Factor Authentication

Swann, James

Protecting personal customer information has long been one of the highest priorities for community banks, and the stakes have become much higher with the proliferation of Internet banking.

By the end of 2006, all banks will have to move to two-factor authentication, according to October guidance from the Federal Financial Institutions Examination Council.

While technology might be aiding fraudsters, it is also hard at work helping banks protect themselves. A number of companies are already active with two-factor solutions, each one offering a unique spin on security.

Computer ID

The keys to successful two-factor authentication, according to Jim Maloney, chief security executive for Corillian, are convenience and cost-effectiveness. “We began to look into two-factor authentication in 2003. We said ‘no’ to hardware or biometric solutions, as they proved to be expensive and inconvenient. Software solutions were also too expensive, plus there was the cost of maintenance and updates. Finally, we settled on distinctive behavior,” Maloney said.

Corillian’s system, Intelligent Authentication, recognizes an individual’s computer based on an access signature from the HTTP and TCP headers. From the signature, Corillian is able to analyze the time of day, the user agent string, what type of browser is being used, and the IP address. “We can actually pull off more things from the access signature, if we want,” Maloney said. Every computer has a unique signature, and if the system gets a computer it doesn’t recognize, it prompts the user with challenge questions.

“We can vary the challenge questions, perhaps even do out-of-band authentication. For instance, we could call you, give you a PIN number, and then you’d have to say it back into the phone and get your voice authenticated before you went any further,” Maloney said.
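The recognize-or-challenge flow described above can be sketched as follows. This is an added example, not Corillian's code: the function names, the choice of TCP window size and MSS as the TCP-level inputs, the /24 and /48 IP reduction, and the rule that an unusual login hour also triggers a challenge are all assumptions made for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Per-customer history (hypothetical structure)."""
    signatures: set = field(default_factory=set)   # device signatures already verified
    usual_hours: set = field(default_factory=set)  # hours (0-23) of past verified logins

def access_signature(user_agent, client_ip, tcp_window, tcp_mss):
    """Hash request attributes into one device signature.

    Assumption: the IP is reduced to its /24 (IPv4) or /48 (IPv6) network so that
    ordinary address churn on the same line does not look like a new computer.
    """
    ip = ipaddress.ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    material = "|".join([user_agent.strip(), str(network), str(tcp_window), str(tcp_mss)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def decide(profile, signature, hour):
    """Return 'allow' or 'challenge' for a login that already passed the password check."""
    if signature not in profile.signatures:
        return "challenge"   # unrecognized computer: ask challenge questions
    if hour not in profile.usual_hours:
        return "challenge"   # assumption: an unusual time of day also steps up
    return "allow"

def enroll(profile, signature, hour):
    """Record a computer and login hour after the customer passes the challenge."""
    profile.signatures.add(signature)
    profile.usual_hours.add(hour)

# Constructed sample requests (documentation IP ranges, made-up header values).
UA = "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
HOME = access_signature(UA, "203.0.113.10", 65535, 1460)
HOME_NEW_LEASE = access_signature(UA, "203.0.113.77", 65535, 1460)
KIOSK = access_signature("Mozilla/4.0 (compatible; MSIE 6.0)", "198.51.100.4", 16384, 1380)

if __name__ == "__main__":
    p = Profile()
    print(decide(p, HOME, 9))            # first sighting of this computer
    enroll(p, HOME, 9)                   # customer answered the challenge
    print(decide(p, HOME_NEW_LEASE, 9))  # same computer, new address in the same /24
    print(decide(p, KIOSK, 9))           # different browser and network
```

Every input here is supplied by the client and can be imitated, so a matching signature only lowers friction for a login that has already passed the password check; it does not replace the challenge or out-of-band step.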

Picture Perfect

At PassMark Security, two-factor authentication is a two-way street. The system makes use of the customer’s computer as a second factor, obviating the need to carry around tokens or install software. At the same time, a picture is used to confirm the legitimacy of the banking Web site. “Customers choose a unique picture, and when they access the site, the picture will pop up so they can be sure that they are on the right site. Apart from the picture, all the security features are behind the scenes,” said Steven W. Klebe, vice president, sales and business development at PassMark.

The banking industry is in a classic bell curve when it comes to two-factor authentication, according to Klebe. “In this case, the bell curve’s been compressed. There are still a number of financial institutions that haven’t gone to two-factor authentication,” he said.

Taking the Next Step

There is little question that the FFIEC guidance will have a huge impact on the financial industry, said George Waller, executive vice president at Strikeforce Technologies. “If your bank is not in compliance with the guidance by the end of 2006, you’ll go on a watch list. It’s a very aggressive deadline, only 13 months. But at the same time, consumer confidence is plummeting in doing online transactions. The impact on the financial side is huge,” Waller said.

“We’re agnostic to the authentication method, but partial to using the phone. Using a token with a phone call might work best,” Waller said. All told, Strikeforce offers a choice of 10 authentication devices, including cell phones, PDAs, tokens, and biometric devices. Authentication can be performed via phone by calling a user and having them enter a PIN into the phone, or Strikeforce can turn a PDA or computer into a one-time password generator.

Copyright America’s Community Bankers Dec 2005

Provided by ProQuest Information and Learning Company. All rights reserved.