From simple to complex, financial institutions have a bounty of choices
By Marisa Torrieri, Contributing Editor
What kind of value will a financial institution get for its investment in strong authentication? For FIs, it’s become a burning question, thanks to federal guidance that recommends they boost the strength and security of their online banking systems by the end of 2006. In response, a growing number of tech vendors are rolling out highly sophisticated products.
FIs that seek to increase online banking security or widen their existing range of digital security products are nearly overwhelmed with choices. Recent guidelines by the Federal Financial Institutions Examination Council (FFIEC) suggest a range of options. In the FFIEC report, “Authentication in an Internet Banking Environment,” FIs are urged not only to assess their risks of fraud, but to consider strong-authentication methods such as one-time password generators, PKI-based systems, and smart cards.
Each suggested method comes with advantages and disadvantages, convenience and cost considerations, says Doug Graham, a banking security consultant for BusinessEdge Solutions, Inc.
Some strong authentication offerings aren’t quite as strong as others, he warns. How well a bank prevents fraudulent activity with its authentication system depends on the success of three factors commonly used to authenticate:
- the knowledge factor (something you know, like a password)
- the possession factor (something you have – such as a token)
- the self factor (something you are – such as a fingerprint).
Strong authentication generally combines factors together (e.g. a possession factor plus a knowledge factor) and thus can be considered multi-factor authentication. “Generally speaking the more factors involved, the stronger the security,” Mr. Graham says.
Here are some of the most feasible ways and methods of strong authentication, which analysts suggest banks consider adopting:
Hard token authentication:
This method of strong authentication is based on the use of palm-sized devices known as One-Time-Password generators. Some are time-synchronized, spitting out a new password every 30 to 60 seconds. Others are event-based, and spit out a “tokencode” when the user presses a button or enters a PIN number. The actual hardware device is small enough to carry on a keychain (some are credit-card sized, notes Mr. Graham), but for a number of reasons, they haven’t caught on in the United States. One problem: the lack of a single open standard creates a problem for users with multiple accounts. They don’t want to carry around a bunch of tokens, says Mr. Graham. Additionally, they are still a bit cost-prohibitive ($5-$10 per device), says George Tubin, senior analyst for the Needham, Mass.-based TowerGroup. Some companies are using a pricing model, which lowers the cost to the $2-per-user ballpark, with an additional, ongoing per-usage expense.
For the mobile user, soft tokens are ideal. These are actually the functional equivalent of hard tokens, but run as an application on an existing device such as a PC, PDA, or cell phone, says Stu Vaeth, chief security officer for soft token maker Diversinet. Because of their lower maintenance cost (and lack of hardware cost), they’re a cheaper alternative to hard tokens, he contends. Most “soft tokens” work in relatively the same format with some variation: Diversinet’s MobiSecure soft tokens, for example, generate OTPs on a mobile device such as a cell phone, providing strong two-factor authentication for online transactions. “(It is more secure) since it requires the submission of a dynamic password generated on a separate device held by the user,” adds Mr. Vaeth, “rather than relying only on a static password that can be stolen and re-used to perform fraudulent transactions.”
Public Key Infrastructure (PKI):
Because it enables mutual authentication (between the client and the server) PKI technology is the “killer app” of strong-authentication, says BusinessEdge’s Graham. The technology, defined by online encyclopedia Wikipedia as “an arrangement which provides for third-party vetting of, and vouching for, user identities (via keys contained) in certificates.” But, PKI can be challenging and costly to implement. To use the technology, a computer network must be equipped with smart card readers that can mutually authenticate information, says Mr. Graham. Implementation costs for the required infrastructure – certificate authorities, smart cards, and readers – have traditionally been prohibitive for many organizations. The good news: the technology is ready to go, card costs are dropping, and readers are being standardized in some laptops, says Mr. Graham.
Biometric authentication refers to technologies that measure and analyze human physical and behavioral characteristics for authentication purposes. Examples of physical characteristics include fingerprints, retinas, facial patterns, hand geometry, and voice. Biometrics is a favored authentication method, but it is not feasible for all bank customers, because it requires the use of readers or scanners to verify the biometric template. “Retinal scanners are great, but it will be a long time before I have a retinal scanner on my computer,” Mr. Graham says. An exception to this, he suggests, is voice authentication. “Voice is good because it is effective and doesn’t require consumers to use any additional hardware,” Mr. Tubin adds. “Everybody has a telephone.”
Risk-based authentication technologies:
These technologies are “a cost-effective, low-impact alternative to hardware-based ID tokens,” says Tower Group’s Tubin, in a report comparing different security applications. In his report, “No More Straw Houses: The Feds Issue Guidance on Online Authentication,” Mr. Tubin praises risk-based authentication systems because they are invisible … requiring no behavioral changes, software downloads, hardware devices or multi-step login procedures. When a user goes to log into a bank session online, they are accepted based on perceived risk and a series of observations (such as their location, computer terminal or time of login). Bank of America uses this type of risk-based solution for its SiteKey application developed by PassMark Security, Mr. Tubin points out. As with most solutions, price is based on a number of factors, such as the number of users and licensing agreements. It might work out to $1 per user, says Mr. Tubin, and decrease to 60 cents per user transaction once a bank has passed a given user threshold (i.e., 500,000).
Simple Challenge Questions:
Want to strengthen online authentication as inexpensively as possible? Start using basic challenge questions (pre-answered, non-standard questions such as “what was your favorite teacher’s last name?”, or “what color was your first car?”). This can be the cheapest means to strengthen security and can be initiated by a bank’s in-house IT department. Some banks are doing this as a bare minimum, says Mr. Tubin. But, the method provides only slight protection beyond a username and password methodology, and can annoy customers if they have to answer a challenge question every time they log into their account. Furthermore, “it’s something that could be phished easily” using keyboard loggers or spyware, he adds.
Look before you leap
No matter what their size, and whether they’re working independently or with software providers, financial institutions that want to implement a multi-factor, strong authentication solution should keep abreast of industry progress.
In 2006, huge strides are being made to create open frameworks for strong authentication, and so a greater range of products will be interoperable. The Initiative for Open Authentication (OATH) and the Liberty Alliance, just two groups on the forefront of such developments, have already produced open specifications they hope to expand.
Mr. Tubin suggests banks pursue the tried-and-true method of vetting by seeking references and working with trusted technology providers. Most major players in the strong-authentication space offer pilot programs, and will work with financial institutions to install software or hardware and test it before implementation, he says.