Inconvenience of two-factor security pushes banks to "single factor plus" for online banking

Inconvenience of two-factor security pushes banks to "single factor plus" for online banking

Summary: For the nation's banking industry, the clock is ticking.  By Dec 31, banks and financial institutions had better move to something more than just user ID and password-level security (known as single-factor authentication) to grant customers online access to their bank accounts or else.

TOPICS: Security

For the nation's banking industry, the clock is ticking.  By Dec 31, banks and financial institutions had better move to something more than just user ID and password-level security (known as single-factor authentication) to grant customers online access to their bank accounts or else. Or else what? Well, or else nothing. Last October, with the nation's online banking infrastructure under severe attack from phishers and other identity thieves, the Federal Financial Institutions Examination Council (the FFIEC) issued stern guidance to American banks to bring the security of their Web sites up to snuff by December 31st of this year.  The FFIEC's guidelines detail the benefits of moving from single-factor security (a form of security based only on "what you know") to multi-factor security (involves "what you have" such as an ATM card or "who you are" based on biometrics) but falls short of making multifactor security a requirement to satisfy by the end of 2006. Instead, the guideline concludes:

Financial institutions offering Internet-based products and services should have reliable and secure methods to authenticate their customers. The level of authentication used by the financial institution should be appropriate to the risks associated with those products and services. Financial institutions should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties.

In other words, multifactor authentication is on the list of ways to address the problem, but it's not required. The implication is that, whereas authentication was previously carved up into just one,two, and three factors, now, there's someting like a 1b.  It's stronger than single-factor security, but not quite multi-factor security.

stephanielewis.jpgWhy not move to multifactor security in earnest? It's too inconvenient. Not just for the customers of banks who would be forced to use a new security token or some biometric device with their computers, but also for the banks that would very likely end up in a customer support nightmare as a result of trying to roll out such solutions into environments that are far less predictable than the browser-based solutions in place today.  At least that was the conclusion of Stephanie Lewis (photo, left), an industry analyst with Jack Henry and Associates. During my recent visit to RSA Security's usability lab, Lewis was on-hand to talk about how Jack Henry views online banking security.  Jack Henry develops and hosts an online banking solution that's used by more than 1100 financial institutions, many of which are community banks and credit unions.

In many ways, the banking industry is a victim of its own success when it comes to the two-factor security that's a part of all ATM machines. The allure of being able to get cash out of our bank accounts at any time and at just about any place was and still is too strong for it not to be worth the inconvenience of carrying around what amounted to one more credit card (the ATM card) in our wallets. In fact, it was hardly inconvenient at all. So, whatever the banking industry comes up with in terms of equivalent security for online banking had better be no more inconvenient. Unfortuantely however, ATM cards don't work in our computers.  There isn't a place to insert them. We could add a device known as a card reader to our computers by way of our systems' USB ports, but, forgetting for a minute the support nightmare that could create, what must banks' customers do if they end up banking from friends' computers or kiosks at airport terminals? Bring the card readers with them everywhere they go? What if the system has no available USB ports?  What if it's a smartphone? You see? Already, the simplicity is spiraling into complexity.

Another approach might be to issue a different kind of security token for online banking. For example, RSA makes small SecurID tokens that you can hang on your keychain.  The tokens generate a new random number every sixty seconds, and, as long as you have it with you and you put that random number into your bank's login screen when attempting to engage in online banking, you're in (the bank has security solutions behind its firewall that generate matching strings of numbers on the same 60-second intervals, just for you). But there are a few problems with this approach too. Now, in addition to your ATM card, you have to carry yet another token around with you. For most people, that's asking a lot.  And, what if they get lost or you leave it behind when you go somewhere.  Then, you're stuck, locked out of your bank's Web site with no recourse except to find your token, or have it replaced (in quantity, RSA's SecurID tokens cost about $15 each).

chrisyoung.jpgSo, for banks, and their solution providers like RSA, the trick has been to come up with "1b" or "single factor+" solutions: solutions that primarily rely on what you know, but that also emulate, to the extent that they can, what you have (the 2nd factor in true multifactor security). For example, in my podcast interview of RSA's senior vp of customer solutions Christopher Young, I heard about how RSA's solutions use certain techniques involving cookies and IP address that essentially turn your computer into a security token.  For example, one approach is to use cookies, IP addresses and other information (such as last login time) to establish a degree of confidence that a person attempting to access an account is who they say they are.  Young describes a usage case where, if you routinely use the same computer, RSA's solutions can detect that and, in the process, lower the barrier to entry.  But, if you log in from a new system, you may be challenged to enter more information that only you would know before being authenticated. 

The podcast interview, which is of both Young and Lewis is accessible via streaming or by download using the player at the top of this blog entry. Or if you're subscribed to ZDNet's IT Matters series of podcasts, it'll show up automatically in your media player and/or your portable MP3 player (if you have it configured that way).

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I'll bet RSA could design........

    a secureid tag the size of a credit card which would
    run for a year. Also, any programmable device could have a certificate installed to authenticate the login. However, windows would need to be updated to simplify the certificate installation/use process.
    • They already have...

      They already have a credit card-sized token here:

      There are already tokens based on USB-keyfobs - RedHat is pushing such an approach for 2-factor authentication...
    • Been around for awhile

      Work was done in the mid-90's in regards to multi-level authentication for the purpose of creating online payments on the Internet, making use of digital certificates and PKI (public key infrastructure). The payment platforms that came out of this work were largely ignored by the biggest banks, and therefore the banking industry, preferring to maintain the aging ACH infrastructure, which they control. However, this same technology could have easily been used as a method of customer authentication for online banking. Why wasn't it? Primarily because of fears that it wasn't "convenient".
  • Protected by UseMyBank

    UseMyBank was the first company in the world to faciliate "Instant Online Debit Payments" back in 2002 with a good funds model of 99.9999%.

    UseMyBank Services Joins NACHA Internet Council.,

    Brian Crozier
    VP Business Development
  • They're not gonna do it

    Banks are notorious for their sloppy handling of their customers' money - and they're not likely to use multi-level security or anything else that they find inconvenient. Most likely, they'll come up with some bogus "solution" like they did back in the 1980's when examiners required them to have backup plans for their data centers. (The "solution" was phony 'reciprocal agreements' that were very unlikely to be viable, but the examimers let them off the hook for over a decade).

    Our previous bank, CNB in Waxahachie TX, still refuses to refund funds that they deducted from our business account when they received ACH transactions from AOL - although the transactions had an unknown person's name associated with them. Seems that we didn't notify the bank "in time" so we're S.O.L. That same bank charged my daughter with several hundred dollars in fees due to their sloppy overdraft policies (they decided to allow overdrafts, while charging outrageous fees - they didn't notify her of this change, but the usual "S.O.L." applies here as well.

    The banking system in the U.S. is out of control, and only when consumers demand legislation to hold them accountable will we be able to trust that these institutions are actually good stewards of our money.
  • Single Factor Plus Plus

    [Full disclosure: this comment refers to technology developed and marketed by my company. However, I think that you will find that we have a serious contribution to make to the strong authentication debate.]
    There is another very unique authentication technology that you should be aware of. It is based on peoples' innate ability to recognize familiar faces and has characteristics from two conventional authentication classes: knowledge factors and biometrics. I leave you to judge whether it qualifies as a new class of authentication (we call it a cognometric or recognition-based authentication) and as a true second factor or as single factor plus. Please check it out at
  • Too much fuss

    The solution is simple: the bank sends an email to the user's registered email address to obtain authorization for the requested transaction.

    Give the confirmation notice an expiration period and request some random piece of registered info to increase the security of the email in case the account holder's computer system were to fall into the wrong hands and automatic logon was enabled. Broadcast the receipt of the confirmation to the user's other registered email account(s) or telephone number(s) so, even if the bad guy made it through the site confirmation and email authorization, the user could still be able to mitigate loss.