Amid increasing pressure to protect customers online, some of the largest global banks are turning to out-of-band authentication -- a method of verifying a user's identity using a channel other than the one being used to facilitate the transaction -- to fortify their Web banking services. Bank of America (Charlotte, N.C.; $1.3 trillion in assets) is rolling out a solution that enlists customers' mobile phones to facilitate authentication, while London-based HSBC ($2.15 trillion in assets) is investigating a similar out-of-band authentication solution.
Some experts contend that out-of-band authentication represents true multifactor authentication as mandated by the Federal Financial Institutions Examination Council, though the FFIEC does not recommend any particular technology. Experts say current, prevalent authentication methods -- such as Bank of America's SiteKey, which uses an image, a brief phrase and challenge questions for mutual authentication -- are not doing enough to combat phishing and identity theft. They note that with out-of-band authentication, especially via a mobile phone, even if a criminal has stolen a consumer's account number and password, there is little chance the perpetrator has access to the consumer's cell phone as well.
To enhance online security, Bank of America introduced SafePass. To register for the out-of-band authentication service, customers simply add their mobile phone numbers to the accounts overview section on Bank of America's Web site. When a customer initiates certain online transactions, the user will be prompted to enter a six-digit code, which is sent via text message to the user's mobile phone. The code is required for transactions such as money transfers for amounts greater than current limits, adding new bill pay payees or adding new accounts for online transfers. The code expires within 10 minutes of being issued or immediately after it is used.
According to Betty Riess, spokeswoman for Bank of America, customers will continue to use SiteKey in addition to SafePass. "We would expect higher adoption [of SafePass] among customers who are very security-conscious and who desire to transact higher dollar transfers than currently permitted."
What's in Your Wallet?
The bank also is developing a separate SafePass method that utilizes a wallet-size card. "The card option is initially available to the bank's online brokerage clients this year and won't be available to consumers until some time next year," Riess says. "For consumers and small-business customers, ... SafePass is now available via cell phone."
Meanwhile, HSBC is investigating its own mobile-based out-of-band authentication system for online banking. HSBC's system, however, delivers codes via a voice call rather than a text message. HSBC already uses token-based authentication provided by Vasco (Zurich-Flughafen, Switzerland) for its U.K. corporate customers.
According to a survey conducted by RSA (Bedford, Mass.), the security division of EMC, and released in January, 91 percent of respondents said they were willing to start using a new authentication method beyond the standard user name and password if banks were to offer it. Seventy-three percent said they would like their bank to start using risk-based authentication, which includes out-of-band authentication.