The FFIEC's October guidance on authentication in electronic banking calls for banks to strengthen, by the end of 2006, their security measures for online transactions and for access to sensitive information. But the guidance stops short of recommending any specific solution. Instead, it surveys a range of possible security measures and leaves it to each bank to decide which ones to adopt.
The suggested techniques include shared secrets, USB tokens, smart cards, password-generating tokens, biometrics and out-of-band authentication. While implementations of virtually all of these technologies can be found somewhere in the world, U.S.-based financial institutions have been slow to adopt authentication technologies that require the user to carry a physical device. "Most authentication solutions are onerous," says Steve Klebe, vice president of sales and business development, PassMark Security (Menlo Park, Calif.). "Most were designed for corporate environments where you can force somebody to do whatever it is you want them to do."
For example, with customers having to authenticate with many different providers, the prospect of separate hardware "tokens" for each provider is a daunting one. "Here, we're talking about customers who have lots of choices," adds Klebe. "The average consumer's not going to want to carry around a pocket full of tokens."
Watching the Transactions
Thus, banks have gravitated towards passive, server-side modes of defense. One approach uses Web development techniques such as "secure first-party cookies" and "Flash shared objects" to put a device ID on customers' PCs. This technique, known as "Internet Protocol Address Location," or "IP Intelligence," is being adopted by many vendors, including PassMark. With it, the computer itself, rather than a separate device such as a token or smart card, becomes the second factor for authentication. "We validate the presence of the device ID through forensic analysis on the machine and the network," explains Klebe.
Then, factoring in the behavior of the user, the PassMark system calculates a real-time risk score for each login. "The financial institution gets to decide whether they want to let the person in, or do supplementary authentication, [e.g.] ask them an additional challenge question," says Klebe.
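The login decision described above, as an added illustration that is not PassMark's code: a device ID read back from the customer's machine acts as the second factor, behavioral signals adjust a risk score, and the bank's policy maps the score to allow, challenge question or out-of-band verification. The user profile, signal weights and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LoginAttempt:
    user: str
    device_id: Optional[str]  # value read back from the cookie / shared object; None if absent
    ip_country: str           # country derived from the client IP address
    hour_utc: int             # hour of the login attempt
    amount_requested: float = 0.0  # transaction value, 0 for a plain login

# Constructed profile store: devices and locations the bank has seen before for each user.
PROFILES = {
    "alice": {"devices": {"dev-a1"}, "countries": {"US"}, "usual_hours": range(7, 23)},
}

def risk_score(attempt: LoginAttempt, profiles=PROFILES) -> int:
    """Return a 0-100 risk score; higher is more suspicious. Weights are illustrative."""
    profile = profiles.get(attempt.user)
    if profile is None:
        return 100  # unknown user: treat as maximum risk
    score = 0
    if attempt.device_id not in profile["devices"]:
        score += 50  # device ID missing or never seen: the second factor is absent
    if attempt.ip_country not in profile["countries"]:
        score += 30  # login from a country not previously observed for this user
    if attempt.hour_utc not in profile["usual_hours"]:
        score += 10  # outside the user's normal hours
    if attempt.amount_requested > 5000:
        score += 20  # high-value transaction raises the stakes of a wrong decision
    return min(score, 100)

def decide(attempt: LoginAttempt, profiles=PROFILES) -> str:
    """Map the score to the three outcomes the article lists; thresholds are bank policy."""
    score = risk_score(attempt, profiles)
    if score < 30:
        return "allow"
    if score < 80:
        return "challenge"    # supplementary authentication, e.g. a challenge question
    return "out_of_band"      # e.g. a phone call before the transaction proceeds
```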
PassMark also uses the phone as a method of verifying that the person initiating a suspicious transaction is the rightful owner of the account. "We don't believe it would be practical to call out to someone's telephone every time they log into an ordinary online banking session," notes Klebe. "We only do it [when we have] a transaction that looks suspicious."
From Flash to Chip
Nevertheless, other vendors have found the phone to be an extremely practical authentication method. Using SMS messaging, banks can generate one-time passwords valid only for a single banking session, and have them sent directly to a mobile device as part of the login process. Alternatively, smart cards, USB tokens or dedicated-use tokens can also act as the source for one-time passwords. To that end, Diversinet (Toronto), which is currently in the pilot phase of a rollout with a Canadian bank, has announced partnerships with manufacturers Gemplus and Sandisk. "Rather than having a separate hardware token you're carrying around, you use your mobile phone or PDA as your strong authentication token," suggests Stu Vaeth, chief security officer, Diversinet. "It's not another device, but a software client on your phone."
"The trick there is just making it work on a whole range of clients," adds Vaeth.
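The session-bound SMS one-time password described above, as an added example that is not Diversinet's or any vendor's code. It assumes an out-of-band delivery channel exists (the returned code is what the SMS gateway would send) and shows the properties that make the code safe to use as a login factor: tied to one session, expiring, single-use, and consumed on any verification attempt so a wrong guess cannot be retried.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300  # code lifetime; constructed value for the example

class SessionOtpStore:
    """Issues one-time passwords tied to a login session; each code is single-use and expires."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested deterministically
        self._pending = {}         # session_id -> (code, expires_at)

    def issue(self, session_id: str) -> str:
        # secrets.randbelow gives a CSPRNG-backed code, zero-padded to OTP_DIGITS.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = (code, self._now() + OTP_TTL_SECONDS)
        return code  # delivered over SMS; never echoed back to the browser session

    def verify(self, session_id: str, submitted: str) -> bool:
        # Consume the entry whatever the outcome: one attempt per issued code.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False            # no code issued for this session, or already consumed
        code, expires_at = entry
        if self._now() > expires_at:
            return False            # expired codes are rejected even if they match
        return hmac.compare_digest(code, submitted)  # constant-time comparison
```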
Indeed, in the foreseeable future, a password-generating application may reside on a flash-memory card that can be plugged into several interoperable devices, Vaeth predicts. But flash memory, which essentially is just a storage medium containing an encrypted file, may well be superseded by IC-based smart cards incorporating not only encrypted storage, but also a miniature CPU that can provide stronger defense against hackers.
One firm advocating the smart card approach is Axalto (Austin, Texas), which uses smart card technology as part of several form factors for authentication devices: PC-based card readers; handheld card readers; USB devices; one-time-password display devices; and mobile phone applets. "One device may not fit all needs," says Francois Lasnier, vice president of banking for Axalto. "If we deploy the same devices to all customers without asking [them] how they want to do two-factor authentication, it may not be the best play."
From a security standpoint, the smart card solution seems to be good enough for the government. Axalto has been providing 6.5 million smart cards to the U.S. Department of Defense, and has also worked with blue-chips including Microsoft and the oil majors. Indeed, in the company's internal deployment of smart cards, Axalto employees cannot access e-mail without using a smart card. "Initially, the reaction is negative for the first few months," relates Lasnier. "After that, people go beyond accepting it, and realize the security they derive out of it. It becomes a normal, natural process to use the technology."
The question remains, though, as to whether the U.S. consumer will accept the tradeoff. In other countries, they have. "There's a feeling that people will not understand the technology, or will have a tough time adopting it," says Lasnier. "We are not seeing that – there are a lot of cases of consumer deployment happening in Europe, U.K. and Switzerland."
"The customer reaction to that is very positive," he adds.