Organizations around the world, particularly those with large, online consumer user communities such as banks, brokers and retailers, are under relentless attack by global identity thieves. Unfortunately, given the wide-scale vulnerability and speed with which these thefts can occur and be exploited, online identity theft in banking poses a huge risk for the banking system as a whole and is eroding consumer faith and trust.
Banking regulators have recognized this growing problem and as a result are increasing the pressure on banking organizations to take appropriate action. For example, in October of 2005 the Federal Financial Institutions Examination Council (FFIEC) issued guidance titled "Authentication in an Internet Banking Environment." The FFIEC guidance directs banking organizations to make risk assessments and to use "stronger" authentication, where appropriate, to make it harder for the thieves to either get access to consumer accounts or take advantage of this access once they are "given" it.
Strong authentication is not a new topic in the financial services industry. In fact, most financial organizations have been using some form of strong authentication for years, mostly with employees and business customers. However, strong authentication for consumer banking has many difficult challenges which include the potential scale of the deployments, the uncertainty of acceptance by consumers, and, of course, the cost of deployment and management.
Fortunately, and unfortunately, there is no shortage of strong authentication approaches and vendor offerings from which to choose, ranging from one-time password systems to risk-based authentication schemes and transaction anomaly detection systems that require little or no involvement of the user. Other authentication technologies that are often considered in multiple forms are smart cards, biometrics and grid cards.
What seems clear is that no single strong authentication approach is yet emerging as the winner in the global banking industry. However, most banking institutions appear to be deep into the investigative mode and early deployment stages. The tradeoffs of total cost of ownership, user convenience and acceptance, and strength and effectiveness, along with the vast number of technically viable authentication options on the market, are making the selection process tricky.
A key element of a strong authentication initiative--where consumer-issued credentials are part of the solution--is the management and integration of the credentials themselves. For example, organizations that issue devices such as tokens or smartcards to their consumers will need to manage distribution of the right devices to the right people, procedures for handling lost or broken devices, how they will enable access to the applications, and how they will expire the devices when the users' access entitlements are no longer appropriate. This is where the link between strong authentication and identity and access management (IAM) systems becomes clear.
IAM systems provide automated management of user identities and their credentials to enable centralized control of user access to applications. These capabilities are critically important to support the rollout and management of strong authentication systems, particularly when done for large user communities where manual administration and custom integration is not economically viable. Just as users and their ever changing relationships with an organization must be managed, so do the strong authentication credentials associated with those users. In addition, the targeted applications need to be enabled to accept these strong authentication credentials. IAM systems, particularly those that provide broad support for environments from the Web to the mainframe, can enable organizations to automate and ease these potentially cumbersome processes.
While there is no "one size fits all" approach when it comes to leveraging stronger forms of authentication, this article has touched on a few of the areas that companies must consider as they move beyond passwords. This shift will help positively influence consumer confidence in online banking, but at the same time will introduce new costs and complexities for IT if not managed properly. In order to minimize these management challenges companies must implement their strong authentication initiatives as a cohesive part of their enterprise identity and access management strategy. Only then will strong authentication become your friend.
Matthew Gardiner is Senior Product Marketing Manager for Identity and Access Management Solutions at CA. CA provides a free white paper entitled, "FFIEC Compliance: The CA Solution" which can be accessed at www.ca.com.
On The Net