Watchfire GomezPro -- Online User Authentication: Verifying the New User

Phishing attacks and other efforts to steal user names and passwords generate a lot of attention and banks must balance ease of use with security needs as they weigh two-factor authentication and other means to strengthen log-in security. But banks also must pay attention to what happens before a customer becomes a regular online user. Namely, banks need to ensure the way customers register for online access in the first place protects the bank and the customer while, proving not so hard to use that the customer ultimately gives up on the online channel. This article will focus on four priority areas to which banks and other financial services providers (FSPs) must pay attention during the online registration process: registration codes, authentication sequence, error messaging and failure lockout mechanisms.

We'll begin with registration codes, which come in many shapes and sizes. While the industry standard is to allow immediate access, a handful of firms still require users registering online to go through a multistage authentication process that requires the offline step of waiting for a registration code (e.g. initial credentials) to arrive by mail to the address on record.

A best practice in registration is to establish a registration code at the point of account opening. This code verifies user identity. Citicards is one FSP that uses in its registration process a registration code set by the customer when applying for an account. Short of a registration code, however, the FSP requires the user to enter multiple pieces of personal or account information, such as ZIP code, account number, Social Security number (SSN) and date of birth. Firms asking for such information should be careful not to rely on personal information that can be stolen or intercepted from a mailbox.

It's not just the registration code or other information required for registration that matters, but the sequence the site follows in asking for this information. Most FSPs today employ a multipage authentication sequence to defend against brute force attack programs that mount repeated attempts to crack the security of the registration process. In general, a properly designed authentication sequence requires customers to pass one layer of authentication before learning what additional information will be required to gain access to the secure site.

When implementing a multipage initial authentication sequence, FSPs must be careful that they do not allow the application to act as a tool for fraudsters to gather information about their customers. This concern raises an issue about error messaging. Ideally, a multipage registration process requires the user to correctly enter at least two pieces of verifiable personal information on the first page, which, despite the cost to user experience, relies on error messaging that does not indicate which piece of personal information was entered incorrectly.

Take for example a larger auto insurer that asks only for a policy number on the first page of its registration process. A user can enter random policy numbers at will until generating a page that asks for an SSN rather than a page reporting an error with the policy number. The fraudster, at this point, has one piece of information in his pocket for future use. This attack reveals a danger hidden in some registration processes: An attacker can steal information without successfully registering.

This kind of attempt could be stalled by a well-designed lockout measure prohibiting future attempts after a given number of failed attempts. While the aforementioned insurance carrier does inform users that they must call customer service after four failed attempts, the user is still able to return to the homepage for additional attempts, thereby continuing the process of accumulating policy numbers simply by trial and error.

Fidelity is another example of an FSP that requires only one piece of information on the initial page. In Fidelity's case, the information is the customer's SSN. However, Fidelity's approach to flagging errors differs. Fidelity allows the user to reach the second page regardless of whether the user enters a valid SSN. Only if the totality of the information entered on the first two pages contains an error does Fidelity then return an error alert. In this way, Fidelity does not indicate whether the entered SSN matches that of a Fidelity customer.

Though user error can result in multiple failed registration attempts, so can a brute force attack involving repeated attempts to crack the registration process. FSPs typically respond to this threat by implementing lockout procedures. These lockout procedures require the customer to call customer service, and the strategy can be costly for the FSP and inconvenient for the user. A more intelligent approach may include an exponential lockout mechanism that allows the user to retry the process after a set period of time that increases with each successive failure. The user is spared convenience, the FSP saves money and any brute force program will still stall out -- after five or 10 failed attempts, each successive failed attempt will result in hours or even days of lockout.

The online registration process is an area of significant concern for FSPs that want to increase adoption rates and encourage use of online services that lower customer service costs, and increase adoption and customer loyalty. Any security measure that negatively affects online registration completion rates is a poor foundation on which to build an online relationship with customers. At the same time, the relationship cost of allowing a professional or known-party fraudster to access the account is significant. By focusing on the four aspects of online registration we've reviewed here, many FSPs have an opportunity to improve the security of their online registration processes in a way that continues to promote adoption and usage of the online channel.

Tim Carpenter is an industry analyst with Watchfire GómezPro. Danny Allan is a security analyst with Watchfire in Waltham, Mass.