Strong Authentication for Online Banking: Success Factors

Banks are finally moving past user name and password, but the new strong authentication is not what anyone expected

Page 2 of 2

The question is whether this set of technologies actually puts banks in compliance with the new FFIEC regs. The guidance requires that strong authentication be in place before allowing access to any personal information. That's because if a fraudster is able to access someone's checking account—including all his payment history and images of endorsed checks—protecting that single session from fraud may be beside the point. The fraudster may have something else in mind, like forging checks.

All of which puts banks in a tricky spot. "If you were a big bank weighing all this, would you want to put up an iron wall, or keep your customers' lives convenient and not worry about read-only access that won't take money away from you but might show up somewhere else?" Gartner's Litan asks. "Banks don't absorb the losses directly if someone is just reading information. They don't have as much of an incentive to fix that."

From a regulatory perspective, the FFIEC indicates that examiners will look at all of what banks have implemented, regardless of whether it falls squarely into the "authentication" bucket.

"The intent is to [have banks] secure those channels a lot more than they have in the past," says Michael Jackson, chairman of the FFIEC IT subcommittee that drafted the guidance on strong authentication. "We'll look at all the security layers they have and make a decision at that point."

For better or worse, it's those regulatory drivers that are the force behind the year's long-anticipated move beyond user name and password. Banks that are ahead of the curve say they are benefiting. At Wells Fargo, executive VP Smith says, "It's definitely having an effect; it's driving fraud cases down and fraud losses down."

In a best-case scenario, the FFIEC's guidance on two-factor authentication will not so much provide wiggle room that offers an easy path to compliance as offer flexibility that lets banks adapt as threats and technologies change.

Just consider E-Trade Financial, the one national consumer brokerage and bank that has rolled out two-factor authentication—but as an option, which means the tokens don't count toward the FFIEC guidance (which the company says it already has covered through authentication layers, again provided by RSA services). In New York City, CIO and Managing Director Greg Framke says he's pleased with the reception that his one-time password tokens are getting and is confident of their business value.

"Customers who have a token feel safer doing business with us over the Internet, and they also feel more inclined to provide us assets," says Framke, noting that customers who opted to use the tokens currently hold more than $7 billion in assets with E-Trade. But he also acknowledges that long term, the tokens actually might not be worth the bother for banks or for their customers.

"As the [fraud] monitoring solutions get more sophisticated, those solutions might one day provide enough authentication that you won't need a token," Framke says. "We're not there today."

Copyright © 2006 IDG Communications, Inc.
