


by Paul Kerstein

BofA Hits Authentication Delay

Oct 21, 2005, 3 mins
CSO and CISO, Data and Information Security

The Bank of America Corp.’s (BofA) rollout of a stronger user authentication technology has hit a snag and is now expected to be completed in the early part of 2006, several months later than originally planned.

The Charlotte, North Carolina, bank had expected to make a new authentication service, called SiteKey, mandatory for all of the bank’s 14.3 million online banking customers sometime this month, but that date has now been pushed back to early 2006, according to Betty Riess, a spokeswoman for BofA. “We’ve made some adjustments in terms of the rollout schedule,” Riess said.

She declined to comment on what exactly had caused the delay, saying only that “sometimes when you get to actually doing the implementation, you make adjustments.”

Still, a large number of BofA’s U.S. customers are already using SiteKey. The system presently is in use in the Southeast, Midwest, and Southwest, and is expected to be in use in California, the Northeast and Northwest by year’s end, Riess said. Most customers will be forced to adopt the system by year’s end, with the final two states, Washington and Idaho, going online in early 2006.

Based on software developed by Menlo Park, California’s PassMark Security Inc., SiteKey is able to recognize when a Bank of America account is being accessed via an unknown computer. It can then generate a predetermined “challenge” question, adding another level of security to the process of logging in. The software also lets users choose a specific image (a photograph of a dog, for example) that can then be re-shown to users in order to reassure them that they are actually visiting the Bank of America Web site, and not some other site masquerading as

The SiteKey rollout may put BofA ahead of the curve on new federal regulations, which are due to take effect next year.

Last week, the Federal Financial Institutions Examination Council (FFIEC) released guidelines calling for U.S. banks to use a stronger form of authentication than the username and password logins typically used for online banking today. The guidelines call for Internet bankers to add a new form of authentication to their online banking systems by the end of 2006. They do not spell out exactly what this technique must be, leaving banks some leeway to develop their own approaches to stronger authentication.

Though Riess declined to comment on whether or not BofA’s system met these requirements, PassMark believes that its software qualifies, according to Mark Goines, PassMark’s chief marketing officer.

In addition to BofA, PassMark’s software is being used by Stanford Federal Credit Union, in Palo Alto, California, Goines said. Online brokerage Scottrade, Inc. is also in the process of rolling out the software, he added.

By Robert McMillan – IDG News Service (San Francisco Bureau)