Home » Identity & Access » Access Control

In Depth

Strong Authentication for Online Banking: Success Factors

Banks are finally moving past user name and password, but the new strong authentication is not what anyone expected

By Sarah D. Scalet

November 01, 2006 — CSO — Like a lot of people, Washington Mutual's Dave Cullinane thought the time finally might be ripe for retail banking customers to start logging on by using tokens or other hardware-based authentication.

Regulators have given banks until the year's end to strengthen sign-on beyond user name and password—that woefully inadequate control that phishers have been bilking for years. If fraud losses weren't enough of a business driver, maybe the U.S. Federal Financial Institutions Examination Council (FFIEC) regs would be. And surely at least Washington Mutual's technically sophisticated home crowd in Seattle would be happy to dangle a dongle from their key chains.

But the idea went over about as well as decaf in the cockpit of a 6 a.m. flight to San Jose. More than 90 percent of the participants in several focus groups said they didn't want to use a token to access accounts online or by phone.

"The response we got was, 'Don't tell me I have to carry something to get access to my money. It's your job to protect my money, and if you don't do your job I'll find someone who will,'" says Cullinane, who is CISO of Washington Mutual, the nation's largest savings bank. "It was rather startling to get that from them."

From coast to coast, focus groups conducted by U.S. banks large and small must have said the same

thing. While tokens have long been used by commercial banking customers, an anticipated roll-out of hardware-based authentication to consumers has largely failed to materialize. Why? Customers say they don't want to bother; and customers, as legend has it, are always right.

Instead, to comply with new banking regulations and stem phishing losses, banks and the vendors who serve them are hurriedly putting together multipronged strategies that they say amount to "strong" authentication. The emerging approach generally consists of somehow recognizing a customer's computer, asking additional challenge questions for risky behavior and putting in place back-end fraud detection. But whether these layers of security combine to create something better—or worse—than traditional two-factor authentication is still anyone's guess

"I wouldn't discount anything because we're in that evolutionary stage when it comes to two-factor authentication," says Howard Schmidt, former White House adviser on cybersecurity and a longtime

proponent of tokens. "All these [emerging authentication methods] have the potential of raising the fence to keep out fraudsters. The proof will be once these things are fully vetted. That's what will separate the novel solutions from those that do a lot to enhance long-term security."