In Depth
Strong Authentication for Online Banking: Success Factors
Banks are finally moving past user name and password, but the new strong authentication is not what anyone expected
By Sarah D. Scalet
In the meantime, what changes are online banking customers likely to see? Not a whole lot. And for the banks, that's precisely the point. If they don't make it easy for their customers to do online banking, their competitors surely will. Explains Jim Smith, executive vice president of Wells Fargo's Internet Channel and Products: "What we're trying to do is not get in the way of the customer experience."
A Layered Approach
A year ago in October, the FFIEC released new guidelines requiring banks to enhance online and telephone authentication by the end of 2006. At first, the FFIEC guidance was widely expected to usher in a new era of two-factor authentication for online consumer banking. On closer inspection, though, observers noted that it actually prescribes "multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks" in cases where single-factor authentication is not enough. Analyzing the specifics of the guidance in these pages, CSO Senior Editor Scott Berinato wrote, "That's enough wiggle room for a conga line." (For more on the FFIEC guidance, see Second Thoughts on Second Factors.)
The conga line is now in full swing, and to understand the direction it is headed, just take a glance onto the dance floor of Zions Bancorporation, a fast-growing regional bank based in Salt Lake City that had 2005 revenue of $2.35 billion. There, Senior VP and CISO Preston Wood is overseeing a technology deployment that a year ago would have been considered groundbreaking, but that now has become a typical approach for a Fortune 1000 bank.
Wood is rolling out several elements of an RSA suite called Adaptive Authentication—none of which is the vendor's signature SecurID token:
1) Device authentication. The first time a banking customer logs on, Zionsbank.com places a small cookie or Macromedia Flash object (similar to a cookie but stored in a different place on the hard drive) on his computing device. The site also records details of the computer, from its IP address to the type of browser used to the time-zone setting. Then, each subsequent time the customer logs on, the website matches these details against what it has on record.
2) Mutual authentication. The customer also picks an image that he will use to authenticate the site. When Zionsbank recognizes his computer, the image appears, giving the customer some measure of assurance that he is not at a spoof site. This method was pioneered last year by the Bank of America.
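The two steps above can be sketched in a few lines of Python. This is an added example, not code from RSA, Zions or the article; the signed-cookie format, the rule that browser and time zone must match while the IP address may change, the "step_up" fallback and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed server-side secret for signing cookies
STABLE = ("browser", "timezone")       # assumed policy: these must match; IP may change
ENROLLED = {}                          # customer -> device record (stands in for a database)

def _sign(customer, device_id):
    msg = f"{customer}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def enroll(customer, profile, image):
    """First logon: record the device details, return the cookie value to set."""
    device_id = secrets.token_hex(16)
    ENROLLED[customer] = {"device_id": device_id, "profile": dict(profile), "image": image}
    return f"{device_id}.{_sign(customer, device_id)}"

def check_login(customer, cookie, profile):
    """Later logon: return (decision, image); the image goes only to a recognized device."""
    rec = ENROLLED.get(customer)
    device_id, _, sig = (cookie or "").partition(".")
    if rec is None or not hmac.compare_digest(sig.encode(), _sign(customer, device_id).encode()):
        return ("step_up", None)       # no record, missing cookie, or altered cookie
    if device_id != rec["device_id"]:
        return ("step_up", None)       # validly signed cookie, but not the device on record
    if any(profile.get(k) != rec["profile"].get(k) for k in STABLE):
        return ("step_up", None)       # browser or time zone differs from what is on record
    return ("recognized", rec["image"])

if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, invented image name).
    seen = {"ip": "203.0.113.7", "browser": "Firefox/1.5", "timezone": "UTC-7"}
    cookie = enroll("alice", seen, "red-bicycle.png")
    print(check_login("alice", cookie, seen))
    print(check_login("alice", cookie, dict(seen, ip="198.51.100.9")))
    print(check_login("alice", None, seen))
```

Because the image is returned only on the "recognized" path, a logon from an unknown device never reveals it, which is what ties the customer's check of the site to the site's check of the device.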



