In Depth

Strong Authentication for Online Banking: Success Factors

Banks are finally moving past user name and password, but the new strong authentication is not what anyone expected

By Sarah D. Scalet

Page 3

3) Challenge/response component. A first-time website visitor is also asked to answer several questions from a list of questions provided by RSA that, theoretically, should be easy for him to remember but hard for a phisher to learn—typically things like the high school he attended or the first street he lived on. If Zionsbank doesn't recognize his computer, it prompts him with one or more of these challenge questions and won't let him in until he answers correctly.

"We're trying to balance increasing security for customers on the site while maintaining usability and portability," says Wood, who hasn't entirely ruled out traditional two-factor authentication for the future. Rather, his goal was to put something in place that can grow. For instance, he could set up the RSA system to incorporate out-of-band communication for certain kinds of transactions—perhaps requiring, say, that a customer doing a large funds transfer first receive a passcode at a predetermined phone number.

"This establishes the foundation," Wood says. "As we want to, or as the threat necessitates, we can turn on additional features."

Finding Problems

The big question on Wood's mind—and everyone else's—is how quickly the threat landscape will change. And that depends largely upon what happens once the phishing community really starts trying to cut in on the dance.

The effectiveness of device authentication, for instance, varies widely. Don Phan, a research analyst at Javelin Strategy & Research, puts cookies on the lower end of the sophistication scale, along with solutions that look at a computer's browser, other installed software, basic settings or IP address. More sophisticated solutions can do a BIOS scan on the motherboard and gather serial numbers.

When coupled with something the user knows, like a password, any of these types of device authentication, technically, constitutes a second factor for authentication—something the user has, namely, a computer. But there are two main problems with authentication based on a computing device.

First, portability: Banks have to decide whether they want to provide a back door for customers who are logging in from a different computer than usual. Do online strategists want to let someone log on from a work computer or his mother-in-law's house? If so, they'll have to fall back on the other security "layers," like the challenge questions.

The second problem is that, to varying degrees, any of the device authentication methods can be defeated, spoofed or stolen. Second-factor authentication based on a cookie in a Web browser is especially troubling to some—and not only because some users don't allow cookies to be saved.
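The layered policy described above (recognized device, fallback to challenge questions, out-of-band passcode for large transfers) and the cookie weakness just noted, as an added example that is not Zions Bank's or RSA's code. The key, the 90-day lifetime and the 10,000 transfer threshold are assumed values for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; in production this lives in a key store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_LIFETIME = 90 * 24 * 3600   # assumed: re-enrol a device after 90 days
LARGE_TRANSFER = 10_000           # assumed threshold for out-of-band step-up


def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_token(user_id: str, now: int) -> str:
    """Mint a device cookie value: user|device_id|expiry|HMAC.
    The HMAC binds the cookie to one account and detects tampering."""
    device_id = secrets.token_hex(8)
    payload = f"{user_id}|{device_id}|{now + TOKEN_LIFETIME}"
    return f"{payload}|{_tag(payload)}"


def device_recognized(token: str, user_id: str, now: int) -> bool:
    """True only if the cookie is intact, issued for this user and unexpired.
    A cookie copied out of the user's own browser still passes, which is
    exactly why the challenge and out-of-band layers stay in the policy."""
    parts = token.split("|") if token else []
    if len(parts) != 4:
        return False
    uid, device_id, expires, tag = parts
    if not hmac.compare_digest(tag, _tag(f"{uid}|{device_id}|{expires}")):
        return False
    return uid == user_id and now < int(expires)


def login_decision(user_id: str, token: str, challenge_ok, now: int) -> str:
    """Layers 1-2: a known device logs straight in; an unknown device must
    answer the challenge questions (challenge_ok is None until answered)."""
    if device_recognized(token, user_id, now):
        return "ALLOW"
    if challenge_ok is None:
        return "CHALLENGE"
    return "ALLOW" if challenge_ok else "DENY"


def transaction_decision(amount: float, passcode_verified: bool) -> str:
    """Layer 3: large transfers need a passcode delivered out of band
    (e.g. to a pre-registered phone number) before they go through."""
    if amount >= LARGE_TRANSFER and not passcode_verified:
        return "OUT_OF_BAND_PASSCODE"
    return "ALLOW"
```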
