
Two-Factor Authentication for Online Banking

February 28, 2006

New Regulatory Guidance

Regulatory guidance issued by the Federal Financial Institutions Examination Council (FFIEC) in October 2005 mandated that financial institutions replace single-factor authentication methods with multi-factor authentication for online banking applications by the end of 2006. Financial institutions and online banking service providers must act quickly if they are to be in regulatory compliance by that date.

What is Two-Factor Authentication?

Single-factor authentication can consist of any one of three factors:

  • Something you know. This is the most common single-factor method: a user ID and password, a pre-shared secret, or a challenge-response question.
  • Something you have. This can be a certificate and private key installed on a computer or stored on a token, a token that generates one-time passwords, a smart card, or a scratch card of one-time passwords.
  • Something you are. This includes biometric measurements such as a fingerprint, hand geometry, a retina or iris scan, or facial geometry.

Multi-factor authentication combines two or more of the factors above. Note that a user ID is an identifier, not a factor; it is the password or PIN that supplies "something you know". Examples would be a password combined with a smart card, a password plus a one-time password from a token, or an ATM card with a PIN.

What Are the Choices?

FIL-103-2005 outlined the following possible authentication methods. Not all of them are a second factor in their own right: shared secrets are "something you know", and IP geo-location and mutual authentication supplement a password rather than replace it.

  • Shared Secrets
  • Tokens – including USB Tokens, Smart Cards, and Password-Generating Tokens
  • Biometric devices
  • Non-Hardware-Based One-Time-Password Scratch Card
  • Out-of-Band Authentication
  • IP Address Location and Geo-Location
  • Mutual Authentication

Some of the above are more practical than others. Issues of training for customers and employees, distribution of hardware, management, convenience, ease of use, and cost all must be considered before choosing a solution. Below, we summarize several of these options and discuss their pros and cons.

Tokens

The two common types of tokens are USB tokens and dynamic password tokens.
USB Tokens: These devices are about the size of a key and plug into the USB port on a PC. The token holds the private key and certificate used to prove possession of the token when the online banking session is set up; on a well-designed token the key cannot be copied off the device. Tokens are normally combined with a user ID and password for two-factor authentication. This method is quite handy unless you have to crawl under your desk to get to the USB port, or your computer has no USB port at all. The token is easily moved from one computer to another, which makes it easy to access online banking from multiple locations; it is equally easy to lose or steal, which is why the password is still required.
Dynamic Password Tokens: These are normally credit card-size or key-fob devices with a small LCD display. A one-time password is shown on the display and changes on a fixed schedule, typically every 30 or 60 seconds (counter-based tokens instead produce a new code each time a button is pressed). The customer enters a user ID, a password or PIN, and the one-time password from the token. A one-time password captured by a phisher or keylogger is of little use afterwards: once it has been accepted it cannot be accepted again, and it is soon superseded by the next code. The protection is not absolute, though: a phishing site that relays the code to the bank within its validity window can still log in, so one-time passwords defeat replay of a stolen password, not a live man-in-the-middle. One disadvantage is that some customers will find it difficult to enter the one-time password before it changes, particularly the elderly and disabled. Special attention may be required to adequately train these individuals so that they feel comfortable using the device. In addition, extra expense, inconvenience and transaction delays must be expected due to lost or stolen tokens.

Mutual Authentication

One reason that phishing attacks are successful is that a customer cannot determine whether the website they are at is the institution's actual website or a phishing site in Romania. Mutual authentication, sometimes referred to as "two-way" authentication, addresses this through a process in which the customer's identity is authenticated by the online banking website and the identity of the online banking website is authenticated by the customer.
One method of authenticating the website to the customer is through the use of pictures. As part of the customer registration process, the customer selects or shares an image and/or message. Later, when they log in, the image and/or message is shown to them. If the correct image/message is displayed at login, the customer knows that they are at their institution's actual website; if it is not, they know that they are at a spoofed website. The image only proves anything if a phishing site cannot obtain it: if the institution returns the image for any user ID that is typed in, a phishing site can simply relay the user ID to the real site and show the customer the correct picture. The image should therefore be released only to a device the institution already recognizes, and customers should be trained to stop when it is missing or wrong.
Several vendors provide mutual authentication technologies, including PassMark™ and Entrust IdentityGuard. PassMark makes real-time fraud decisions based on device recognition and shared fraud data: using the device ID plus a shared fraud-data network, its real-time risk management engine applies customizable, self-learning algorithms to silently categorize visitors as "Good," "Bad," or "Uncertain". Online-banking service provider Certegy Card Services, recently merged with Fidelity Information Services, offers PassMark™ picture-based mutual authentication. In the words of Certegy Card Services, their PassMark™ implementation "combines the best of multi-tiered, real-time, risk-based authentication tools with fraud detecting artificial intelligence for stronger, improved layers of online security—without compromising ease or convenience."
This method of authentication has two notable advantages: 1) no certificates need to be installed on customers' systems, so the expense of certificate management is eliminated, and 2) the cost of equipment, tokens, training and management is much lower than for token-based one-time-password solutions such as RSA SecurID. The corresponding limitation is that the image authenticates the site to the customer, not the customer to the site; on its own it adds nothing to how the customer is authenticated, which is why these products pair it with device recognition and challenge questions.

Digital Certificates

Digital certificates are mentioned peripherally in several places in FIL-103-2005, and they are already part of today's single-factor deployments: the SSL certificate that identifies the banking website is one. A certificate binds a public key to an identity vouched for by the issuing authority; the holder proves that identity by using the matching private key, and the same key pair is used to set up the encrypted session. Digital certificates can also serve in two-factor authentication methods: on USB tokens, as part of a mutual authentication method, or as the second factor if the certificate is required to be installed in advance on the computer that the customer will be using.
Installed Digital Certificate: This method requires the installation of a digital certificate and its private key on the computer that is used for online banking. The user ID and password combined with the certificate are used to authenticate to the online banking system and to encrypt the data throughout the session. Without the certificate, the customer cannot authenticate to the online banking system. Once installed, the certificate is largely transparent to the customer until it expires, at which point the customer must install a renewed one.
Although the installation of digital certificates is easy for computer-savvy customers, it can be stressful for those that are new to the process. In addition, the issuance, distribution and revocation of certificates must be managed carefully by the online banking service provider, since a certificate on a lost or compromised computer must be revoked promptly.
One significant disadvantage of this system is that it does not work well for travelers. If the customer needs to access online banking from a system other than the one that holds the certificate, they would have to install it on the computer they are going to use, and a private key copied onto a shared or public computer can no longer be considered private.

Conclusion

For those banks that rely on an outsourced service provider for online banking, there may be no choice other than to accept what is offered. However, for banks that have implemented online banking in-house or are changing online banking service providers, authentication will be a major consideration that affects the customer's online banking experience.

How Assurity River Group can help

Assurity River Group offers specific services to help you. We can:

  • Explain the technical details of the various authentication methods
  • Assess the risk presented by the various implementations that are being offered or considered
  • Conduct security awareness training programs for your employees

Assurity River Group’s consultants can assist your organization in being proactive in your defense against internal and external threats.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.