In the interest of serving a particularly security-savvy membership, especially those engaging in notably alert-triggering activities, Addison Avenue Federal Credit Union is now the first credit union to offer a new two-factor authentication system from VeriSign.
About 600 of the Silicon Valley credit union's 150,000 members now use the one-time password (OTP) generating application, including a version specifically for smart phones and other mobile devices.
The service is called VIP Authentication and is a new layer on top of the $2.4 billion credit union's 2006 deployment of the company's VeriSign Identity Protection Fraud Detection Services, which already added risk-based authentication and antifraud network prevention protections to standard user ID and password access.
"It's been a slow adoption so far, kind of a silent release and we're not being aggressive with it right now," said Blanco Guerrero, senior vice president and chief information officer at Addison Avenue in Palo Alto, Calif.
"We're trying to target members who do high-risk transactions or travel outside the United States a lot. That means frequent wire transfers and ACH transactions, especially online ACH," Guerrero said.
Those targeted members can choose to receive their one-time passwords by text, via hardware token or by phone call.
The hardware token seems to be working out as the most effective for out-of-country travelers who might not have access to phone calls and texts, said Srividya Balaji, Addison Avenue's design and development manager.
The token can be carried on a keychain or embedded into a credit card and generates a one-time password that is then verified through VeriSign's authentication service, Balaji said.
"The device itself uses an algorithm to create the password that is then entered into our system. We then make the call out to VeriSign's authentication service and then authenticate the member," Balaji said. "It's all HTTPS secure and the passcode is only good for 30 seconds."
The system also is connected to the PayPal OTP system, allowing secured mobile access to that company's popular person-to-person payments. That and the fact that so much of the system is hosted helped drive the decision to deploy, Guerrero said.
"We want to move to an in-the-cloud solution because we didn't want any additional IT overhead," she said. "And while VIP authentication met this requirement, what made it even more attractive was access to the VIP network, allowing members that already have PayPal OTP-generating tokens to use them to access their Addison Avenue accounts."
Members are not yet being charged for the service and the credit union is now exploring ways to do that while expanding it to more of its membership.
"We'll base it on relationship pricing or the level of risk," Guerrero said. "We see very little risk with members with only a basic checking account compared with those who move money to other institutions or from overseas, but we want them to have the best experience possible, too."
There are now more than 200 institutions using the service, said Kerry Loftus, vice president of user authentication at VeriSign in Mountain View, Calif.
"We see a lot of smaller banks using the two-factor authentication, primarily because they have smaller user bases and they feel comfortable with the technology and the service," she said.
Credit unions fit that mold, Loftus said, "because they typically have that relationship with end users, too. They know them personally and the kind of transactions they do tend to be much more personal than with the big banks."
There has been no loss of funds since the VeriSign layered protections were launched, Guerrero said, and the VIP Authentication password protection has only added to that confidence.
"Nothing out there is 100% secure, but from my perspective I think the VIP token is the hardest one to break right now," she said.