COLUMBIA, S.C. – As the original user-name-and-password method of logging on relentlessly gives way to two-factor authentication and more, it may take with it one of the most-hyped and under-adopted services of the electronic banking revolution: account aggregation. That's the view of some industry observers and participants, including Forrester Research analyst Martha Bennett, who see security concerns overmatching consumer desire to view all their financial relationships on a single screen and with a single log-on. "Introducing two-factor authentication for access to online banking services would be the death knell of account aggregation services as they are implemented today," Bennett says in a new report titled "Strong Authentication Kills Account Aggregation." "Any service that relies on a static combination of user name and password simply would not work if a second, one-time authentication factor was introduced," she says. And that's just what's happening across the financial services industry. Two-factor methods, such as adding a challenge question or graphical text or image selection, are increasingly being deployed to thwart fraudsters intent on identity theft and other crimes. Even simply requiring passwords to be changed every 90 days puts a big hamper on the password-storing, screen-scraping methods used by many aggregators today. "The big reason this is happening is that Internet banking providers have to provide a mechanism to stop programmatic hacking scripts, and the log-in processes currently in use today are by and large subject to just that," says Robert Broadwell, vice president of PM Systems Corp., a South Carolina-based provider of Internet banking and security software and services to about 250 credit unions. Broadwell has long advocated stronger log-in security measures, including personal external devices such as tokens, and he says his company "has phased out single-factor authentication. We have OCR scripting systems that will effectively stop an automated hacking program, but they also have the effect of stopping aggregators from screen scraping." Meanwhile, one of the technology's pioneers argues that despite the relatively low adoption numbers for traditional aggregation, the concept remains viable and also is essential to one of the most desirable of online service enhancements, electronic bill pay, and other services. And Yodlee Inc. has moved well beyond simply storing passwords and single screen views, says Schwark Satyavolu, the Redwood City, Calif., company's veteran chief technology officer. "It's not the application it started out to be," Satyavolu says. "Richer platforms are being built, especially for bill pay, the hottest application in the market. Check Free, Metavante, they all do account aggregation based on the bills themselves, and theirs is a significant amount of installed base outside of what is traditionally thought of as account aggregation." Yodlee itself has moved beyond single-factor authentication, Satyavolu adds, partnering with PassMark Security to integrate that company's two-factor/two-way authentication to seamlessly operate with all of Yodlee's aggregation services, including bill pay and personal financial management. Some very big players in online banking, including Bank of America, also are using the new PassMark system and Satyavolu says, "We believe this will be a popular approach with consumers and many financial institutions. We are working closely with them to ensure the compatibility of aggregation technology with this and other new strong authentication approaches." The Yodlee CTO says that only about four hours of work "on all sides was needed to make sure the PassMark solution worked with our aggregation system, so you could be up and running in less than a day." Satyavolu also says that Yodlee, whose client list includes about 50 credit unions through channel partners such as CUNA, S1 and FundsXPress, has a "rich, strong direct data network that has long been up and running before these authentication questions ever arose. In fact about half or our data comes through such structured feeds already." That said, the effort and expense of adopting such non-screen scraping platforms may not be worth it to many institutions, Bennett argues. "Given the low level of adoption of account aggregation services . it's unlikely that banks would make the investment required to provide data for aggregation services through a behind-the-scenes data interchange mechanism," the Forrester Research analyst says. Regardless of how the data is obtained, it's the same thing with the credit unions served by PM Systems, Broadwell says. "It hasn't been an issue for us, because the utilization rate has been very low," he says. "We haven't had any demand for it, even from our large credit unions. "We've had contact from aggregators who said they can't scrape our systems, and we told them that's because of our defenses in place against automated scripts," Broadwell says. "If there was any kind of huge demand for aggregation, we would build individual channels for it." That also would take cooperation with the aggregator, which hasn't always been forthcoming, Broadwell says he has found. "We've had at least one who refused to do the due diligence, provide the SAS70 audit results and all the other things credit unions would require, so we couldn't do it," he says. Yodlee's CTO says the effort is worth it to his organization, one of the original creators of aggregation technology. While aggregation in and of itself has perhaps not reached the adoption levels first envisioned when it hit the market, Satyavolu says the numbers are growing and that the people who value it are often those who financial service institutions might prize the most. "Aggregation customers are a small but growing lot, but they typically have a high net worth," the Yodlee executive says. "And because of that, we have a significant amount of interest from financial institutions willing to put in the extra effort to make sure that service is available to them." -

[email protected]