Two-Factor Authentication for Online Services Takes Center Stage with 2006 Deadline

COLUMBIA, S.C. – Phishing and pharming and other hacks had been dominating the chat at the IT cyber water cooler this year until Oct. 12 rolled around. That day, the Federal Financial Institutions Examination Council (FFIEC) issued its new guidelines on online authentication. While the guidance focused on risk management as a whole and didn’t dictate any particular path, amid the ambiguous takeaway the bottom line for most seems to be this: Passwords are insufficient as the sole means of security and the FFIEC has given the nation’s provider of online financial services until the end of 2006 to do something about it. That kicked off a scramble among Internet banking vendors and security specialists alike to offer authentication at both sides of the transaction – end user and financial institution. It also has finalized the change for many of the definition of one of the original terms in Internet banking itself – two-factor authentication. Two-factor authentication had often been understood as PIN and password, but that’s changing fast. Most, including the FFIEC, now take it to mean the PIN/password and some other form of authentication, including verifying the computer itself that’s being used to originate the transaction. Throw in the possibility of tokens and the growing adoption of neural networks and other back-shop software used to learn the behavior of the end user to know when to trigger challenge questions, for instance, and the whole process can begin to seem, well, downright intrusive. And that’s a problem. “If an institution implements a difficult-to-use solution, I could foresee consumers moving accounts to alternatives that are easier,” says Kelly Dowell, director of the Credit Union Information Security Professionals Association. He adds, however, that “some of the new technologies are able to solve the problem without the member having to have a device, using on-screen solutions that are password-code schemes or images, along with back-end, two-way verification. Personally, I think this is where the market needs to go and will go.” Steve Harkins would agree. “We don’t yet know exactly what we’re going to do, but I will say this, they’ve got to find something that is not so onerous for the member and not so cost prohibitive for the institution,” says the president of S.C. Telco FCU in Greenville, S.C. “We’re working with our provider on this and are expecting a multi-factor authentication solution from them,” he says. “We can get into all kinds of things, but it could potentially really increase our costs and eventually make the consumer push back and say you’ve gone too far,” says Harkins, whose $112 million credit union (www.sctelcofcu.org) uses FundsXPress for online banking services. Such pleas are being heard, according to online banking providers such as Online Resources, Digital Insight and others who have been partnering with specialists to provide the added protection in ways members would adopt willingly. The specialists, too, have been popping up and weighing in, too, with perhaps the three most oft-heard names in credit union land being TriCipher, PassMark and Cyota. Each takes similar approaches to authentication but with individual twists. For instance, Cyota’s eSphinx platform uses the challenge-response approach and an optional eStamp in which users get a shared bit of information, an image or text, displayed each time so the end user knows this is, indeed, his or her financial institution’s Web site. “We’ve adopted eSphinx and will be piloting it soon and rolling out through the rest of the year,” says Stephanie Chaufournier, senior vice president/general manager of the Internet banking group at Online Resources Corp. in Chantilly, Va. “We talked to 10 or 15 different vendors and felt Cyota had the subset of functionalities we were looking to integrate into our online banking and bill pay services,” Chaufournier says. She says the FFIEC guidance spurred “a number of inquiries from our clients, and a lot of confusion about what it really requires credit unions to do, and we’re delighted there’s a focus on this.” Digital Insight, meanwhile, has partnered with TriCipher Inc. of San Mateo, Calif., which offers “three levels of authentication, each stronger than the next, that will allow our credit unions and their end users to escalate the level of protection without having to change the technology on their PCs,” says Scott Mackelprang, vice president of security and compliance at DI in Calabasas, Calif. He also says DI is working on a variety of other solutions – including cookie-based, biometrics and tokens – to accommodate the varied needs of its big client base. And, Mackelprang says, credit unions will need to recognize that end users are going to have to at least participate in the process to help ensure their own protection. “Even the least-intrusive methods of authentication won’t be invisible,” he says. “We’re hoping it will be painless, or at least not painful. Getting Ahead of the Curve Technology Credit Union (www.techcu.com), true to its name, is one CU that says it’s been getting out ahead of the curve, becoming one of the first credits to go live with PassMark’s two-factor, two-way authentication in November. The $1.1 billion CU in San Jose, Calif., is an in-house user of MemberBridge (now Corillian) online banking software and “started working on this this past summer, because we kind of felt we would be ahead of the curve,” says Kathy Litman, Tech CU’s vice president of marketing. Victor Smilgys, the CU’s assistant vice president/e-commerce, adds, “The FFIEC guidance is part of it, but we’re also trying to be proactive, since the hackers are always getting more advanced, too.” The first step in the rollout was requiring all users to convert from the old four-digit password and member ID to alphanumeric user names and passwords. Challenge questions and authentication images also are included, and the CU is considering adding some of the other protections from Menlo Park, Calif.-based PassMark, including tokens for the more security-sensitive of its big user base of technology and government workers. Tech CU is one of the first two credit unions to adopt PassMark’s authentication technology, joining its Silicon Valley neighbor, Stanford FCU, the first financial institution to offer online transactions. Meanwhile, another big California CU, $3.1 billion Wescom, is keeping its own company. The Pasadena-based CU (www.wescomcu.com) uses an online banking platform developed in-house with its tech CUSO, Wescom Resources Group (WRG), that requires variations in PINs and can force a password pane from time to time. “In addition, we recently developed a new enhancement we call Mutual Authentication that allows members to uniquely identify the Wescom eBranch site by adding a unique pass phrase known only to the member,” says Kevin Sarber, president of WRG. “If phishers attempt to spoof our site, they’ll have no way of knowing the member’s unique pass phrase.” That said, Wescom also intends to implement two-factor authentication in 2006, Sarber says. That will involve collecting security questions and answers from members and requiring their use when the credit union detects something like a different browser, operating system or IP address being used during the login try. While back-shop computers assess risk, management needs to, too. That’s also a big takeaway from the FFIEC guidance, stresses David Meunier, chief information security officer at CUNA Mutual Group in Madison, Wis. “There’s been a lot of debate in the professional ranks of IT security on whether two-factor authentication really will solve all this,” he says. “It’s kind of like the encryption hype, when everyone was saying, `Let’s go out and encrypt everything.’ It’s part of the solution, but not the whole solution.” -