MADISON, Wis. – University of Wisconsin Credit Union isn't waiting for regulators to tell it to bolster the two-factor authentication system members use to log in at www.uwcu.org. The $800 million CU is the first financial institution to go live with the new Intelligent Authentication system from Corillian, a system its developer is confident will pass muster with the guidance from the Federal Financial Institutions Examination Council (FFIEC) that calls for stronger authentication solutions by the end of 2006.

The Intelligent Authentication system adds a challenge question to the user name/password routine required by traditional two-factor logins. What makes it more powerful, the company says, is how it decides when to pose those questions.

The software examines the access request and decides whether to require the challenge question based on a history of "access signatures" created by collecting and validating such non-personally identifiable information as IP addresses, ISP, PC and browser settings, even the time of day and geographic location of the login. Based on that, the challenge question would be posed if, say, the user tried to log in from an unrecognized remote location or even changed operating systems on a home computer. It also can be set to challenge every 20 log-ins, for example, to remind the user that the security measure is in place.

"What we recommend is letting the user select five from a list of 20 questions and answer them in ways that make it difficult for someone else to remember but easy for the user," says Jim Maloney, chief security executive at Oregon-based Corillian.

"They can be questions such as 'What was the model of car you learned to drive in?' And you can provide nonsense answers to a question like that, such as 'pizza', which also would be easy to remember and even less likely for someone else to get," Maloney says.
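The challenge decision described above can be sketched as follows. This is an added example, not Corillian's code: the field names, the strict/soft attribute split and the mismatch threshold are assumptions, and only the 20-login reminder interval comes from the article.

```python
from dataclasses import dataclass, field

CHALLENGE_EVERY = 20        # the article's "every 20 log-ins" reminder setting
STRICT = ("os", "region")   # assumption: a change here always triggers a challenge
MAX_SOFT_MISMATCHES = 1     # assumption: tolerated drift across the other fields

@dataclass(frozen=True)
class AccessSignature:      # hypothetical field set, non-personally identifiable
    ip_net: str
    isp: str
    os: str
    browser: str
    hour_band: str
    region: str

@dataclass
class Profile:
    known: set = field(default_factory=set)   # signatures validated so far
    since_challenge: int = 0

def recognized(sig, known):
    """True if sig is close enough to at least one validated signature."""
    soft = [f for f in sig.__dataclass_fields__ if f not in STRICT]
    for k in known:
        if any(getattr(sig, f) != getattr(k, f) for f in STRICT):
            continue
        if sum(getattr(sig, f) != getattr(k, f) for f in soft) <= MAX_SOFT_MISMATCHES:
            return True
    return False

def challenge_reason(profile, sig):
    """Return why a challenge question is required, or None to skip it."""
    if not recognized(sig, profile.known):
        return "unrecognized access signature"
    if profile.since_challenge + 1 >= CHALLENGE_EVERY:
        return "periodic reminder"
    return None

def login(profile, sig, answer_ok=False):
    """Password already verified; apply the policy. Returns (allowed, reason)."""
    reason = challenge_reason(profile, sig)
    if reason is None:
        profile.since_challenge += 1
        return True, None
    if not answer_ok:
        return False, reason      # failed challenge: the signature is not learned
    profile.known.add(sig)        # a correct answer validates this signature
    profile.since_challenge = 0
    return True, reason

# Constructed sample signature (documentation IP range, made-up ISP name).
HOME = AccessSignature("203.0.113.0/24", "ExampleNet", "Windows XP", "IE6", "evening", "US-WI")
```

A signature is added to the history only after a correct answer, so a failed attempt from a new machine never becomes "recognized".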
Eric Bangerter, director of Internet services at UWCU, says the new system meets the CU's desire to "add another level of authentication to our online banking site without being as obtrusive as the other systems we're aware of out there right now." He says the credit union will be rolling the system out in phases, promoting it to members to show how UWCU is protecting their assets, and giving members the option of skipping enrollment in the new system for 30 to 60 days, after which it will become mandatory.

"We're going to try to spread this out over the next couple months to lighten the load," Bangerter says.

As for the internal workload, the Intelligent Authentication solution required the creation of a few new pages that needed to integrate with the credit union's Corillian Voyager online banking solution and the authentication needed to segue with the host processing system, in this case a Fidelity MISER platform.

UWCU has an unusually large penetration rate of online bankers – about 65% of its 100,000 members are signed up – and wanted to add another level of security while keeping the system user friendly. Tokens are one consideration.

"Right now something physical would be a whole other step we didn't want to take, although we might later decide to partner with someone to do that," Bangerter says, adding that that might take the form of a fee-based option to members who wanted yet an additional security measure.

He says UWCU also is working on yet another innovative solution. "We're considering using the cell phone as the token. The online banking site would call the phone, and voice activation or a PIN number would be used to authenticate back to the site," Bangerter says.

"There are some companies doing some neat stuff around that, but we're not ready to pick a vendor and commit to someone who has just a few customers and no real track record," he says. "That's why we went with Corillian for Intelligent Authentication, even if you don't have to be one of their customers already to use it. We trust them and know they're going to be around."

Maloney at Corillian says UWCU is the first to use the system, while three more financial institutions have committed to it and another five to 10 are expected to sign in the next few weeks. Overall, Corillian has about 70 users of its online banking solutions, including a number of the industry's largest credit unions and banks.

UWCU says it also is examining the Corillian Fraud Detection System, which uses Web-log analysis and behavior-based reporting to spot phishing attacks and other fraudulent behavior.

Maloney says there are similarities between the two systems, "in terms of having a common heritage based on understanding behavior. The Fraud Detection System tries to understand bad behavior and let you know what direction to go from there, while the Intelligent Authentication solution really characterizes good behavior and uses that for authentication."

So what makes Maloney so confident the Intelligent Authentication solution will pass muster with the FFIEC?

"We just had a meeting with the FDIC that included one of the authors of the FFIEC guidance. They wanted solutions that were user-friendly and convenient, because there was a concern that consumers might move to a financial institution with lesser checks, for instance, to avoid the inconvenience.

"They said we were the first to actually meet with them and ask them if our system met the FFIEC guidance. They said there was no question it did."
© Touchpoint Markets, All Rights Reserved.