Trouble In Authentication Land
While the pressure mounts to meet the FFIEC deadline, we see significant movement by the major banks. Bank of America, after a several-month delay, has rolled out a security solution which is now mandatory for BofA online banking customers. A major security vendor now offers hardware tokens combined with tokenless "risk-based" authentication, which is a good match.
The bigger banks have been working on multi-factor authentication for years and are well poised to take on the challenge. My concern is for the community banks and credit unions. They are already having a hard time competing with online banking and bill pay.
I'm still not convinced that the solutions in front of us are going to secure online authentication in the years to come. Two-factor and multi-factor authentication will up the level of difficulty for the hacksters. But, I suspect that by the time banks deploy tokens, card readers, retinal scanners, and thumb print devices, the thieves will have done their homework as well.
What is wrong with multi-factor authentication? The problem with customer-supplied authentication information is that it is supplied by the customer. Someone posing as you may have your social security number, your mother's maiden name, and know the name of your first pet, first born, and favorite food.
If I have your laptop, your fob, your wallet and anything else that was in your briefcase, you're out of luck. If I rifle the thumb print database, I've got your one and only thumb print for life.
Anything that can be contained in a database can be taken from a database. Anything in your house, car, office, hotel room, and at Starbucks can be stolen. We need to come up with something that can't be stolen. The difference between two-factor and multi-factor authentication is just the number of things I need from you.
Enter "risk-based" authentication. The risk analysis engine is going to observe your banking behavior, analyze it, and flag anomalies. This is similar to how intrusion detection systems work. If there appears to be something very unusual about the online banking location of the transaction, or the number of transactions, or the value of the transactions, the transaction is flagged.
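To make the idea concrete, here is a minimal sketch of such a risk check, added as an illustration and not taken from any vendor's product. The function names, the profile fields, the thresholds (`z_limit`, `count_factor`) and the sample history are all assumptions constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history for one customer: (timestamp, location, amount in dollars).
HISTORY = [
    (datetime(2024, 1, day, 12, 0), "Austin, TX", amount)
    for day, amount in [(1, 120.0), (3, 80.0), (7, 150.0),
                        (10, 95.0), (14, 110.0), (20, 130.0)]
]

def build_profile(history):
    """Summarise observed behavior: usual locations, amount spread, busiest day."""
    amounts = [amount for _, _, amount in history]
    per_day = Counter(ts.date() for ts, _, _ in history)
    return {
        "locations": {loc for _, loc, _ in history},
        "mean": mean(amounts),
        "stdev": pstdev(amounts) or 1.0,  # flat history: avoid dividing by zero
        "max_per_day": max(per_day.values()),
    }

def assess(profile, recent, txn, z_limit=3.0, count_factor=3):
    """Return the reasons txn looks anomalous; an empty list means not flagged.

    recent holds transactions seen before txn; only the prior 24 hours count.
    z_limit and count_factor are assumed thresholds, not values from the page.
    """
    ts, loc, amount = txn
    reasons = []
    if loc not in profile["locations"]:
        reasons.append("unusual location")
    window = [t for t in recent if timedelta(0) <= ts - t[0] <= timedelta(hours=24)]
    if len(window) + 1 > profile["max_per_day"] * count_factor:
        reasons.append("unusual transaction count")
    if (amount - profile["mean"]) / profile["stdev"] > z_limit:
        reasons.append("unusual transaction value")
    return reasons

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    now = datetime(2024, 1, 22, 12, 0)
    burst = [(now - timedelta(hours=h), "Austin, TX", 100.0) for h in (3, 2, 1)]
    print(assess(profile, [], (now, "Austin, TX", 140.0)))
    print(assess(profile, burst, (now, "Portland, OR", 4800.0)))
```

A flagged transaction would normally trigger a step-up challenge or manual review rather than an outright block, since a customer who travels or makes one large purchase produces the same signals.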
While banks are moving towards compliance with two-factor user authentication, website authentication is still a problem to be solved. With user authentication, the user is authenticated to the bank. But what about authenticating the banking website to the user? How does the user know he or she has arrived at the right website rather than a phishing site?
The authentication vendor you choose must be able to demonstrate not only a strong method of user authentication and a method of online risk management, but also a method of website authentication. Electronic signatures are one method that addresses website authentication.
For smaller banks trying to keep their heads above the waters of new requirements, there are several vendors who can address part of the problem. Some vendors offer multi-factor authentication and website authentication. In one case I found a vendor who offers "virtual" tokens. The solution does not depend primarily on customer-supplied information and there are no hardware tokens to distribute. The website authentication method offered the highest possible encryption, a "256-bit secure hash."
Another major vendor addresses the problem of relying on customer-supplied information and meets the requirements for strong authentication. When a user signs up to use the product, they are given a random set of faces to substitute for or accompany their password. They are taken through a "familiarization process" that helps them remember the pictures of faces. A user may be given 3 to 7 faces to memorize depending upon the level of difficulty desired. When a user logs into a protected system, he or she must pick the chosen faces from a set of pictures complete with decoys.
There are many solutions on the market today. The important thing to remember is that two-factor authentication compliance is on the horizon. Steer clear of solutions that rely wholly on customer-supplied information. Plan to implement website authentication as the next step. While strong user authentication is the immediate requirement, the proper order is website authentication first (make sure your customer comes to your website, not a phisher's), and secondly, multi-factor authentication that does not rely wholly on customer-supplied information. Things are a bit backwards at present, but in time we will catch up with ourselves.