User Names and Passwords No Longer Enough


Online banking is about to change. Due to concerns over online fraud, U.S. financial institutions are being pressured by the Federal Financial Institutions Examination Council (FFIEC) to abandon single-factor authentication methods, such as user names and passwords.

The FFIEC was purposefully vague about this, not suggesting what should fill the user-name-password gap, but whether you pay bills, trade stocks, or simply keep track of account balances online, you will start noticing changes in your login procedures by the end of this year.

The FFIEC, a governmental council charged with supervising financial institutions, has determined that single-factor authentication is “inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”

What, though, constitutes high risk?

“There is plenty of room for the individual banks to determine their own threat environments,” said Richard De Lotto, a Gartner analyst. “Since technology moves so quickly, the FFIEC cannot reliably advocate a specific technology.”

Financial institutions are mulling over many alternatives, from using multiple passwords to integrating challenge-response questions to leaning on technological solutions such as client certificates, tokens, or even biometrics.

“The key is determining what is appropriate and reasonable security,” said Roger Sullivan, vice president of the Liberty Alliance, an industry consortium dedicated to developing standards for identity and authentication.

Sullivan, who is also vice president of identity solutions at Oracle, noted that the type of transaction would determine the means of authentication.

“What I mean is, if I want to query my bank balance, a PIN or password is probably enough,” he said. “However, if I want to transfer funds out of my account, this will require more stringent authentication, and if I want to withdraw, say, more than 10% of my funds, I will face even more robust authentication.”

Part of the problem with the user-name-password paradigm, aside from its relative weakness as an authentication method, is that once you are into an account, you are in entirely.

“This isn’t the way a brick-and-mortar bank works,” said Neal Creighton, CEO, GeoTrust, a provider of identity verification solutions, “and it makes sense to introduce a tiered authentication system for online users, as well.”
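The tiered model Sullivan and Creighton describe can be made concrete as a small policy engine. The following is an added example written for this article, not code from any bank, the FFIEC, or the people quoted; the three authentication levels, the transaction names, and the policy table are constructed assumptions, with the article's "more than 10% of funds" threshold used as the trigger for the strongest level. It also shows, side by side, the flat "once you are in, you are in entirely" check the article criticises.

```python
"""Tiered (step-up) authentication policy.

Added illustration for the article; not code from any bank, the FFIEC, or the
people quoted. The levels, action names and thresholds are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Ordered strength of what the user has proven so far in this session."""
    NONE = 0
    PASSWORD = 1   # single factor: user name plus password or PIN
    CHALLENGE = 2  # password plus a knowledge-based challenge question
    STRONG = 3     # password plus a possession factor (token, client cert)


@dataclass
class Session:
    balance: float                      # available funds, used for the 10% rule
    level: AuthLevel = AuthLevel.NONE   # highest factor verified so far


def required_level(action: str, amount: float, balance: float) -> AuthLevel:
    """Map a requested transaction to the authentication level it needs.

    Constructed policy: read-only actions need only the first factor, anything
    that moves money needs a second one, and moving more than 10% of the
    balance needs the strongest factor. Unknown actions fail closed.
    """
    if action == "view_balance":
        return AuthLevel.PASSWORD
    if action in ("pay_bill", "transfer"):
        if balance > 0 and amount > 0.10 * balance:
            return AuthLevel.STRONG
        return AuthLevel.CHALLENGE
    raise ValueError(f"no policy for action {action!r}")


def authorize_flat(session: Session, action: str, amount: float = 0.0) -> bool:
    """The single-factor model: once the password is accepted, every action
    in the account is allowed, regardless of what it does."""
    return session.level >= AuthLevel.PASSWORD


def authorize_tiered(session: Session, action: str, amount: float = 0.0):
    """Return (allowed, needed). When not allowed, `needed` tells the front
    end which step-up prompt to show instead of refusing outright."""
    needed = required_level(action, amount, session.balance)
    return session.level >= needed, needed


def step_up(session: Session, factor_verified: AuthLevel) -> Session:
    """Raise the session level after a factor has been verified elsewhere.
    A session's level only ever rises; a weaker factor never lowers it."""
    if factor_verified > session.level:
        session.level = factor_verified
    return session


if __name__ == "__main__":
    s = step_up(Session(balance=5000.0), AuthLevel.PASSWORD)
    print("flat model, transfer 20%:  ", authorize_flat(s, "transfer", 1000.0))
    print("tiered, view balance:      ", authorize_tiered(s, "view_balance"))
    print("tiered, transfer 8%:       ", authorize_tiered(s, "transfer", 400.0))
    print("tiered, transfer 20%:      ", authorize_tiered(s, "transfer", 1000.0))
    step_up(s, AuthLevel.STRONG)
    print("tiered after token, 20%:   ", authorize_tiered(s, "transfer", 1000.0))
```

Returning the needed level rather than a bare refusal is what lets the front end prompt for the next factor mid-session, which is the user experience the article anticipates.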

There’s a delicate balance at work here. If financial institutions make security so robust that users have trouble accessing their accounts, they undermine the convenience that makes online banking and trading so attractive in the first place.

Gartner’s De Lotto believes that while there’s a lot of talk about biometrics and tokens, those solutions will be confined to high-value and corporate accounts. Most consumers, on the other hand, will see something much less high-tech.

“The average consumer will probably encounter something like knowledge-based authentication, which still represents an acceptable level of convenience,” De Lotto said.

As consumers move through their online sessions, they will be asked for more personalized information as they initiate new activities. Using shared information is a solution that’s easy to administer, yet hard for criminals to beat.

However, this poses its own problem: Now, it’s not a security vs. convenience issue, but a security vs. privacy one.

“Privacy is certainly a concern,” De Lotto said, “but the information you’ll be asked won’t threaten your privacy. You’ll be asked what color your car is, or what your high school mascot was.”

While this is personal, it’s not considered information the average consumer would be reluctant to reveal.
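Knowledge-based answers such as a car colour or a school mascot are low-entropy shared secrets, so how they are stored and checked matters as much as what is asked. The following is an added example, not code from any bank or from the people quoted in the article; the questions and answers are constructed sample data. It assumes answers are normalised before hashing (so "Blue", " blue " and "BLUE" all match), hashed with PBKDF2 and a per-answer salt so the plaintext is never stored, compared in constant time, and locked after a small number of misses.

```python
"""Knowledge-based authentication (KBA) challenge storage and verification.

Added illustration for the article; not code from any bank or from the people
quoted. Questions, answers and the lockout threshold are constructed.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000   # assumed work factor; tune per deployment
MAX_ATTEMPTS = 3          # assumed lockout threshold for one challenge


def normalize(answer: str) -> str:
    """Canonicalise an answer: Unicode NFKC, case-folded, whitespace collapsed,
    so trivial typing differences do not lock legitimate users out."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


@dataclass
class StoredAnswer:
    question: str
    salt: bytes
    digest: bytes
    failures: int = 0


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def enroll(question: str, answer: str) -> StoredAnswer:
    """Keep only a salted hash of the normalised answer, never the answer."""
    salt = os.urandom(16)
    return StoredAnswer(question, salt, _digest(answer, salt))


def verify(stored: StoredAnswer, answer: str) -> bool:
    """Check a supplied answer in constant time, counting misses.

    Once MAX_ATTEMPTS misses have accumulated the challenge is locked and even
    the right answer is refused, so the small answer space cannot be walked.
    """
    if stored.failures >= MAX_ATTEMPTS:
        return False
    if hmac.compare_digest(_digest(answer, stored.salt), stored.digest):
        stored.failures = 0
        return True
    stored.failures += 1
    return False


if __name__ == "__main__":
    # Constructed sample enrolment, mirroring the article's example questions.
    car = enroll("What color is your car?", "Blue")
    mascot = enroll("What was your high school mascot?", "Tigers")
    print(verify(car, " blue "), verify(mascot, "TIGERS"), verify(car, "red"))
```

Storing a salted hash rather than the answer means a breach of the KBA table does not hand the attacker the very facts the article warns phishing sites will probe for; the lockout caps guessing against answer spaces as small as "colour of a car".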

Unfortunately, while this may make online fraud less likely, it won’t eliminate it. Phishing attacks, for instance, will now probe deeper into your personal information.

“The weakness of user names and passwords is certainly a problem,” said GeoTrust’s Creighton. “But the deeper problem is that people regularly enter personal information onto the wrong sites.”

Research by Gartner found that phishing attacks targeted an estimated 73 million U.S. adults from June 2004 through May 2005, a 28% jump from the prior year. What’s more disturbing is how many people are duped by phishing—despite all the press the problem receives.

Gartner found that approximately 11 million people opened an email link contained in a phishing attack and that an additional 1.8 million went so far as to provide personal information on those fraudulent sites.

“While we certainly need stronger authentication methods, we also need better browsers that flag untrusted sites,” Creighton said.

GeoTrust offers a downloadable browser plug-in that shows information about the validity of websites, but Creighton believes this sort of functionality should be built right into the browser.

“The major browser providers are working on this, so we’re hopeful that browsing behavior will become part of the solution, rather than remaining part of the problem,” he said.

Even so, the pressure today is on authentication. Besides guidance from the FFIEC, regulations like the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) focus on protecting personal information. Translation: Authentication methods need to be strengthened, or you can’t reasonably argue that you’ve taken the necessary steps to protect personal information, and you’ll be out of compliance.

Even the USA PATRIOT Act focuses on authentication. Section 326 of the act requires financial institutions to verify a user’s identity during account origination.

“The government is worried that a normal bank account will be opened and handed off to a third party. That account could then be used for money laundering or to fund terrorist activities,” said De Lotto.

De Lotto argued that what’s happening today will be a general business practice in three to five years. The only difference is that the financial and health-care sectors must comply with regulations now.