B of A to Use 2-Part Verification

Bank of America Corp. is about to phase in a new verification system for its banking Web site.

PassMark Security Inc.'s image-based system will be rolled out under the name SiteKey, initially to B of A customers in Tennessee in June and nationwide by yearend.

Gayle Wellborn, B of A's online products and servicing executive, said the feature will be optional at first but eventually become mandatory for all of the Charlotte company's 13.2 million online banking customers.

"This is going to become a standard part of the log-in process," she said in an interview Thursday.

Customers will enroll by picking an image they will remember, writing a brief phrase, and selecting three challenge questions.

In subsequent visits to B of A's e-banking site, they will enter their user name and then be presented with the image and the message they had selected. This confirms that the Web site is legitimate and not a counterfeit site trying to get people to reveal details that could be used in identity theft. If they recognize the image and message, customers will then enter their password to gain access to the site.

The SiteKey system is also designed to recognize the computer from which the user is accessing the site. Once customers have authenticated themselves with their user name and password, the system will determine whether they are using a known machine. Someone borrowing a computer or logging in from work instead of from home would have to answer the challenge questions.

"This is so the customers know it's our Web site, and so we know it's them," Ms. Wellborn said.

Bill Harris, a co-founder of PassMark and its chairman, described SiteKey's image/message feature as "two-way authentication" - it proves that both the Web site and the user are legitimate.

Checking the users' computer systems is another form of two-factor authentication, Mr. Harris said. "The first factor of authentication is something I know, like a password. The second factor is something I have" that can be used to verify identity.

The two-factor approach is not new. Some banks offer customers tokens that constantly generate random passwords; it is impossible to log in to a site without the token.

Critics including Mr. Harris say such tokens are effective but inconvenient.

PassMark's only other announced banking customer is Stanford Federal Credit Union of Palo Alto, Calif., but Mr. Harris said several other major banks are evaluating his technology.

Avivah Litan, a vice president and research director at Gartner Inc. in Stamford, Conn., said she has been recommending the PassMark concept to banks since last year.

"This is a very practical method for implementing mutual, two-way, two-factor authentication," she said.
