Analyst Sees CUs Getting More Serious About Two-Factor Authentication

Call it two-factor validation for two-factor authentication.

The combination of federal financial regulators issuing guidance about the need for two-factor authentication and Bank of America's decision to move forward with mandatory two-factor authentication for all of its customers is something of a one-two punch, driving home the idea that credit unions must get serious about exploring their two-factor authentication options, according to Steve Klebe of Passmark.

"What it comes down to is that password and user name are not enough," Klebe suggested. "It never was adequate, but it's what we had, so that's what we used. And that was fine when our Internet banking options were more limited, more controlled. Now you can pay anyone, move money from one institution to another, not just from one account to another account at the same institution. The more complex our capabilities, the more protection we need."

And the protection, he said, is well worth the investment. "This is the cheapest delivery channel a financial institution's got, and the primary barrier to entry is security," Klebe suggested. "ROI is usually absent from security, but if you move from paper to e-statements, for example, the heightened security pays for itself."

Two Objections To Two Factor

So, what keeps credit unions from going into two-factor authentication? Part of it is cost. The other part is the perceived "nuisance."

"There's a fear that you're going to lose some of your customers because you're asking them to jump through another hoop," he offered. "But the technology is such that we can keep the user experience extremely palatable. I liken this to when they banned smoking on airplanes. When an individual airline tried to do it, it didn't work, because all its competitors were still allowing smoking. But once the government required the smoking ban, everyone did it, and there wasn't a massive drop-off in passengers. Today, we think nothing of it, we just expect it. That's where two-factor authentication is heading now."

One concern some credit unions have expressed is that some members may be lulled into a false sense of security, believing they are totally covered if the CU offers two-factor authentication, when, of course, the reality is that hackers will continue to figure out new ways to scam consumers.

"Of course, there are no absolutes," Klebe conceded. "But does this raise the bar? You bet it does. This makes it a whole lot more difficult to commit evil."

What The Bad Guys Will Do

Moving forward, the use of two-factor authentication probably will force "bad guys" to revert to more onerous attacks.

Klebe noted that Passmark's security offering actually goes beyond two-factor authentication because it also incorporates a real-time, rules-based decision engine, and the company's solution allows for two-way, two-factor authentication without requiring the consumer to have a token or carry anything extra around.

One of the potential unintended consequences of the recent guidance issued by federal financial regulators on this security issue could be that some small financial institutions that do not feel they have the resources to invest in two-factor authentication will instead seek to limit their vulnerabilities by limiting the capabilities of their home banking offerings.

"The regulators were very clear on this, that the idea isn't to limit the channel but to help grow the channel, but it cannot grow without the proper security," Klebe said. "The answer is not to pull back. This is no different from the physical world. People have to be on their guard. Their financial institutions must have the proper tools in place to protect them."
