Debate Over Future Of Hand-Held Security Tokens

Members want more account security, but they don't want to carry around more key-fobs to get it.

That sentiment is shared by a number of credit unions questioning the feverish interest in handheld security tokens that users plug into their computers to enable super-secure access to online accounts.

"I'm not sure how practical the tokens are," said Chad Beert, senior network engineer for $4.5-billion Alliant CU.

Yet online trading and investing giant E-Trade is giving its most profitable customers the RSA Security SecurID authentication key-fob to verify identity. And many Bank of America corporate customers will be using VeriSign tokens for two-factor authenticated log-in.

Two-factor authentication often requires something the user has (a token or a smart card) with something the user knows (a personal PIN). The user logs on using a combination of the PIN (the first factor) and a one-time password (the second factor), which is randomly generated by the token.

As online fraud grows, authenticator devices are making headlines as an alternative to weaker, one-factor authentication measures, such as static passwords.

"The tokens might be the only secure way to log in, but are members going to carry around 20 of these, one for each bank account they have?" Beert asked.

"I don't think that's the direction consumers want to go," agreed Kevin Doyle, Information Security Officer at Pennsylvania State Employees CU in Harrisburg.

"I can just see how much technical support our members would need," Beert added.

Indeed, IT managers would be responsible for issuing and replacing lost fobs, revocation and training.

"And how will the tokens get priced out?" Beert continued. "The price is still pretty hefty - will that cost get passed back to the member?"

Although token-based authentication raises a lot of questions for member verification, Beert said the hardware is the best way to verify Alliant CU's remote employees.

For the past year, 100 remote employees have been accessing Alliant's Virtual Private Network using RSA's SecurID token.

RSA Security of Bedford, Mass. provides solutions for identity protection and information access.

"SecurID is a 100% secure model for employee access," he said. Beert can track user log-in to the network in real time, allow the user to work only within the Citrix Access Platform and prevent printing.

"Because the token generates its own random passwords, we have eliminated all of our needs for security password policies, and we don't have to worry about password expirations," Beert explained.

The $675-million University FCU of Austin, Texas also uses SecurID to authenticate its VPN users.

SecurID is an "easy-sell" to auditors, who are looking to make sure that off-site data transfer is encrypted, said Beert.

Alliant is considering extending a Microsoft Windows-based version of the SecurID solution to the CU's desktops and laptops, he said.

SecurID is integrated with Alliant's installation of WholeSecurity's Confidence Online, which scans for crimeware each time a user launches an application and before the user logs in remotely, Beert said.

WholeSecurity of Austin, Texas provides security solutions that protect end-user PCs.

CUJ Resources

For more info on this story:

* Alliant CU at www.alliantcu.org

* RSA Security at www.rsasecurity.com
