The wait-and-see attitude that many institutions had taken toward two-factor authentication for online banking, primarily out of concerns about expense and customer convenience, got a dose of reality last month when the Federal Financial Institutions Examination Council (FFIEC) issued guidance requiring multi-factor authentication for online banking customers by the end of 2006.
And though the list of FFIEC-approved solutions is wide-ranging (biometrics, smart cards, software, scratch-off cards, cookies and challenge questions), institutions must now map their strategies and make purchasing decisions on a hurry-up timetable. Early industry chatter seems to give behavior- and IP-based solutions an initial mass-market edge, thanks to their relative transparency to the customer.
"Banks are smart. They don't want to bother the customer unless they have to," says Gartner analyst Avivah Litan. "Like the credit card industry, they do everything in the background. That's where I think banks are going to evolve to."
Some of the players in the "invisible" two-factor space include Business Signatures, Corillian, Digital Resolve, Cyota and The 41st Parameter. Many of these products use real-time analysis of consumers' Web-browsing behavior, or authentication of the user's unique online signature, a profile that combines IP address, system configuration, geolocation and other factors. These products are fairly cheap (Cyota says less than $1 per customer per year, while The 41st Parameter says the annual cost equals $1 times the average number of daily log-ons) and don't involve the distribution and support issues that physical tokens and cards do.
But some of these invisible two-factor products have already been cracked, and it's unlikely that the criminal enterprises that make a living from online fraud will give up and go home when new software is installed.
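To make concrete what an "invisible" second factor of the kind described above actually checks, and where it breaks down, here is a constructed risk-scoring example. It is added for illustration and is not code from any of the vendors named; the attributes, weights, threshold and the geolocation lookup (assumed to be supplied by some external service) are all assumptions. It scores a login against the device signatures and networks previously seen for the account, and then shows that an attacker who runs the session from the victim's own compromised browser presents the same attributes and scores as a trusted login, which is the weakness the paragraph above alludes to.

```python
"""Toy "invisible" second factor: score a login against the device
signatures previously seen for an account.  Constructed example for
illustration, not any vendor's product."""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    ip: str
    user_agent: str
    timezone: str      # browser-reported, e.g. "America/Chicago"
    screen: str        # browser-reported, e.g. "1024x768"
    geo_country: str   # assumed to come from an IP geolocation lookup


@dataclass
class Profile:
    known_signatures: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_nets: set = field(default_factory=set)


def device_signature(a: LoginAttempt) -> str:
    """Hash the system-configuration attributes the client reports."""
    raw = "|".join([a.user_agent, a.timezone, a.screen])
    return hashlib.sha256(raw.encode()).hexdigest()


def network_of(ip: str) -> str:
    """Treat the /24 as the 'usual network' rather than the exact address."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def enroll(p: Profile, a: LoginAttempt) -> None:
    """Record a login the bank has decided to trust."""
    p.known_signatures.add(device_signature(a))
    p.known_countries.add(a.geo_country)
    p.known_nets.add(network_of(a.ip))


def risk_score(p: Profile, a: LoginAttempt) -> int:
    """Additive score; weights are assumptions, not a vendor's values."""
    score = 0
    if device_signature(a) not in p.known_signatures:
        score += 40   # unfamiliar browser/system configuration
    if a.geo_country not in p.known_countries:
        score += 40   # unfamiliar country
    if network_of(a.ip) not in p.known_nets:
        score += 20   # unfamiliar network
    return score


def decide(p: Profile, a: LoginAttempt, threshold: int = 50) -> str:
    """'allow' silently, or 'step-up' to a visible challenge."""
    return "step-up" if risk_score(p, a) >= threshold else "allow"


def demo() -> dict:
    """Constructed scenarios; returns the decision for each."""
    home = LoginAttempt("198.51.100.23", "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5",
                        "America/Chicago", "1024x768", "US")
    p = Profile()
    enroll(p, home)

    # Same machine, different ISP address in the same country.
    new_net = LoginAttempt("198.51.101.5", home.user_agent, home.timezone,
                           home.screen, "US")
    # Fraudster's own machine abroad.
    abroad = LoginAttempt("203.0.113.9", "Mozilla/5.0 (X11; Linux i686) Firefox/1.5",
                          "Europe/Bucharest", "1280x1024", "RO")
    # Fraudster abroad who learned and spoofs the browser attributes.
    spoofed = LoginAttempt("203.0.113.9", home.user_agent, home.timezone,
                           home.screen, "RO")
    # Fraudster driving the victim's own compromised browser: every
    # attribute, including the IP, is the victim's.  Indistinguishable here.
    proxied = LoginAttempt(home.ip, home.user_agent, home.timezone,
                           home.screen, "US")

    return {name: decide(p, a) for name, a in
            [("home", home), ("new_net", new_net), ("abroad", abroad),
             ("spoofed", spoofed), ("proxied", proxied)]}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s} -> {outcome}")
```

The last scenario is the important one for a practitioner: because every signal here is reported by, or observed from, the customer's endpoint, fraud tooling that operates from that endpoint inherits all of them. Such scoring raises the cost of remote credential abuse; it does not on its own authenticate the person.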
Banks' decisions will also be based on customer value and transaction risk. "The guy with a $1 million bank account should have a hardware token because it really is the best security available today," says Kerry Loftus, director of VeriSign Unified Authentication. Litan predicts this segment, with estimated costs between $10 and $25 per customer, will capture about 10 percent of the market.
Another approach with significant buzz is the phone, either placing an automated call as part of a challenge to suspicious behavior, or embedding one-time passwords in cell phones, an approach VeriSign is pursuing. After all, how many people over the age of 12 don't carry a cellphone?
The Independent Community Bankers of America criticized the FFIEC requirement as overly onerous, but industry watchers say there may be more regulation to come.
"The larger losses tend to be due to people taking out new credit. Authentication doesn't really address that," says Ted Crooks, VP of global fraud solutions at Fair Isaac. "I have a suspicion that both bank regulators and Congress are going to have something to say about the initial verification of identity."