Call it Authentication 2.0. It's been more than a year since Bank of America introduced SafePass, the out-of-band authentication process that sends a one-time password via SMS to online banking customers to secure high-risk transactions.
PayPal recently followed suit, announcing its use of VeriSign's SMS feature late last year.
But analysts, vendors, and CIOs alike say that many U.S. banks are now taking another look at their online authentication technology, and increasingly adding layers that involve out-of-band techniques and stronger fraud-detection engines. "There's definitely a feeling that more is needed," says Roger Quinton, an Internet security specialist at BearingPoint on assignment at Lloyds TSB in the UK. "It's no good just having user ID, password and device ID, you have to have a whole slew of things."
VeriSign, Entrust and Vasco report a marked increase in banks looking at adding new layers to their authentication front door. Vasco, which is adding its OTP solution to mobile and other devices, says its customers are looking to move away from second-factor authentication that relies on static information "because they're still experiencing fraud," says Adam Dolby, business development manager at Vasco.
Given that online fraud is occurring, there is clearly a practical need to install robust security measures, but there is also a psychological need. Consumers continue to cite security as the main reason they don't bank online, and consumer adoption is holding steady at about 35 percent, according to Javelin Strategy & Research.
"I think [OTP via SMS] answers a very specific fraud problem - account takeover - but it also serves a psychological purpose for some customers," says Michael Oldenberg, spokesman for PayPal.
Strong authentication is also gaining attention on the national agenda. A recent report by the Commission on Cybersecurity for the 44th Presidency recommended to the Obama administration that the government issue digital identities backed by in-person proofing, and that consumer companies be encouraged to embrace this secure identity as a federated ID standard.
Other institutions are backing up their authentication methods with real-time fraud detection, like that provided by Entrust, RSA, Actimize and others. "We see institutions prioritizing fraud detection over new authentication," says Steve Neville of Entrust. "They have to deploy new authentication (as well) but they have to do it in steps."
Entrust customer U.S. Bank is a good example of this, Neville says; the institution initially deployed the company's fraud detection product and is now looking to add out-of-band authentication via SMS to its mix.
Quinton says the trend is the same in the UK. "They put an awful lot of energy into locking the front door, and that's been the strategy for the past two to three years ... they're starting to realize the front door is one thing, but you really have to have cameras in the apartment so you can see what's happening."