Cell Phones: A Cheaper Path To Authentication

The recent cell-phone bandit notwithstanding, there may soon be one more reason customers won't leave home without 'em: strong out-of-band authentication for Web banking.

As banks scramble to set a timetable for risk assessment and two-factor authentication for online banking, there is no shortage of solutions on the market. But most institutions worry that securing the riskiest online transactions will mean paying the anticipated $40, $50 or more per user for one-time password (OTP) tokens. No one is saying that meeting the standards under the guidance will be cheap, but competition and technology have advanced enough that it won't mean handing a $50 token to every customer.

Analysts say cell phones may offer one of the least-expensive ways to offer strong authentication. "The cell phone seems to be one of the more fruitful areas to pursue when it comes to out-of-band authentication," says Jonathan Penn, an analyst at Forrester Research.

At least four companies offer cell-phone authentication for online banking in the U.S. market.

It's not surprising that RSA Security, the company that has put 20 million OTP tokens in the hands of corporate users, wants in on the market for further securing online banking. RSA Security tested the financial services waters when it partnered to give tokens to power E*Trade users, but its new market strategy includes a cheaper way to offer OTPs to banks that need to secure their entire customer base.

RSA has created an OTP application that can reside on about 70 percent of the cell phones in use in the U.S. today, and on most PDAs. When launched, the application produces an OTP that the customer then types into the online banking application as a second factor; no phone call is involved. Because the code is generated on the handset rather than delivered over the cellular network, it works without coverage at authentication time; the trade-off is that a code produced with no transaction as input is not tied to any particular transaction, so it adds a second factor at login but does not by itself confirm what the customer is approving. RSA is testing the service, part of a larger consumer-oriented platform launched this fall, with a handful of FIs. And what about the price? Chris Young, vp of consumer authentication at RSA, says the new delivery form will allow the company to be "very aggressive about how we price."

Helsinki-based Meridea, partially owned by Nokia and Accenture, recently added two-factor authentication to the mobile self-service products it offers financial institutions. Meridea's approach is similar to RSA's in that an application is sent over the air and then resides on the customer's mobile phone. Meridea's scheme also authenticates the bank Web site to the user, and because the response code is computed over the transaction details the customer confirms on the handset, an attacker who alters the transaction inside the browser session cannot reuse the code; that is the mechanism intended to stop man-in-the-middle attacks.

Here's how it works: If a customer is attempting to complete a high-risk transaction online, the banking application may present a request for further authentication, along with a code. The user enters this code into the application on the cell phone and is shown the details of the transaction underway, for example, "Do you want to transfer $5,000 to an account ending in 123?" Next, the customer enters a PIN into the phone and is given a response code. The response code is entered back into the online banking Web site to authorize the transaction.
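The flow above is a transaction-bound challenge/response, and the reason it resists a man in the middle is easiest to see next to the plain OTP of the preceding RSA paragraph, which has no transaction input at all. The following is an added example written for this page, not Meridea's or RSA's code: the device key, the 8-digit code format, the PIN handling, and the `BankServer`/`PhoneApp` interfaces are all assumptions, and it assumes the phone app is shown the bank's copy of the transaction for a given challenge code (fetched out of band, not through the browser).

```python
"""Transaction-bound challenge/response (added example) versus a plain, unbound OTP."""
import hashlib
import hmac
import secrets
import struct
from typing import Callable, Dict, Optional

# Per-device secret shared by the phone app and the bank at enrollment.
# Constructed value for this example; a real deployment provisions it over the air.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

Txn = Dict[str, object]


def canonical(txn: Txn) -> bytes:
    """Deterministic encoding of exactly the details the phone shows the user."""
    return f"{txn['amount_cents']}|{txn['dest_account']}".encode()


def truncate(mac: bytes, digits: int) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) to a zero-padded decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def plain_otp(key: bytes, counter: int) -> str:
    """Event-based OTP as a software token produces it: a function of key and counter only."""
    return truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest(), 6)


def bound_response(key: bytes, challenge: bytes, txn: Txn) -> str:
    """Response code covering the bank's challenge AND the transaction the user confirmed."""
    mac = hmac.new(key, challenge + b"|" + canonical(txn), hashlib.sha256).digest()
    return truncate(mac, 8)


class PhoneApp:
    """Out-of-band device: shows the transaction, checks the PIN, returns a response code."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key, self._pin = key, pin

    def confirm(self, challenge: bytes, txn: Txn, pin: str,
                user_accepts: Callable[[Txn], bool]) -> Optional[str]:
        # The user reads the details on the handset and may decline: no PIN, no code.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()) or not user_accepts(txn):
            return None
        return bound_response(self._key, challenge, txn)


class BankServer:
    """Web-banking side: one fresh challenge per risky transaction, verified once."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Dict[bytes, Txn] = {}

    def issue_challenge(self, txn: Txn) -> bytes:
        challenge = secrets.token_bytes(8)       # random and single-use, so codes cannot be replayed
        self._pending[challenge] = dict(txn)     # the transaction the bank will actually execute
        return challenge

    def authorize(self, challenge: bytes, response: Optional[str]) -> bool:
        txn = self._pending.pop(challenge, None)
        if txn is None or response is None:
            return False
        return hmac.compare_digest(bound_response(self._key, challenge, txn), response)


def demo() -> Dict[str, bool]:
    """Honest transfer, a man-in-the-middle rewrite, and the unbound plain-OTP case."""
    bank, phone = BankServer(DEVICE_KEY), PhoneApp(DEVICE_KEY, pin="4821")
    intended: Txn = {"amount_cents": 500_000, "dest_account": "123"}   # "$5,000 to ...123"
    user_accepts = lambda shown: shown == intended                     # the user checks the details

    # 1. Honest flow: challenge -> phone -> response -> authorized.
    c1 = bank.issue_challenge(intended)
    honest = bank.authorize(c1, phone.confirm(c1, intended, "4821", user_accepts))

    # 2. A man in the middle rewrites the payee before the request reaches the bank.
    tampered: Txn = {"amount_cents": 500_000, "dest_account": "666"}   # constructed attacker value
    c2 = bank.issue_challenge(tampered)
    # The phone shows the bank's version of the transaction, so the user declines ...
    user_declined = phone.confirm(c2, tampered, "4821", user_accepts) is None
    # ... and a code produced for the intended details does not verify for the tampered ones.
    replay_rejected = not bank.authorize(c2, bound_response(DEVICE_KEY, c2, intended))

    # 3. A plain OTP is bound to nothing: a phished code is valid for whatever the attacker submits.
    phished = plain_otp(DEVICE_KEY, counter=7)
    otp_accepted = hmac.compare_digest(phished, plain_otp(DEVICE_KEY, 7))

    return {"honest": honest, "user_declined": user_declined,
            "replay_rejected": replay_rejected, "plain_otp_accepted": otp_accepted}


if __name__ == "__main__":
    print(demo())
```

The binding lives in `canonical()`: whatever the phone displays is exactly what goes under the MAC, so the server's check fails unless it is about to execute the same transaction the user read and approved. In production the PIN would unlock an encrypted seed rather than be compared as a string, and the challenge would carry a counter or expiry so a stale pending entry cannot linger.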

"This is designed so it's very flexible; banks can use it just for risky transactions or certain people," says Shane McDermott, vp of marketing for Meridea. "It's more of a surgical approach as opposed to sledgehammer approach."

StrikeForce Technologies offers an identity-management platform that includes 10 different out-of-band authentication products. StrikeForce's cell-phone application splits the user name and the password across different channels. Say a user wants to log in to a Web banking site: she enters her user name on the site, and two or three seconds later her cell phone rings, asking her to authenticate the login or a specific transaction. She enters her PIN into the phone and, if all goes well, the online transaction is approved. The same call lets users decline transactions. StrikeForce also sells voice biometric authentication, says evp George Waller.

Dallas-based Entrust offers, among its products, a cell-phone-based authentication service that delivers a one-time password by phone call to online banking customers who initiate transactions on the Web. Entrust has partnered with Authentify, which places the calls.

One drawback of the cell-phone products that place a call or deliver data over the air is that the customer must be somewhere with cell phone service, which is still spotty with some U.S. carriers; the code-generating applications described above, which make no call, are less exposed to this. The pricing, however, is considerably lower than that of hardware tokens: Entrust puts pricing for its ProtectID platform at $3 per user per year, based on a minimum of 100,000 consumer users.

(c) 2005 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
