Execs Say Password Tokens Are Not E-Security Cure-All

Password-generating tokens, which many financial services companies are considering, may not be the best way to enhance online customer authentication, some industry executives say.

Jonathan Penn, a principal analyst with Forrester Research Inc. of Cambridge, Mass., said last week at a New York conference hosted by the trade magazine publisher Digital ID World LLC that though tokens do add an effective step to a bank’s log-in procedure, they are not going to solve every problem.

Tokens have received widespread attention since the Federal Financial Institutions Examination Council issued guidelines last month urging banks to improve their online security measures, especially for high-risk transactions, by the end of next year.

Mr. Penn said that in practice, many people have interpreted the guidelines as saying that “banks have to basically run to the token store.”

However, online security is “not just about authentication,” he said. “It’s about not relying solely on the password.”

The tokens are small enough to fit on a keychain and display a random string of numbers that changes every minute or so; customers must enter it in addition to a password. Because the code changes so often, a criminal who eavesdrops on a customer’s session cannot later use it to access the account.
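As an added example (not from the article, which names no algorithm, and not RSA’s proprietary scheme), here is a time-based one-time code in the style of RFC 6238 together with the server-side check a bank would need: the secret is constructed for the demo, and the verifier refuses a code once it has been accepted, which covers the case the eavesdropping point above leaves open, namely a code replayed within the same minute.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# The article describes codes that change "every minute or so".
STEP_SECONDS = 60

# Constructed demo secret; a real deployment provisions one per token.
DEMO_SECRET = b"constructed-demo-secret-not-real"


def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over a time-step counter, i.e. TOTP (RFC 6238, SHA-1)."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side of the check.

    Accepts a code for the current step (plus `drift_steps` either way for
    clock drift) and remembers the last step it consumed, so a code captured
    during one log-in cannot be replayed, even inside the same minute.
    """

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift = drift_steps
        self.last_accepted_counter = -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        ts = time.time() if now is None else now
        counter = int(ts // STEP_SECONDS)
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self.last_accepted_counter:
                continue                             # step already used: replay
            if hmac.compare_digest(totp_code(self.secret, c), code):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    v = TokenVerifier(DEMO_SECRET)
    code = totp_code(DEMO_SECRET, int(time.time() // STEP_SECONDS))
    print("first use:", v.verify(code), "replay:", v.verify(code))
```

The `last_accepted_counter` state is per user and must live server-side; it is what turns "changes every minute" into "usable once".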

However, both banks and customers have expressed reluctance to pay for the gadgets and complain that it can be a hassle to carry them around.

Mr. Penn said there are other ways to strengthen online security. “Maybe some more aggressive [transaction] monitoring will be sufficient” to meet both the letter and the spirit of the guidelines.

He spoke during a panel discussion that also included Michael Barrett, American Express Co.’s vice president for Internet systems, and Steven Goldberg, PricewaterhouseCoopers’ director of information technology.

Mr. Barrett said that one common concern about tokens is that if many companies adopt different token systems, consumers could end up with a “necklace of tokens” to access accounts at various banking, brokerage, and corporate Web sites. If that happens, “there would be a large number of very irritated consumers.”

One way financial services companies could comply with the guidelines is not to display unnecessary details on their sites, such as account numbers and other personal information that could be useful to criminals but that consumers do not need to see during every step of an online session, he said.

Mr. Goldberg said that even if every bank required tokens, consumers probably would not become overburdened with them. Though there are millions of online banking users, most of them are likely “logging on to one bank, so I don’t know how big of a problem it is.”

Still, he said that tokens might be an imperfect way to combat fraud, because it is expensive to send hardware to millions of people. “A software-based solution” would be easier and less costly to distribute.

Some financial services companies are already offering tokens to their consumer customers. For example, E-Trade Financial Corp. of New York uses tokens from RSA Security Inc. of Bedford, Mass.

E-Trade’s chief information officer, Greg Framke, defended his company’s tokens in a phone interview Tuesday. (He did not attend the panel discussion.)

“It is virtually foolproof,” he said. “It is a padlock on your door that cannot be cut with bolt cutters.”

When E-Trade began looking for stronger authentication methods 18 months ago, tokens were the best option, Mr. Framke said. Today they still are, but that may not always be true, he said.

“I would fully expect not to have hardware tokens in a couple of years’ time,” he said. “There are certainly software ways of doing the same things. They’re not quite all there, but the companies are getting there.”

Some companies already offer software that examines and remembers the customer’s hardware, software, and Internet connection, Mr. Framke said. This can be used to identify the same customer later, but the application is not yet reliable enough, because it could mistakenly identify customers as criminals, he said.

For the moment, he said, he thinks tokens are the most accurate way to authenticate people, but if better software emerges, he would be willing to switch — or at least add it as an option.

“Whether it’s hardware or software, I’m always looking to do something that’s more rigorous and more robust,” he said.

