More Banks Are Now Asking for ID Proof in Mid-Session

At a growing number of banks, once is not enough for customers to prove who they are during an online banking session.

Demand is rising for software that makes them do so again for one reason or another, vendors of such software say.

Jon B. Fisher of Bharosa Inc. in Santa Clara, Calif., and Steve Klebe of PassMark Security Inc. in Redwood City, Calif., said recent Federal Financial Institutions Examination Council guidelines have spurred interest in their products. The guidelines, issued in October, advised banks to use stronger authentication for high-risk online transactions.

“Financial institutions … are looking to stop the bleeding,” Mr. Fisher said.

Much of Bharosa’s software can be used to reconfirm the customer’s identity after login. PassMark’s flagship product got a reconfirmation feature last year.

Mr. Fisher, Bharosa’s chief executive and a co-founder, said last week that 2.4 million people were using its software at midyear and about 10 million in mid-December, and that about 20 million will be doing so by April.

Mr. Klebe said PassMark has 12 million to 15 million users now and expects to have 20 million by the end of this quarter.

For Bharosa, the current growth spurt reflects an agreement with a top-10 U.S. bank. The Bharosa software it is using can do post-login reconfirmation, Mr. Fisher said, but he would not say how the bank will use it.

It is not using Bharosa’s newest products, QuizPad and CheckPad, he said. QuizPad asks challenge questions at various points, such as when the user wants to view an account statement. CheckPad asks for a PIN when the user wants to view an image of a canceled check. (Check images include information that is not normally available in an online banking session, and criminals have used it to forge checks.)

Some Bharosa software features an onscreen keypad so users can send a PIN or password by clicking on characters instead of typing them. The feature is meant to protect against keylogger viruses — programs that record everything a victim types and transmit it to a criminal.

PassMark’s flagship product puts a file on the end user’s computer and confirms the user’s identity by finding that file. It also displays a user-selected image to prove the bank site is not phony.

“A lot of people perceived us as ‘the picture people’ originally,” Mr. Klebe said. “We had to spend a lot of time educating people that this is like an iceberg, and all that [the image tool] is is the tippy-top of the iceberg, and there’s a whole bunch of stuff going on underneath.”

The upgrade goes beyond looking for the identifying file on the consumer’s machine at login, Mr. Klebe said. “We’ve added a full set of forensic-analysis machine-recognition” tools that look at hardware properties, Internet service provider, and Internet address.

The enhanced version can prompt banks to authenticate people when they change their addresses or passwords, for example, or when they try to transfer money from an account. The software can use challenge questions and can prompt the bank to notify the customer, by phone or e-mail, about a transaction.

Bank of America Corp. is rolling out PassMark software, including the upgrade, to all of its more than 13 million online banking customers. B of A, which calls the feature SiteKey, says it is now available throughout its market except two western states, Washington and Idaho. A spokeswoman for the Charlotte banking company would not say how it is using the multiple-authentication capabilities.

Cyota Inc. of New York also sells software designed for mid-session use. Its eSphinx software, a risk-based authentication system introduced last April, prompts banks to call the customer immediately if an unusual request is made during an online session. RSA Security Inc. bought Cyota last month.

Avivah Litan of the Gartner Inc. market research company said banks still focus on authentication at login but realize that in the future they will probably do so when additional risks arise during an online banking session.

“For example, viewing a check image with sensitive data on it is more sensitive than just logging in and looking at your balance,” said Ms. Litan, a vice president and research director at the Stamford, Conn., company.
