Despite the concerns some are raising about the security of online banking, banks and vendors are continuing to show interest in single sign-on technology, which is meant to make it easier for users to authenticate themselves to multiple Web sites.
Last week the Calabasas, Calif., online banking outsourcer Digital Insight Corp. said it had added a single sign-on feature to its business banking service for connecting banks' small-business customers to third parties.
Bryan Laws, Digital Insight's director of cash management, said the single sign-on system lets a small business log in to its bank's Web site and then access third-party applications without being asked for a second password.
Currently the single sign-on feature works only with a third party's online payroll service, but "you can see the potential of that expanding to a wide variety of applications," Mr. Laws said.
However, Avivah Litan, a vice president and research director at Gartner Inc. in Stamford, Conn., said using a single sign-on to bypass these authentication measures can reduce security. "It's usually convenience versus security, and you're putting convenience ahead of security with single sign-on."
The two goals of convenience and security seem to be diametrically opposed, and experts acknowledge that achieving both can be tricky, but both goals are worthy and can be made to coexist.
Last week the Electronic Authentication Partnership Inc., a consortium of companies and government agencies promoting single sign-on authentication, named Jane Hennessy, a senior vice president at Wells Fargo & Co., as its chairwoman.
"The EAP is entering a critical phase - moving from concept to reality," Ms. Hennessy said in a press release.
The group was organized a year ago to develop standards for single sign-on. Its backers include ABN Amro Services Co. Inc., the American Bankers Association, eBay Inc., National City Corp., Sallie Mae, University Bank of Ann Arbor, Mich., and Wachovia Corp.
Earlier efforts to develop a single sign-on system have languished. Microsoft Corp. pioneered a single sign-on strategy in its Passport software, which was conceived as a centralized password repository that could be used to access different companies' Web sites. However, at the moment the software is used mainly to access other Microsoft products and services.
Another single sign-on consortium, the Liberty Alliance, was formed in 2001, but only a handful of companies are using its authentication tools.
The Liberty Alliance is composed of more than 150 banking and technology companies, including Bank of America Corp., American Express Co., Citigroup Inc., MasterCard International, Visa U.S.A., and Sun Microsystems Inc.
Scott Mackelprang, the vice president of security and compliance at Digital Insight, said its single sign-on software has incorporated multifactor authentication procedures that require people either to use a single computer to log in to their bank's site or to carry a security token to do so.
Digital Insight is using technology from TriCipher Inc. of San Mateo, Calif., which inserts in the user's browser a file that is needed to access the bank's Web site. The file prevents an unauthorized person from logging in from another computer, even with a password, Digital Insight said.
The file can also be stored on a token that can be carried around to access the bank's site from multiple computers.
Mr. Mackelprang said Digital Insight's security system would be able to accommodate other technologies in the future, such as biometrics. "This is not finished by a long shot."
Ms. Litan said multifactor authentication addresses the concern that single sign-on could let a criminal gain access to multiple Web sites by obtaining a single site's password.
"If you are strongly authenticating, then you can afford to offer more convenience," she said.
The Federal Financial Institutions Examination Council issued guidance in October calling for multifactor authentication in online banking by the end of this year.
Michael Jackson, an associate director of the Federal Deposit Insurance Corp. and the chairman of the FFIEC's subcommittee on information technology, said that regulators are not concerned about the concept of a single sign-on, but that the real challenge is in developing the interoperable systems needed to make it practical.
"You're only as secure as the strength of your security software," he said.





