The Tech Scene: Two-Step Log-Ins Push Aggregators to Adjust


More banking companies are considering stronger security measures for authenticating online banking customers, but the features touted as improvements for individuals may also become a new hurdle for account aggregators.

At issue are the recent-vintage log-in systems that require users to provide an authentication factor in addition to user names and passwords. Adding such steps to log-in procedures has forced aggregators to rethink - and in the case of Yodlee Inc., revamp - their systems, which are designed to handle single-factor authentication.

Only a handful of banking companies have installed any type of stronger customer authentication software. Until it becomes more common, some observers say, aggregators could let people bypass the more stringent security of one bank's Web site by reaching it through another bank's site that still relies on the standard user name and password.

However, analysts and technology executives say that it is in the bankers' interest to allow this type of backdoor entry, because the customers most likely to use aggregation are among their most valuable.

"Account aggregation is still an emerging segment, but those customers who do aggregation are sort of the leading-edge customers and very important to the banks," said Steve Klebe, the vice president of sales and business development at the Redwood City, Calif., software vendor PassMark Security Inc. "The stronger authentication that we're offering to the banks needs to work together with this aggregation."

Until recently PassMark was a little-known company with one customer, Stanford Federal Credit Union. But last month Bank of America Corp. said it would implement PassMark's technology this month.

Though the technology, which B of A will offer its customers under the name SiteKey, will be optional at first, the Charlotte banking company eventually plans to make it a mandatory part of its log-in procedure for all of its 13.2 million online banking customers.

Under the PassMark system, entering a password is not enough; users must also log in from a specific computer that has been enrolled with the bank. If an aggregator's computers were not on the bank's list, the aggregator would not be able to log into the bank's site.

To get around this barrier, Yodlee Inc., a Redwood City, Calif., account aggregator that works with many large banking companies, is expected to announce today that it has struck a deal that would give its computers a way to bypass the PassMark system.

The agreement will let Yodlee's servers, which pull account information from various bank systems, be "pre-authorized to access information on all PassMark-enabled accounts," said Schwark Satyavolu, the aggregator's chief technology officer.

"What Yodlee and PassMark have built together is essentially a compatibility strategy," he said.

In effect, the agreement gives Yodlee a skeleton key: its servers are authorized to reach PassMark-protected accounts without passing the enrolled-computer check, though they would still need the customer's user name and password.

Customers who log into one bank's site using a standard username and password can view details about their accounts at a PassMark-enabled bank now without using the PassMark security features.

By yearend they will also be able to initiate transactions by clicking a link to a PassMark-protected site, but to do that they would have to be at a PassMark-registered computer, Mr. Satyavolu said.

This setup would seem to undercut some of the security features B of A is trying to install. "I have not spoken specifically to B of A about that issue," Mr. Klebe said.

Spokespeople for B of A, one of Yodlee's investors, would not discuss the agreement.

A few other banking companies have announced plans to increase their online security with tokens that generate a new passcode every 60 seconds, which must be entered along with the password to log into a Web site. Because the passcode changes, a criminal who obtains someone's user name and password would not be able to gain access to the account without the token itself.

E-Trade Financial Corp. of New York has said it is issuing tokens to its most valuable customers on request. Another Internet banking company, Stonebridge Financial Corp. of West Chester, Pa., has said it plans to eventually make the technology mandatory.

But an ever-changing passcode would probably be a problem for an aggregator's systems that store people's log-in details. Mr. Satyavolu said Yodlee is working on similar compatibility arrangements with other security vendors, including some passcode token vendors.

RSA Security Inc. of Bedford, Mass., provides passcode-generating tokens to E-Trade and other Internet banking companies. Burt Kaliski, the chief scientist of the RSA Laboratories division, said he was unaware of any talks between RSA and any aggregators to create a compatibility arrangement similar to the one between Yodlee and PassMark.

His company's system compares the number a token displays with the one computed by an authentication server at the bank. The token and the server share a secret seed and a synchronized clock, so both produce the same sequence of digits, and a code is only valid for the minute in which it was generated.
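The time-synchronized passcode scheme Mr. Kaliski describes, and the problem it poses for an aggregator that stores a customer's log-in details, can be illustrated with a short program. This is an added example, not code from RSA, Yodlee or any bank; RSA's SecurID algorithm is proprietary, so the example stands in the open TOTP standard (RFC 6238, built on RFC 4226 HOTP), keeps the article's 60-second cycle, and uses a constructed seed and timestamp.

```python
import hashlib
import hmac
import struct

# Constructed seed for the example. A real token's seed is provisioned by the
# vendor and lives only in the token and the bank's authentication server.
SHARED_SEED = b"constructed-example-seed-0123"
STEP_SECONDS = 60   # the 60-second cycle described in the article
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the token's display value, HOTP over the time step number."""
    return hotp(seed, now // step)


def verify(seed: bytes, submitted: str, now: int,
           step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Bank-side check. Accepts the code for the current step or one step either
    side (token clock drift) and compares in constant time."""
    counter = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + delta), submitted):
            return True
    return False


def aggregator_replay(seed: bytes, captured_at: int, replayed_at: int) -> bool:
    """Simulate an aggregator that stored the passcode shown at enrollment
    and resubmits it on a later crawl. Returns whether the bank accepts it."""
    stored = totp(seed, captured_at)
    return verify(seed, stored, replayed_at)


if __name__ == "__main__":
    t0 = 1_118_131_200  # constructed: 2005-06-07 08:00:00 UTC
    print("token shows  :", totp(SHARED_SEED, t0))
    print("same minute  :", aggregator_replay(SHARED_SEED, t0, t0 + 30))
    print("one day later:", aggregator_replay(SHARED_SEED, t0, t0 + 86_400))
```

The stored code works only while the bank's clock is within a step of the moment it was captured; a crawl an hour or a day later is refused, which is exactly why a static credential store cannot accommodate these tokens without some arrangement like the one Mr. Satyavolu describes.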

RSA is planning to introduce a service that would link the tokens to a server RSA hosts, rather than one a bank owns. This could let several banks synchronize their log-in systems to RSA's computers. It could also let a customer access one bank site using RSA's token system, and then use an aggregation service to access another RSA-secured site.

"That successful authentication produces an authentication assertion" that is passed along to the other bank, Mr. Kaliski said.

Dan Schatt, a senior analyst for the Boston market research firm Celent Communications LLC, said that stronger authentication measures such as PassMark's system or tokens are "a legitimate concern out there for anyone who's pulling data from Web sites."

However, banks are willing to facilitate such services, he said, because the customers who use aggregation are the most valuable customers, who have lots of money spread out among many banks.

As a result, aggregators will be able to reach some type of compatibility arrangement with banks and security vendors to protect their access to customer banking information, Mr. Schatt predicted. "Most financial institutions want to make it as easy as possible for their customers to view their data."
