Wachovia Corp. is evaluating several authentication technologies that would increase security when customers log in to its online banking Web site.
One is a token that creates a string of characters every minute that customers would need to enter when logging in. A handful of financial services companies use tokens, but Wachovia would be one of the first major banking companies to offer them to retail customers.
The Charlotte company said Thursday that it is also speaking to several vendors about other authentication technologies, including one similar to the application that Bank of America Corp. is rolling out in several markets.
In May, B of A said it was using software from PassMark Security Inc. in which customers choose an image and phrase to be displayed whenever they log in to verify that they are at an authentic bank site instead of an imposter site. The technology, which B of A is introducing under the name SiteKey, also keeps track of the computers that customers typically use to access the bank's Web site; if they try to log in from an unknown computer, the software will ask them questions to verify their identity.
Julie Huffman, Wachovia's director of implementations and transition management for e-commerce, would not say whether her company was working with PassMark or another vendor with a similar product. She did say that Wachovia plans to complete its evaluation of the SiteKey-like product this year, and to test tokens by the first quarter.
Ms. Huffman also said it might use several different security systems, though there are no definite plans in place and no schedule for a final decision. "I don't think we believe that there is necessarily just one solution that would work across all our customer segments."
Passcode-generating tokens have long been used in the corporate world; Wachovia already uses tokens for its corporate cash management customers. Critics have said the tokens are less useful in retail banking, because customers may be likely to lose them. However, the idea has gained some traction in recent months, as fears of online fraud have become more pressing.
E-Trade Financial Corp. of New York has issued passcode-generating tokens since March to its most valuable customers for free, and since June to its other customers for $25. Two Internet banking companies - Stonebridge Financial Corp. of West Chester, Pa., and American Bank Inc. of Allentown, Pa. - are also offering tokens.
Tokens are considered two-factor authentication, because they require the customer to have an object in their possession to log in.
PassMark's technology, which requires people to use a known computer (or answer questions) does the same thing. It is also considered a two-way authentication system, because it proves to the user that the bank site is legitimate.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said Wachovia might use both approaches. "I could conceivably see them doing what B of A is doing" by using something like SiteKey, "and then going a step beyond that and issuing tokens to their most valuable customers."
However, she also said that changing a bank's log in procedure is inconvenient for customers, and that Wachovia has already done so this year. In April it redesigned its Web site to eliminate one of the two log-in procedures that had been in place, a holdover from First Union Corp.'s purchase of the old Wachovia.
"If you keep changing the login procedure, you're really pushing it with consumers," she said.
