The Federal Financial Institutions Examination Council's (FFIEC) October guidance on authentication in electronic banking calls for banks, by the end of 2006, to strengthen their security measures for online transactions and access to sensitive information. But the guidance stops short of recommending any specific solution. Instead, it offers a range of possibilities as to potential security measures, leaving it to the banks to determine which to adopt.
The suggested techniques include shared secrets, USB tokens, smart cards, password-generating tokens, biometrics and out-of-band authentication (see chart, below). While implementations of virtually all of these technologies can be found somewhere in the world, U.S.-based financial institutions have been slow to adopt authentication technologies that require the user to carry a physical device. "Most [authentication solutions] were designed for corporate environments where you can force somebody to do whatever it is you want them to do," says Steve Klebe, vice president of sales and business development, PassMark Security (Menlo Park, Calif.).
Thus, U.S. banks have gravitated toward passive, server-side modes of defense. One approach uses Web development tricks to put a device ID on customers' PCs. With it, the computer itself, rather than a separate device such as a token or smart card, becomes the second factor for authentication. "We validate the presence of the device ID through forensic analysis on the machine and the network," explains Klebe.
Then, factoring in the behavior of the user, the PassMark system calculates a real-time risk score for each log-in that the bank can use to decide whether, for example, to initiate an outgoing phone call for verification.
Given their ubiquity, telephones also can be used for authentication on each and every log-in. Using Short Message Service (SMS) messaging, banks can generate and send one-time passwords valid only for a single banking session. Alternatively, smart cards, USB tokens or dedicated-use tokens also can act as the source for one-time passwords.
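The server-side approach described above, as an added example that is not PassMark's or any bank's code: a device ID minted by the bank and checked on the server acts as the second factor, behavioral signals adjust a per-login risk score, and the score decides whether to allow the session, initiate an out-of-band phone call, or deny. The signals, weights and thresholds are constructed assumptions, and the device check is an HMAC tag rather than the forensic analysis the article mentions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed server key; in production this would live in an HSM or KMS.
SERVER_KEY = secrets.token_bytes(32)


def issue_device_id(customer_id: str) -> str:
    """Mint a device ID bound to this customer; the bank stores it on the PC."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, f"{customer_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def device_id_valid(customer_id: str, device_id: Optional[str]) -> bool:
    """Server-side check that the presented ID was minted by us for this customer."""
    if not device_id or "." not in device_id:
        return False
    nonce, tag = device_id.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{customer_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


@dataclass
class LoginContext:
    customer_id: str
    device_id: Optional[str]          # value read back from the customer's PC, if any
    geo_matches_history: bool         # constructed behavioral signal
    hour_is_usual: bool               # constructed behavioral signal
    failed_attempts_last_hour: int    # constructed behavioral signal


def risk_score(ctx: LoginContext) -> int:
    """0 means no concern; higher is more suspicious. Weights are assumptions."""
    score = 0
    if not device_id_valid(ctx.customer_id, ctx.device_id):
        score += 50  # second factor absent or forged
    if not ctx.geo_matches_history:
        score += 25
    if not ctx.hour_is_usual:
        score += 10
    score += min(ctx.failed_attempts_last_hour, 5) * 5
    return score


def decide(ctx: LoginContext) -> str:
    """Map the score to an action; thresholds are assumptions."""
    s = risk_score(ctx)
    if s < 30:
        return "allow"
    if s < 80:
        return "out_of_band_call"  # step up: bank phones the customer to verify
    return "deny"
```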
From Flash to Chip
Indeed, in the foreseeable future, a password-generating application may reside on a flash-memory card that can be plugged into several interoperable devices, predicts Stu Vaeth, chief security officer, Diversinet (Toronto), a provider of mobile device security solutions. But flash memory, which essentially is just a storage medium containing an encrypted file, may well be superseded by integrated circuit-based smart cards incorporating not only encrypted storage, but also a miniature CPU that can provide stronger defense against hackers.
From a security standpoint, the smart card solution seems to be good enough for the government. Axalto (Austin, Texas) has been providing smart cards to the U.S. Department of Defense, as well as several blue-chip firms.
In Axalto's internal deployment, employees cannot access e-mail without a smart card. "Initially, the reaction is negative for the first few months," relates Francois Lasnier, VP of banking for Axalto. "After that, people go beyond accepting it and realize the security they derive out of it. It becomes a normal, natural process to use the technology."
The question remains, though: will U.S. consumers accept the trade-off? In Europe, at least, the customer reaction has been "very positive," notes Lasnier.