Bank Systems & Technology is part of the Informa Tech Division of Informa PLC


All Together Now

With the FFIEC's guidance stating that banks should implement two-factor authentication for Internet services that involve sensitive customer information or movement of funds, the status quo in information security in banking has been quickly overturned.

The FFIEC guidance raises the minimum standard by mandating two-factor authentication by the end of 2006. Now, a bank that may have held off on implementing a two-factor solution for fear of getting too far ahead of the mainstream market can move ahead without fear of losing customers to security laggards. There may still be laggards, but the differences won't be as stark as they were in the past.

The 2006 deadline means that banks have to figure out not only how to deploy two-factor authentication, but also which alliances and standards bodies they should join for deployment. In the absence of some level of industry consensus, customers will be asked to adopt a different authentication technique for each bank they do business with. One result could be "token necklace" syndrome, where someone has to carry around several different identification dongles. Or worse, a single customer may have to use a USB token for one bank, a smart card for another, and a one-time-password device for a third. Someone in either situation would be likely to get frustrated and end relationships with the financial institutions having the most troublesome authentication methods, which, counter to the intent of the FFIEC guidance, would reward the banks adopting the minimum standards.

An alternative is for the banks to decide upon a common, interoperable standard for authentication. Since the choices of method are numerous, with debatable merits and variable costs, I don't really expect this to happen.

But there's another option: Instead of each bank deciding which form of authentication it wants all of its customers to use, perhaps the choice should be that of the customer. Imagine if every single Internet banking customer received the same letter in the mail:

Dear Internet Banking Customer:

In order to protect your information and secure your funds, please select one of the following authentication methods as the one that you will use by the end of 2006:

  • USB token
  • Smart card
  • Password-generating token
  • Password-generating mobile phone
  • Biometric reader

You will be able to use this authentication method for all of your banking relationships.

Signed, The Banking Industry

How's that for putting the customer first?
