2011 FFIEC Online Banking Guidance prep part 3 – Authentication Techniques

by Kevin Bong
on Jun 06 in AssureIT 1 Comment

This blog posting will describe the evolution of authentication techniques commonly applied to online financial applications, including some of the benefits and drawbacks of the common methodologies.

User ID and Password

The most common authentication mechanism in use on the web today is a user ID and a password. This is considered “single-factor authentication” because there is only one element (the password) that an attacker needs to compromise to defeat the authentication system.

In 2005 the FFIEC came out with a very strong guidance statement that said “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.” This caused financial institutions and their service providers to quickly begin implementing stronger controls.

Stronger methods (but not strong methods)

Some of the controls commonly implemented at that time were challenge questions, authentication cookies, or email-based one time passwords.

Challenge questions augment passwords by adding a number of other items an attacker would need to know to successfully authenticate, and a user can be challenged with different questions at different logins. However, challenge question answers can be easily compromised: they can be stolen through phishing or other social engineering and, more commonly nowadays, by password-stealing Trojans.

Email-based one time passwords are passwords sent to the user at login; the user must log in to their email account and then use the password to complete their login. These are easily compromised by password-stealing Trojans as well, since the same Trojan that captures the banking password can capture the email password.

Authentication cookies are persistent files (meaning they don’t get deleted when you close your browser) stored by your browser on your computer after you’ve logged in. The theory is that your computer then acts as a second factor of authentication, but authentication cookies are easily “broken” because password-stealing Trojans also have the ability to copy cookie files off of compromised machines.

True strong authentication

Strong authentication is referred to as multifactor authentication because it relies on multiple methods, or factors, to verify that you are who you say you are. The most commonly used factors are grouped into something the user knows (such as a password or challenge question answer), something the user has (such as a token, ATM card or ID badge) or something the user is (biometric data such as fingerprints, voice, iris, etc.).

Here are some of the commonly used strong authentication technologies that are growing in popularity for protecting online financial services:

One Time Password Token

This is a device given to the user which provides a new single-use password each time they log in. Some One Time Password Tokens use a time-based algorithm, providing a new password each minute or so. Others use an event-based method, generating a new password each time the button on the token is pressed. One time password tokens are reliable and easy to use, and will work with pretty much any end user device. However, one time password tokens are expensive per user, can be inconvenient for users to carry with them, and add a burden on the financial institution for deploying and replacing tokens.

Smart Cards and Biometrics

Smart cards are credit-card sized devices or USB devices that have built-in circuitry and private keys to uniquely identify the user. Smart card adoption for online banking is slow, due primarily to the need for the user to have a computer compatible with the smart card reader and hardware, and the cost of providing cards and hardware to end users. Biometrics suffers the same challenges, since specialized hardware must be provided to users before they can authenticate.

Phone Factor

Phone factor is an authentication technology that is growing in popularity for online banking services. With phone factor authentication, after the user provides their username and password, the system sends them a one time password either by calling their phone or by sending an SMS text message. This method has the convenience and cost savings of not needing to provide additional equipment to the user. Key drawbacks for phone factor are the inconvenience to users of having their phone at hand and waiting for a password when they log in. There is also a burden on the financial institution to coordinate assignment of the phone number to the user. As mobile banking use grows and mobile phone malware increases, the strength of a cell phone as a secure second factor for authentication may be reduced.

It has been 10 years since the FFIEC first started pushing for stronger authentication for online banking. The reason we still struggle is that there really is no perfect solution. End users want simplicity, convenience and low cost, but strong authentication solutions are all complex, inconvenient, and costly to differing degrees.

The next blog entry in this series will cover Layered Security as it relates to online banking.


Comments

Dan Zurawski, Monday, 20 June 2011

"Phone Factor" is actually a company that provides "Out-Of-Band-Authentication" which would be the correct name for the actual method of authentication.
