Tech Talk


Multifactor Momentum

Authentication technologies to identify consumers online are becoming more accessible and acceptable

By Maria Korolov

Multifactor authentication, the process of using more than one method or system to confirm the identities of consumers online, has been around for years. But recent regulatory guidelines, increasing criminal activity, lower costs and growing consumer acceptance have combined to bring the technology into the process for community banks more than ever before.

“The fact of the matter is passwords are inherently weak,” says Adam Glick, information security officer at Century Bank in Medford, Mass. “We are trained to use complex passwords that are difficult for a human to remember but easy for a computer to crack.

“Out-of-band, two-factor authentication—or adaptive authentication that learns your general usage habits such as where you usually work from, what computer you use, what time you use it, etc.—can be seamlessly implemented and greatly increase your overall security posture.”

In the past, the focus of regulators was on the largest banks, but that has been shifting, says Shahryar Shaghaghi, former director of Citibank’s institutional client group who is now part of the IT division of the New York management consulting firm Kurt Salmon. “They’re now including smaller financial institutions.”

The Federal Financial Institutions Examination Council released guidance in 2011 extending multifactor authentication guidance to smaller banks. The next phase of regulatory activity is likely to be mobile banking, says Joram Borenstein, vice president at compliance provider NICE Actimize in New York.

“Mobile banking is in everyone’s sights,” he says. “It’s clear that banks are seeing more and more transactions coming through mobile banking. Two years ago, it might have been just checking balances. Now people are depositing checks, making payments, things of that sort. That will be the next focus of regulators, in the next 12 to 18 months.”

Multifactor authentication is usually defined as “something you have, something you are, and something you know.” Typical implementations include text messages with one-time passwords, digital certificates stored on devices, USB keyfobs and biometrics. Many community banks get their multifactor online security through their core technology providers. Others turn to specialized security providers, or build their own. There are even free, open-source tools that banks can set up and configure if they are inclined to build their own multifactor systems.

As the field of technology options matures, the offerings available through the core banking providers are becoming more sophisticated, less expensive, and easier to use and manage.

John Zurawski, vice president for Authentify Inc., an authentication service provider in Chicago, says community banks are continuing to expand the use of one-time passwords delivered to customers via text message. Other banks are using voice telephone calls synchronized with an online banking session, he says.

Some are using what he calls “post-login authentication” verification to prevent a hacker from intruding into an online banking session in progress, the so-called man-in-the-middle cyberattack. For example, if a hacker attempts to hijack an in-progress online banking session by adding extra, unauthorized transactions—such as adding a new payee in Mongolia and initiating a fund transfer to the intruder—the user might be contacted on a separate channel to confirm the details of that transaction.

On the users’ side, consumers are getting used to seeing two-factor authentication everywhere they go, Glick says. “Many companies such as Google, Dropbox, LinkedIn and Amazon are using a less traditional method of out-of-band two-factor authentication where you are sent a challenge code via text or phone call when logging into an ‘untrusted’ machine,” he says. “This is becoming increasingly popular and does not require a separate piece of technology such as a token.”

And even tokens are getting easier to use, Glick adds. “Physical tokens are being phased out with digital tokens, and certificate-based two-factor authentication is almost invisible,” he says. “Most users are entirely unaware if they are utilizing a custom certificate to authenticate to a website—until it expires.”

There is still work to be done, however, observes Adam Roth, a cybersecurity expert at the security consulting and technology firm Longbow LLC in Denver. Additional layers of security, physical or virtual, do add inconvenience for customers, he says. But in the near future greater technical standardization among authentication systems and platforms should make additional digital security layers easier to deploy and use, including those using biometrics.

“If we moved into a type of standardization, where I as a user would be able to use a secure identification token that I purchased one time—and could use on my banking website, my email website, my stock exchange website,” Roth says, “… I think it would make it much more user friendly as well as more cost-effective for everyone.”

Maria Korolov is a business and technology writer in Massachusetts.