If anyone should be ready for the new environment of compliance and increased security in which corporate America finds itself, it's the financial sector. It has been living with heavy regulation since Granddaddy did his first banking, and tight security can actually be a major selling point to its customers. The government has been proactive, to a degree, in this sector. Back in 2001, several interested regulatory bodies issued, and have since updated, guidelines for banks and similar institutions to authenticate customers securely in an Internet environment. They have recently supplemented the guidelines with a handy FAQ.
Numerous options
Some of the major options discussed in the guidelines are:
Shared Secrets – This is usually a password, but there are other forms. Challenge questions, such as asking for your mother's maiden name, are a shared secret (that specific example isn't a very good one, since the answer is often public record, but there are better ones). The Sitekey feature used by Bank of America is another interesting example. After you identify yourself with your account number, Sitekey shows you a picture and phrase that you previously selected, and only then asks for your password. The idea is to authenticate the site back to the user, because a phishing site would not know the Sitekey. But the scheme only works if the user notices its absence: if the user forgets that a Sitekey should be there, a fake Bank of America site that simply skips the step might not stand out, and a phishing site that proxies the real login page can fetch and display the genuine Sitekey.
Tokens – Three types of tokens are discussed: a USB key, which presumably would store a digital certificate and its private key; a Smart Card, which holds the same kind of credential but uses a different reader; and a password-generating token that combines a secret key stored in the token with a moving factor (the time of day, or a counter) to generate a one-time password for the user. These are strong reinforcements to passwords, and the one-time password is the stronger of the three because each code has a short lifespan and is accepted only once. But a token by itself proves only possession: if it is stolen, it can be used by anyone, which is why it should be paired with a PIN or password rather than replace one.
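The following is an added example, not code from the guidelines or from any token vendor, of how a time-based password-generating token and the bank's server agree on a code: both hold the same secret seed, the token displays HMAC-SHA1(seed, current 30-second step) truncated to six digits (RFC 4226 HOTP driven by a time counter, as in RFC 6238 TOTP), and the server recomputes it. The seed here is a constructed sample (the published RFC test-vector key), the PIN is made up, and the `TokenVerifier` class and its tolerance for one step of clock drift are assumptions for illustration.

```python
"""Time-based one-time password: RFC 4226 HOTP driven by RFC 6238 time steps.

Added example, not code from the guidance or any vendor.  The token and the
bank's server share SAMPLE_SEED; the token shows hotp(seed, now // 30) and the
server recomputes it.  The seed is a constructed sample (the RFC 6238
test-vector key), not a real credential.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30                        # how long one code stays valid on the token
SAMPLE_SEED = b"12345678901234567890"    # constructed: RFC 6238 test-vector key


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the moving factor is the number of `step`-second periods since the epoch."""
    return hotp(seed, int(at_time) // step, digits)


class TokenVerifier:
    """Server side (assumed design): recompute the code, tolerate a little clock
    drift, require the user's PIN as well, and never accept the same code twice."""

    def __init__(self, seed: bytes, pin: str, digits: int = 6, drift_steps: int = 1):
        self.seed = seed
        self.pin = pin                  # something the user knows, paired with the token
        self.digits = digits
        self.drift_steps = drift_steps  # how many 30-second steps of drift to tolerate
        self.last_counter = -1          # highest time step already consumed by a login

    def verify(self, pin: str, code: str, at_time: int) -> bool:
        if not hmac.compare_digest(pin, self.pin):
            return False                # a stolen token alone is useless without the PIN
        now = int(at_time) // STEP_SECONDS
        for candidate in range(now - self.drift_steps, now + self.drift_steps + 1):
            if candidate <= self.last_counter:
                continue                # replay of a code that has already been used
            if hmac.compare_digest(hotp(self.seed, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TokenVerifier(SAMPLE_SEED, pin="4321")   # constructed PIN
    now = 1234567890
    shown = totp(SAMPLE_SEED, now)
    print("token displays", shown)
    print("first use:", verifier.verify("4321", shown, now))   # True
    print("replayed:  ", verifier.verify("4321", shown, now))  # False
```

Two details carry the security argument in the text: the PIN check turns a stolen token into something the thief still cannot use, and `last_counter` makes each code a genuine one-time password even inside the drift window, which is the property that distinguishes it from a static password that was merely intercepted.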
Biometrics – The document lists and discusses the major forms of biometric authentication already deployed or in development:
- fingerprint recognition
- face recognition
- voice recognition
- keystroke recognition
- handwriting recognition
- finger and hand geometry
- retinal scan
- iris scan
Non-Hardware-Based One-Time-Password Scratch Card – This is a non-electronic one-time password system that looks like a Bingo card: a printed grid of codes, from which the bank asks for the entry at a given row and column, and each entry is accepted only once. It's cheap, low-tech, and requires little training, and the card is replaced when its codes are used up.
Out-of-Band Authentication – This is where the identity of the user is verified through a channel different from the one being used for the connection. If the user is logging on through the Internet, for example, the bank might call the cell phone number it has in the user's records and request that he enter a PIN (this combines a shared secret as well). The value comes from the number being the one already on file; a number the user can supply during the login itself adds nothing.
Internet Protocol Address (IPA) Location and Geo-Location – The idea in this scheme is to collect data on the computer and its Internet configuration in order to notice when that "user" connects from a different computer or location. The use of "Internet Protocol Address" in this term is somewhat anachronistic. IP addresses are no longer a reliable way to identify a connection, if they ever were. But there are many things a bank can collect to create a profile: the browser and operating system, the network the address belongs to and the country it resolves to, the hours at which the customer usually logs in. If they change, it wouldn't be appropriate to block the user, but it might be appropriate to challenge them with pre-arranged personal questions. This approach is also referred to as risk-based authentication.
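As an added example, not from the guidelines or from any bank, here is the shape of such a risk-based check: the attributes of a login attempt are compared with the profile built from the user's earlier sessions, each departure adds to a score, and the outcome is either to let the session through or to put the challenge questions to the user. The profile, the attempts, the weights and the threshold are all constructed for illustration; the IP addresses are from the documentation ranges.

```python
"""Risk-based ("IPA location / geo-location") login check.

Added example, not code from the guidance or any bank.  Compare a login
attempt with the profile the bank has built from the user's earlier sessions
and decide whether to allow it or to challenge the user with pre-arranged
questions.  All profile data, weights and thresholds are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CHALLENGE_THRESHOLD = 40      # constructed: at or above this score, ask the challenge questions

WEIGHTS = {                   # constructed: how much each departure from the profile counts
    "country": 50,            # a country never seen for this user
    "network": 20,            # outside every /24 the user has logged in from
    "browser": 15,
    "os": 15,
    "hour": 10,               # outside the user's usual login hours (UTC)
}


@dataclass
class Profile:
    countries: set
    networks: set             # ip_network objects seen on past logins
    browsers: set
    oses: set
    hours: set


@dataclass(frozen=True)
class Attempt:
    ip: str
    country: str
    browser: str
    os: str
    hour: int


def departures(profile: Profile, attempt: Attempt) -> list:
    """Which attributes of this attempt the bank has not seen from this user before."""
    found = []
    addr = ip_address(attempt.ip)
    if attempt.country not in profile.countries:
        found.append("country")
    if not any(addr in net for net in profile.networks):
        found.append("network")
    if attempt.browser not in profile.browsers:
        found.append("browser")
    if attempt.os not in profile.oses:
        found.append("os")
    if attempt.hour not in profile.hours:
        found.append("hour")
    return found


def decide(profile: Profile, attempt: Attempt):
    """Return ('allow' | 'challenge', score, reasons).  There is deliberately no
    'block': a changed profile is a reason to ask more, not to lock the customer out."""
    reasons = departures(profile, attempt)
    total = sum(WEIGHTS[r] for r in reasons)
    return ("challenge" if total >= CHALLENGE_THRESHOLD else "allow"), total, reasons


def learn(profile: Profile, attempt: Attempt) -> None:
    """Fold a session into the profile.  Call this only after the user has fully
    authenticated (including any challenge); otherwise an attacker who is being
    challenged would be teaching the profile about his own machine."""
    profile.countries.add(attempt.country)
    profile.networks.add(ip_network(f"{attempt.ip}/24", strict=False))
    profile.browsers.add(attempt.browser)
    profile.oses.add(attempt.os)
    profile.hours.add(attempt.hour)


# constructed sample profile: a customer who always logs in from one office network
SAMPLE_PROFILE = Profile(
    countries={"US"},
    networks={ip_network("203.0.113.0/24")},
    browsers={"Firefox"},
    oses={"Windows"},
    hours=set(range(8, 22)),
)

# constructed login attempts
USUAL = Attempt("203.0.113.42", "US", "Firefox", "Windows", 14)
NEW_BROWSER_LATE = Attempt("203.0.113.9", "US", "Chrome", "Windows", 23)
ABROAD = Attempt("198.51.100.7", "BR", "Firefox", "Windows", 14)

if __name__ == "__main__":
    for attempt in (USUAL, NEW_BROWSER_LATE, ABROAD):
        print(attempt.ip, decide(SAMPLE_PROFILE, attempt))
```

Of the three constructed attempts, the usual one scores 0, a new browser at an unusual hour scores 25 and is still allowed, and a login from another country and network scores 70 and is sent to the challenge questions. Note that `learn` is only called after the challenge is passed; updating the profile on every attempt would let an attacker walk his own device into the profile.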
Mutual Authentication – This is where the site and user authenticate each other, as with the Sitekey example above; a certificate-based login, in which the server presents its certificate and the user's token or smart card presents one in return, is the stronger form.
Customer Verification Techniques – This refers to investigative techniques used to determine that a new customer is providing accurate and reliable information, for instance confirming that the address provided exists in the Zip Code provided.
The federal agencies that issued these documents have the right idea: it's not always best to have the strongest authentication possible, but multiple layers of authentication are usually a good thing, and single-factor authentication alone is usually a disservice to the customer and, for higher-risk transactions, a failure to meet compliance obligations. Institutions need to assess the risks of their applications and design authentication appropriate to the task.
This is how Bank of America authenticates customers.