Multi-Factor Authentication Options

by admin

Dual authentication (multi-factor authentication) is an increased authentication measure required by the FFIEC: Internet banking users will have to log in with multiple factors instead of just a user ID and password. Dual authentication for online banking is required even though it isn’t 100% secure yet.

This new multi-factor login requirement for online banking can be met with any combination of what the user has (a card or a token), is (a thumbprint) or knows (a password). In most cases this will be a password (something you know) combined with one of the options listed below. The most secure logins will combine several of these, such as a thumbprint and a USB token.

Dual authentication can make users feel that the internet banking site they are using is more secure; other customers view it as a complete hassle. The fact is that dual authentication for internet banking is required by the FFIEC, and a secure dual authentication internet banking solution is possible. Remember, secure authentication should combine at least two of something you have, something you are and something you know. Here are some possible options:

Scratch Card
Each time you log in, the system tells you which space on your scratch card to look at; you scratch it off (similar to a lottery ticket) and type in the code, and that is your dual authentication.

Customer Authentication
This is where the bank shows the customer that they are truly on the bank’s site and not on a phishing site. It can be a picture agreed on in advance by the bank and the customer that is displayed every time the customer logs in.

Shared Secrets
A website could show the user shared secrets such as their favorite teacher, their father’s birthplace or the answer to any other question chosen at random. This could be expanded by having the customer type in responses to questions previously asked by the financial institution.

Tokens
USB password-generating tokens qualify as something the customer has. These tokens would be simple to use on most modern machines and cost effective. Furthermore, some of these tokens generate a password and display it on their own screen for the user to type in on the website.

Keystroke Recognition
Some corporations are considering keystroke recognition. This software records the pattern of how each user types their password, so users are authenticated by how fast the keys are typed or how hard they are pressed.

Geo Location/ IP Recognition
This system allows access to the financial institution only from select regions or IP addresses. This obviously limits where users can access their accounts from, and some institutions question its security.

Biometrics
This is something the user is, such as a thumbprint or retinal scan. It obviously sounds like an expensive solution, since thumbprint scanners would have to be attached to many computers, but that could be rectified in the future by technological advancements.

Institution Confirmation
This is initiated by the user logging in with a password, which triggers a response from the institution: the financial institution calls, text messages or emails the user. Once the bank receives a positive response from the user, it allows access to the internet banking site until the user logs out again.

Every internet banking site will be required to have multi-factor authentication installed, or a plan to go live with it, by December 31, 2006. Risk analysis and management will be required for dual authentication, but the FFIEC has not yet set out any guidelines on how to audit these systems.

However, The Garland Group includes Dual Authentication as part of our FFIEC audits and risk assessments.