2-Factor Authentication: Will Financial Institutions Really be More Secure


Most 2-factor authentication solutions rely on validating consumer-supplied personal information against a database instead of using actual authentication algorithms. Financial institutions implementing such solutions may find they have purchased something that is little better than the simple "login/password" approach they were using before.

In October of 2005, the Federal Financial Institutions Examination Council issued a recommendation urging financial institutions to implement stronger (two factor) authentication before the end of 2006.

Two-factor authentication is the process of identifying someone using multiple factors. A real-world example of two-factor authentication occurs each time a person visits their ATM. They insert their bank card (the first factor) and then enter a 4-digit PIN (the second factor). Since they can supply both factors, the bank is reasonably sure they are the account owner and permits them to withdraw funds.

In the "virtual" world of online banking, however, consumers cannot insert their cards into their computer screens. Instead, online banks rely on other methods to gather substitute pieces of information, such as login IDs and passwords. This reliance on consumer-supplied information as the primary authentication mechanism has created the current identity theft nightmare. Last year, the FDIC estimated over five billion dollars were stolen by identity thieves using stolen personal information.

"What is Your Mother's Maiden Name?"

Most multi-factor authentication methods are little more than enhanced login processes, as vulnerable to fraud and abuse by identity thieves as their predecessors. Others may be more complex, relying on information such as device IDs and shared secrets. Ultimately, no matter how they try to hide behind obscure process layers, at their core, such solutions still authenticate using consumer-supplied information which can be stolen by identity thieves.

One example of this can be seen in Passmark Security's Sitekey approach. According to the company's website, "every computer, PDA, phone, or other device that accesses a PassMark-protected Web site is quickly and silently assigned a Device ID". This information is then "encrypted and stored on the device using multiple simultaneous methods, including secure cookies, Flash Shared Objects, and other means". Sitekey-equipped websites later attempt to retrieve this stored Device ID and look up the personal information associated with this ID in the website's database.

Behind this technical preamble is a simple fact. If no Device ID is found, as would be the case for millions of consumers who do not wish to have encrypted information silently stored on their computers by others, Sitekey prompts the visitor to answer a personal question such as "What is your mother's maiden name?" If the visitor answers correctly and has supplied the correct login/password, Sitekey lets them into the account.

Defeating multi-factor solutions such as Passmark's Sitekey, then, will be a relatively simple matter for identity thieves. They may have to take a few extra steps to steal the additional personal information from their victims, but ultimately they will continue to access victims' accounts. Indeed, identity thieves may not even have to look very far to find the additional information. It may already be available in the form of millions of stolen database records.

Shared Secrets = Shared Risks

Most multi-factor authentication solutions record the consumer's answers to their personal question prompts in a website database, to be retrieved later during the authentication process. Passmark Sitekey, Cyota eStamp, and Authentify all operate in this fashion. If the answers supplied by the visitor match the answers stored in the website database, the visitor is allowed to access the account.

Storing consumer personal information in a database and then validating this information as part of the authentication process is a recipe for a security disaster. The more organizations who subscribe to the same solution, the greater the risk for the entire group. A data breach at just one member will reveal the personal information used in the authentication process for any shared customers of the group.

In 2005, CardSystems made the news when 40 million of its data records were compromised. Bank of America, Peoples Bank, Ameriprise Financial, and a host of other organizations have also reported recent data thefts. Chances are, if you have ever entered your "mother’s maiden name" online as part of a website’s security process, there is an identity thief somewhere who has this information.

Is Any Authentication Truly Secure?

There is at least one multi-factor authentication solution that does not rely on consumer-supplied personal information as its authentication mechanism, or on personal information stored in a website's database. PhishCops by Sestus Data Corporation uses government-approved mathematical authentication algorithms developed by the National Institute of Standards and Technology (NIST) and the Information Technology Laboratory (ITL) under the authority of the U.S. Department of Commerce.
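To make the contrast drawn in the "Shared Secrets = Shared Risks" section and the paragraph above concrete, here is an added Python example. It is not code from the article, from Passmark, or from Sestus (the page does not describe the actual PhishCops algorithm), and the function names kba_check, device_respond, server_verify and demonstrate are assumptions of this example. It compares a knowledge-based check, where the stored answer is exactly the value a breach exposes and exactly the value a thief must type, with a challenge-response over a device-held random key verified using HMAC-SHA256 (the HMAC construction NIST standardized in FIPS 198), where a captured response is useless against the next challenge. The single database record is constructed sample data.

```python
import hashlib
import hmac
import secrets

# --- Knowledge-based check: the model the article attributes to most solutions ---
# The website stores the customer's answer and compares whatever the visitor types.
# Constructed sample record (hypothetical customer, hypothetical answer).
KBA_DATABASE = {"alice": {"mothers_maiden_name": "rivera"}}


def kba_check(user, answer):
    """Return True when the typed answer matches the answer on file for the user."""
    record = KBA_DATABASE.get(user)
    if record is None:
        return False
    # Normalize the way a real site would, then compare in constant time.
    return hmac.compare_digest(record["mothers_maiden_name"], answer.strip().lower())


# --- Possession-factor check: challenge-response over a device-held secret ---
# Assumed design: at enrollment the device and the site share a random key.
# The key is never sent over the wire; only a response to a fresh challenge is.

def enroll_device():
    """Generate a random 256-bit key for one device at one site (assumed enrollment step)."""
    return secrets.token_bytes(32)


def new_challenge():
    """Server side: a fresh random nonce for every login attempt."""
    return secrets.token_bytes(16)


def device_respond(key, challenge):
    """Device side: HMAC-SHA256 over the server's challenge, returned as hex."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def server_verify(key, challenge, response):
    """Server side: recompute the expected response and compare in constant time."""
    expected = hmac.new(key, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def demonstrate():
    """Run both checks and report which one a leaked or captured value defeats."""
    # 1. KBA: the value in the database IS the credential, so a breach of any site
    #    holding the same answer yields a value that authenticates here too.
    leaked_answer = KBA_DATABASE["alice"]["mothers_maiden_name"]
    kba_replayable = kba_check("alice", leaked_answer)

    # 2. Challenge-response: a legitimate login succeeds, but the response observed
    #    during it does not verify against the next challenge.
    key = enroll_device()
    challenge_1 = new_challenge()
    response_1 = device_respond(key, challenge_1)
    device_login_ok = server_verify(key, challenge_1, response_1)

    challenge_2 = new_challenge()
    device_replay_ok = server_verify(key, challenge_2, response_1)

    return {
        "kba_replayable": kba_replayable,      # True: stolen answer works as-is
        "device_login_ok": device_login_ok,    # True: genuine device passes
        "device_replay_ok": device_replay_ok,  # False: captured response is single-use
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The server in the second scheme still holds a copy of the key, so a breach of that one site is not harmless; the difference the article is pointing at is that this key is a per-site random value that can be revoked and re-issued, whereas a mother's maiden name is the same fact at every institution that asks for it and cannot be rotated once a single member of the group is breached.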

Sestus Data Corporation reports PhishCops was designed from its inception in accordance with FDIC and FFIEC regulatory requirements and the U.S. government recently named PhishCops a semi-finalist for the Homeland Security Award.

This is good news for consumers. Even more encouraging for business owners is the fact that, in a recent survey of competitive solutions reported on Yahoo News, PhishCops was rated #1 among two-factor authentication solutions, offering the lowest total cost of ownership with the fastest implementation time and minimal support requirements.

