By Marisa Torrieri, Contributing Editor
Today, most corporate banks in the U.S., Europe and Latin America use two-factor authentication techniques to minimize security risks. But soon, your average, ATM-carrying Joe will join them, as a new breed of products offering stronger authentication hits the mass market.
In response to the increase in Internet banking fraud, which spawned new semi-mandatory recommendations by the FFIEC [see other story], a growing number of vendors are making and marketing two-factor authentication products. Whether software- or hardware-based, these products add security beyond the single-factor, password-only authentication most banks use today: a second, independent factor that a stolen password alone cannot supply.
While many forms of strong authentication, such as Public Key Infrastructure (PKI) and biometrics, address the problem of insecure transactions, it's something simpler that tops the hot list for 2006 – One-Time Password (OTP) generators.
OTP generators range in size and shape – some are stand-alone tokens, others hang on key chains, and others are embedded in cell phones. Most, however, work in much the same way. A bank customer enters a pre-determined PIN (something the customer knows) together with a fresh password generated on the spot by the OTP generator (proof of something the customer has) to retrieve money or other financial data. Because each generated password is valid only briefly and only once, a password captured by an attacker is worthless after it has been used or has expired.
"The reason they're really hot is that they're portable," says Doug Graham, a former RSA Security executive who is now a security analyst for BusinessEdge Solutions – a high-tech consulting firm. "I can take them from machine to machine."
OTPs have proven effective in curbing phishing and pharming, two growing practices by which fraud artists trick online users into revealing personal financial information: a harvested password expires before the fraudster can reuse it. They are not a complete cure, however, since an attacker who relays the freshly generated code to the bank in real time can still use it once.
Here's a look at just a few vendors on the banking authentication marketplace, and what they're offering financial institutions:
Paris-based Xiring was founded in 1998. It earned its biggest bragging rights in 2001, when it helped MasterCard to design the CAP (Chip Authentication Program) specification. Today, CAP is the norm in the industry, says Nigel Reavley, director of Xiring's banking business unit. The latest version of Xiring's flagship product – a one-time password generator called "Xi-Sign 4000," which is based on the CAP/EMV specification – is set to hit the U.S. next year.
A number of things make the "Xi-Sign" unique, says Reavley. It was the first to be certified by MasterCard as CAP compliant, and it uses the CAP application, a software program within the smart card, to generate one-time passwords. Other systems rely on proprietary algorithms to calculate the one-time password or rely on a synchronized clock – but this creates issues and cost when the token is lost or desynchronized, he says.
For banks migrating to EMV, "(the Xi-Sign 4000) is a good investment since the card and PIN number exist already and the bank doesn't have to reinvest," Reavley says. Every transaction done on the Internet instead of in a branch saves the bank $1, so after ten transactions, the bank breaks even on the cost of the OTP generator. The cryptogram's server (which costs between $50,000 and $100,000 to run) is paid for after 100,000 transactions, he adds.
Bedford, Mass.-based RSA Security boasts a number of two-factor authentication products and a customer base of more than 19,000 around the world. Its flagship product is the RSA SecurID two-factor authentication token, a small device that fits on a keychain and displays a six-digit passcode that changes every 60 seconds.
The generated passcode is entered manually (typed), along with a user name and PIN, to access strongly protected Web sites and corporate resources, says John Worrall, vice president of worldwide marketing at RSA Security. What's great, adds Worrall, is that the user gets 40,000-plus password changes every month and doesn't have to remember a thing. The company also offers a USB-enabled RSA SecurID token, and software-based tokens that may be downloaded onto a user's laptop, cell phone or other mobile device. "In the past several years there has been an upswing in interest in two-factor authentication," Worrall says. "In the corporate world, we're seeing more companies that want to protect their network from the inside, and they've begun to roll out two-factor authentication in association with the Windows logon."
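The PIN-plus-passcode scheme described for the keychain token above, together with the clock-drift and replay issues raised in the Xiring profile, as an added example in Python. This is not RSA's, Xiring's or any other vendor's code; the SecurID algorithm is proprietary, so the example uses the public HOTP/TOTP construction of RFC 4226 and RFC 6238 instead. The OtpVerifier class, its enroll/verify methods, the 60-second step, the one-step tolerance window and the sample key (the RFC 4226 test-vector key, used as a constructed input) are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 60   # one passcode per minute, the cadence described for the keychain token
DIGITS = 6          # six-digit passcode
WINDOW = 1          # accept a code one step early or late to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock. This is what the token displays."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step)


class OtpVerifier:
    """Bank-side verifier for PIN + one-time passcode (hypothetical, not any vendor's product)."""

    def __init__(self) -> None:
        self._users = {}   # username -> per-user record

    def enroll(self, username: str, secret: bytes, pin: str) -> None:
        # A real deployment keeps the secret in an HSM and the PIN as a salted hash; this
        # in-memory dict only keeps the example self-contained. Revoking a lost token is
        # simply deleting the record.
        self._users[username] = {
            "secret": secret,
            "pin": pin,
            "last_counter": -1,   # highest time step already redeemed; blocks replay of a used code
            "drift": 0,           # learned offset between the token's clock and ours, in steps
        }

    def verify(self, username: str, pin: str, code: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). Checks the 'know' factor, then the 'have' factor."""
        if now is None:
            now = time.time()
        rec = self._users.get(username)
        if rec is None:
            return False, "unknown user"   # production code should burn the same time here
        # Constant-time comparison so a wrong PIN cannot be told apart by timing.
        if not hmac.compare_digest(pin.encode(), rec["pin"].encode()):
            return False, "bad PIN"
        base = int(now) // STEP_SECONDS + rec["drift"]
        for offset in range(-WINDOW, WINDOW + 1):
            counter = base + offset
            if counter <= rec["last_counter"]:
                continue   # that step's code was already redeemed (or is older): no replay
            if hmac.compare_digest(hotp(rec["secret"], counter), code):
                rec["last_counter"] = counter
                rec["drift"] += offset   # the token appears `offset` steps off; remember it
                return True, "ok"
        return False, "bad or replayed code"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test-vector key, a constructed sample
    bank = OtpVerifier()
    bank.enroll("alice", secret, "1234")
    t = 60
    code = totp(secret, t)             # what the customer reads off the token
    print(bank.verify("alice", "1234", code, now=t))   # accepted
    print(bank.verify("alice", "1234", code, now=t))   # same code again: rejected as a replay
```

The window is what lets a token whose clock has slipped keep working without a trip to the branch, and the recorded drift is the "resynchronization" the Xiring profile refers to; widening the window eases support calls but gives an attacker holding a captured code a longer period in which to relay it.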
ActivIdentity, the Fremont, Calif.-based public company formerly known as ActivCard, provides a number of hardware- and software-based OTP authentication products to clients such as M&T Bank, China Trust and Allied Irish Bank. Its OTP line includes soft tokens and USB keys. The company also offers a suite of products for secure remote access. The name change reflects the company's desire to be known as a provider of more than smartcards, says Julian Lovelock, authentication product manager for ActivIdentity.
Chicago-based Aladdin's suite of eToken products hit the market five years ago to provide what it calls "strong authentication for online networks" for a number of security applications. The company recently released a new OTP product based on its popular eToken security software for businesses that want to go digital. Aladdin's OTP eToken is based on the eToken NG-OTP device, and when combined with the vendor's eToken management system, gives a company secure access to its network and applications in both connected mode (with the USB connection) and detached mode (with the one-time password). The difference between eToken and a standard OTP device, according to CEO Steve Langerock, is that the Aladdin eToken includes a smart chip, which can be used for encryption and storage of passwords and digital credentials. That means "you the user have to authenticate yourself to the device" before beginning online transactions, Langerock says.
StrikeForce Technologies: Two-factor authentication is great, but the cost to banks of upgrading antiquated security systems can be overwhelming, says George Waller, executive vice president of Edison, N.J.-based StrikeForce Technologies. To compete with the industry's stalwarts, five-year-old StrikeForce released a software-based OTP system to complete its ProtectID authentication platform.
ProtectID is a "hack proof," "out-of-band" authentication solution that uses two separate pathways to protect a person's identification, says Waller. The first pathway is the traditional one, where the user name is sent to the domain or Web server. The second pathway, usually a phone, is used to transmit a passcode or PIN code. Additionally, a user can generate a one-time password on the spot via his or her mobile device, PDA or computer. The platform offers users 10 different authentication methods, and costs less than competitors' products, says Waller. Usually, it breaks down to about $3 per user per year for 100,000 users, he adds.
While OTPs aren't perfect (user data is still at risk, especially when it travels through public computers), they are a smart investment for U.S. banks, consultant Graham says. Not only will they help banks earn high marks for compliance with the FFIEC guidelines, they may help banks trying to woo customers with a high net worth. Such customers are likely more concerned with security, he says. And they may even provide a great advertising opportunity for banks wanting to brand OTPs with a particular logo, he adds.
"This [technology] has been available for a number of years," Graham says. "Banks are finally starting to realize that they have to do something stronger."