Two-Factor Authentication: The Single Sign-on Solution?
New online risk-monitoring and strong-authentication technologies are helping banks meet looming FFIEC online authentication deadlines
No one likes passwords: good ones are long and thus hard to remember, and resetting passwords takes time and customer-support resources.
As a result, many organizations are looking for a better way to manage authentication. That includes the San Antonio City Employees Federal Credit Union (CECU) in Texas, which has over 100 employees, roughly $272 million in assets, and 42,000 members. “About two years ago we began looking into a single sign-on solution for all of our employees,” says Steve Schipull, CECU’s senior vice president of finance and technology. Schipull, a former auditor, categorizes himself as “a CFO with other duties,” which include directing the credit union’s security and compliance efforts.
One driver for single sign-on was the cost of supporting password resets. “The help desk was getting call after call: can you reset our password?” he notes. Of course, security best practices dictate employees use long passwords, which CECU required, but that has repercussions. For example, “sometimes they’re so complex you have to write them down,” which, from a security perspective, is not desirable behavior. Accordingly, he began looking for a way to simplify the password process, improve security, and save money by reducing help desk calls.
The credit union isn’t alone in its quest to move beyond passwords. Numerous organizations today are trying to make authentication easier, and that’s especially true for financial services firms. In October 2005, the Federal Financial Institutions Examination Council (FFIEC) issued new guidelines for financial services firms’ customer-facing online authentication practices, saying passwords are not enough. “The new guidelines do not mandate any specific technology but require firms to establish formal programs for measuring the risk of various online activities, and deploy solutions that mitigate those risks,” notes Jonathan Penn, an analyst at Forrester Research, based in Cambridge, Mass. Although the FFIEC regulations will not be enforced until the end of this year, he says most financial institutions still have a long way to go before they’ll be in compliance.
To comply with the FFIEC guidelines, banks are increasingly bolstering their risk-monitoring and strong-authentication controls. Penn says the leading vendors of such software are RSA (which made two related acquisitions recently—of Cyota and PassMark), followed by VeriSign and Entrust.
A number of new technologies may also help firms better protect their customers. “Many of these are quite novel, and some are downright unconventional, though potentially quite effective nevertheless,” he says. “Some of the more innovative approaches to authentication include technologies offered by Bharosa, Passfaces, BioPassword, and iMagic Software,” though such products are relatively new. As a result, “Most of these technologies have not been sufficiently vetted in the marketplace to help banks determine how well they work across large populations of users, whether consumers will accept the changes, and what the best practices are for configuration and rollout.”
When investigating a better approach to passwords for CECU employees, Schipull initially began investigating two-factor authentication via fingerprint readers, and then adopted fingerprint readers for all employees. He also came upon so-called keystroke biometric capabilities from BioPassword Inc. Its software, which can be used for logging onto PCs, network resources, or Web sites, builds a biometric using a person’s unique typing rhythm. “I was initially skeptical,” he says, “so I watched the guy type—it was a very basic password—and I watched it, then five or eight times tried to enter it, and I couldn’t get it accepted.”
Schipull says he also vetted other options, including PassMark, which makes users select the correct photo before logging in—primarily to prevent phishing—but after further testing, ultimately tapped BioPassword to secure 10 of the credit union’s mobile devices. “We have numerous, password-protected sites that we have to visit. For me, it was much easier to use a fingerprint device to capture all that information,” he says. “However, BioPassword has a use as well, for all of our mobile devices,” principally so users don’t have to carry a USB fingerprint reader.
Now, the credit union uses a networked version of BioPassword, tied into its Active Directory installation, and running on a Microsoft Windows 2003 Server. The first time users start a PC protected by BioPassword, they must type their password 10 to 15 times so the software can build the biometric algorithm. Thereafter, BioPassword runs and watches every user log-on—the mobile users still need a password, instead of only relying on a fingerprint—and the software blocks access if the cadence doesn’t match. “It was very easy to deploy from an administrator standpoint; my network admin guy had it up and running very quickly,” says Schipull, who notes the product “does what it’s designed to do: to allow access to the people who are only supposed to use that device.”
Based on its experiences with BioPassword, the credit union now plans to deploy the technology for its consumer banking site, initially as a monitoring tool, and in the future, perhaps as a log-on control. Schipull says the chief consideration for deploying such technology was to not adversely impact the customer’s banking experience by making them have a key fob, select from a list of photographs, or answer challenge questions. “You’re adding that additional security without having the member change what they’re used to,” he says. “This will work against a keylogger program that’s automated, because it’s not going to know the cadence of how you type, and it also works from an anti-phishing perspective, because if you go to a site, it’s not going to have the BioPassword check” when a user tries to log on.
Beyond using new types of authentication, financial firms also have new ways to tap the kinds of risk-based controls long used to watch for check fraud and physical credit card theft, yet which today are rarely applied online. “You’ve never gotten a call, I presume, saying, ‘Was that you online yesterday?’” says Bob Ciccone, CEO of Cydelity Inc., based in Santa Clara, Calif. “That’s a channel that still needs coverage, from a fraud-exposure management perspective.”
Cydelity’s software, eSentry, can watch online financial business processes to detect potential fraud, then react by sending an alarm to a bank’s fraud investigator, he says. “We’re a silent factor. Soft factor is a browser, hard factor is hardware, and silent factor is where you’re let in, and your factor is your behavior.”
To build a picture of a bank’s business processes, so it knows what to monitor, Ciccone says eSentry begins by sniffing the network traffic. “The product already knows that it’s looking for balance checks, bill payments, online transfers. It just has to be mapped to the particular URL sequence,” he says. With a list of typical network activity, “we ask the administrator: Where is the balance check for the checking account? Where is the bill pay? There are only about 50 things you can do in these banking applications, so mapping to the URL and the syntax in that URL is not bad,” and only takes a few hours, he says.
While banks already have fraud departments, they typically lack visibility into online processes, says Ciccone. “The fraud department already has mechanisms set up to stop things like wire transfers and online bill payments,” yet “there has been no guard for the online channel.” Traditionally, the e-commerce and information security groups handled the online channel, but increasingly, banks want all suspicious activity routed through their fraud departments.
When it comes to securing online transactions, however, banks are also wary of making online banking any more difficult for customers, for example by requiring additional types of authentication. As a result, says Ciccone, risk-based controls “resonate with a lot of financial institutions because they don’t want to lock the front door any harder than it already is.”