"Authentication in an Internet Banking Environment"
Posted by Brian Wong
On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued the guidance "Authentication in an Internet Banking Environment." The FFIEC considers single-factor authentication to be "inadequate for high-risk transactions involving access to customer information or the movement of information to other parties."
Banks offering Internet-based financial services are expected to adopt "two-factor" authentication no later than the end of 2006. Two-factor authentication requires customers to confirm their identities with information they control, such as a PIN or password, and, typically, with a physical object: an electronic password token with numeric access codes that change every minute, a "smart" card inserted into a reader on the user's computer, or a costlier solution involving biometrics. Banks could also issue one-time passwords on scratch-off cards or require "secret questions" about a customer's account, such as the amount of the last deposit or mortgage payment. An FDIC spokesman said the rules will serve as standards that will be checked when banks' practices are audited.
The requirements only apply to financial services companies, but could lead to wider use of two-factor authentication by other merchants that are willing to "federate" their Web sites with banks. In a federated system, a two-factor login at one site would be recognized by another, so, for example, a business associated with a customer's bank would automatically grant access if the customer came straight from the bank's Web site.
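As an added illustration (not from the FFIEC guidance or any bank's system), the following sketch shows how a login that combines the two factors described above might be verified server-side: a password the customer knows, plus either a token code that changes every minute or a one-time scratch-card code. The six-digit code derivation, the 60-second step, the one-step drift tolerance and all sample values are assumptions for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # token codes "change every minute", as the post describes


def token_code(secret: bytes, now: int, digits: int = 6) -> str:
    """Numeric code for the current minute, derived from a shared secret (assumed HMAC construction)."""
    counter = now // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class Account:
    """Constructed account record holding both factors' server-side material."""
    def __init__(self, password: str, token_secret: bytes, scratch_codes):
        self.salt = b"constructed-salt"
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.token_secret = token_secret
        self.scratch_codes = set(scratch_codes)  # scratch-off codes are usable exactly once
        self.last_step_used = -1  # newest minute already accepted; blocks replay of a seen code


def check_password(acct: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    return hmac.compare_digest(acct.password_hash, candidate)


def login(acct: Account, password: str, second_factor: str, now: int) -> bool:
    # Factor 1: something the customer knows. Fail before touching the second factor.
    if not check_password(acct, password):
        return False
    # Factor 2a: something the customer has, the minute-rotating token code.
    step = now // STEP_SECONDS
    for s in (step, step - 1):  # tolerate one minute of token/server clock drift
        expected = token_code(acct.token_secret, s * STEP_SECONDS)
        if s > acct.last_step_used and hmac.compare_digest(expected.encode(), second_factor.encode()):
            acct.last_step_used = s
            return True
    # Factor 2b: a one-time password from the scratch-off card, consumed on use.
    if second_factor in acct.scratch_codes:
        acct.scratch_codes.remove(second_factor)
        return True
    return False
```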
I have developed a prototype for a unique approach to multi-channel, multi-factor authentication via the web.
I have just begun to seek funding to make it happen.
I am interested in any participants who are security experts, or who work with or in banks or other financial institutions.