Bank of America wins the race to be the first with a viable plan to secure consumer online banking accounts. In an announcement today, it becomes the first major U.S. bank to endorse multi-factor authentication for consumers at login.*

The system, already in use at Stanford Federal Credit Union, is called SiteKey. The clever approach from Bill Harris’s PassMark Security provides several layers of security to defeat phishing and keylogging attacks. The company calls it two-way two-factor authentication because not only does the end-user authenticate themselves to the bank, the bank authenticates itself to the user to defeat phishing schemes.

Here’s how it works (click on inset below for BofA page):

1. User provides username
2. BofA verifies that the login request is coming from the user’s previously registered computer; if NOT, user must successfully answer a challenge question based on previously registered shared secrets
3. After passing steps 1 and 2, the user is shown their previously selected image, so they know they are logging into the true BofA server
4. User enters their password

The service launches in mid-June in Tennessee with full roll-out by the end of the year.

Analysis
Even though it’s long overdue, we applaud Bank of America for moving the industry forward. While the program won’t be available system-wide until year-end, we’re giving it an Online Banking Report "Best of the Web" now because it’s the biggest development in U.S. online banking for several years.

The BofA/Passmark system is ingenious for several reasons:

• Unless a user logs in from a new computer, there is little extra work involved; just a two-step login with username, followed by the password
• Requires no hardware or out-of-channel coordination by the end-user; shouldn’t cause a major increase in customer service expense
• Defeats phishing by displaying a personal image prior to asking for password
• Defeats keylogging with the rotating challenge question

If you are at one of the other 15,000 financial institutions in the United States, the clock is now ticking. As your customers find out they are not among the 13+ million consumers (BofA’s current online base) receiving extra protection, they will be demanding the same from you. And if you thought BofA was aggressive in its free bill pay promotion, wait until you see the marketing blitz on this one. Extra authentication simply MUST BE in your 2006 plans.

— JB

*For several years, ING Direct has asked for a third bit of info at login, but the necessary info is relatively easy to obtain (for example, zip code). Also, earlier this year, E*Trade launched security tokens for its high-rollers. But BofA is the first with a broad, secure, and non-hardware-based approach.