Now that the FDIC has officially come out in favor of two-factor authentication, it’s only a matter of time before every major bank has upgraded their login procedures.
According to a Dec. 24 New York Times article, E*Trade Bank will be the first US bank offering two-factor authentication for retail customers. They are expected to use a token system similar to that used by AOL and several international banks including ABN Amro, Credit Suisse, Rabobank, and First National Bank (South Africa), winner of Online Banking Report’s Best of the Web in November.
E*Trade’s system is expected in Q1 2005 and will be optional for the customer. It’s already in testing with 200 customers.
US Bank is also said to be testing a token system from Verisign.
Analysis: A simpler solution needed for the mass market
We commend these banks for doing something to reassure frightened users. According to Forrester, 26% of online users have not applied online for a financial product due to phishing fears and 14% have stopped paying bills or banking online. Finally, 20% have stopped opening emails from their financial providers.
However, a hardware token is overkill for most retail users. It requires ongoing maintenance expenses and tech support, and it is a logistical headache for the end user. It’s kind of like a car alarm: alarms make sense if you live in a high-crime area, but mostly they are just a nuisance.
Luckily, there are simpler choices on the way. Just yesterday, an interesting company, BioPassword, was profiled in The Seattle Times. Its software records the unique typing pattern of the end user and will keep out anyone else attempting to type the user’s password. At a recent conference, the company offered up to $100,000 to anyone who could successfully log in to its account, even after they’d been told what the password was. Not one of 1200 attempts was successful.
Another interesting alternative to tokens is Entrust’s IdentityGuard, which Forrester analyst Jonathan Penn raved about in a November 19, 2004 research note. The Entrust solution is a low-tech version of the token, using a paper-based "bingo card": users are asked to enter digits from certain rows/columns of the card (see card right).
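The grid-card check described above can be sketched as follows. This is an added illustration, not Entrust's code; the 5x10 layout, three-cell challenge, three-strike lockout and all names are assumptions.

```python
import hmac
import secrets

ROWS, COLS = "12345", "ABCDEFGHIJ"  # assumed 5x10 card layout

def issue_card():
    """Random digit per cell; printed for the user and stored by the bank."""
    return {c + r: str(secrets.randbelow(10)) for r in ROWS for c in COLS}

def new_challenge(card, k=3):
    """Pick k distinct cell coordinates, e.g. ['B4', 'H1', 'D2']."""
    cells, picked = sorted(card), []
    while len(picked) < k:
        cell = secrets.choice(cells)
        if cell not in picked:
            picked.append(cell)
    return picked

def verify(card, challenge, response):
    """Constant-time comparison of typed digits with the stored card."""
    expected = "".join(card[cell] for cell in challenge)
    return hmac.compare_digest(expected.encode(), response.encode())

def exposed_fraction(card, seen_challenges):
    """Share of the card someone watching past logins has learned."""
    seen = {cell for ch in seen_challenges for cell in ch}
    return len(seen) / len(card)

class GridLogin:
    """Server-side second-factor state for one user."""
    def __init__(self, card, k=3, max_failures=3):
        self.card, self.k, self.max_failures = card, k, max_failures
        self.failures, self.pending = 0, None

    def challenge(self):
        # Keep the outstanding challenge until it is answered. A fresh one
        # per page load would let someone who knows only a few cells
        # reload until the challenge happens to match them.
        if self.pending is None:
            self.pending = new_challenge(self.card, self.k)
        return self.pending

    def answer(self, response):
        if self.pending is None or self.failures >= self.max_failures:
            return False  # nothing asked yet, or locked out
        ok = verify(self.card, self.pending, response)
        if ok:
            self.pending, self.failures = None, 0
        else:
            self.failures += 1
        return ok
```

Because every login reveals a few cells to anyone watching, `exposed_fraction` gives a simple trigger for reissuing the card before too much of it has been seen.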
Another solution receiving a lot of attention, partly because ex-Intuit CEO Bill Harris is its founder, is PassMark. The company touts its "2×2 factor" program that authenticates users to the bank and the bank to the user. The latter is done via a visual aid, hence the company name. They also have an excellent, easy-to-digest demo.