Two-Factor Authentication Tips in ’06

Most people don’t even know what two-factor authentication is, let alone use it… but they will… at least those who bank online or use eBay or PayPal (email soon too). See the article below for the online banking details and see the following paragraph for the eBay/PayPal details. And see some of my prior posts on RSA Security (RSAS), one of my fundamental picks in this space (I say “fundamental” because the technicals have been flat to down for many months now).

VeriSign (VRSN) is also high on my “fundamental” list based on its deal with eBay (EBAY), whereby eBay bought VeriSign’s payment gateway operation for $370 million.  As part of the deal, eBay will buy up to one million of VeriSign’s authentication tokens and distribute them to PayPal customers in 2006.  The tokens display a six-digit code that computer users type, along with passwords, to gain access to networks.  The code changes every minute, thereby deterring unauthorized access.

It should also be noted that AOL (a division of Time Warner, TWX) quietly rolled out RSA tokens last year and Etrade (ET) is promoting them heavily right now.  The bottom line is that two-factor authentication is coming on big time in 2006.  Sounds like a tipping point to me!  Cheers!  PS: Also watch for the wild stuff eBay is going to do with Skype, which it acquired a couple of weeks ago to the dismay of the herd of conventional-thinking reporters and analysts.
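The token-plus-password check described above (and again in the AP article below), as an added example that is not from the original post or from RSA or VeriSign: a six-digit code derived from a seed shared between the token and the bank's server plus the current minute, in the style of RFC 6238 TOTP (HMAC-SHA1 with the RFC 4226 HOTP truncation), followed by the server-side check that requires both the password and a fresh, unused code. This is not the proprietary SecurID or VeriSign VIP algorithm; it only shows the mechanism. The sample seed (the RFC 4226 test secret), the user record, the fixed clock value and the one-step `window` tolerance are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os
import struct

# Parameters matching the description above: a six-digit code that changes
# every minute. HMAC-based derivation in the style of RFC 6238 (TOTP); this
# is NOT the proprietary RSA SecurID or VeriSign VIP algorithm.
STEP_SECONDS = 60
DIGITS = 6

# Constructed sample seed (the RFC 4226/6238 test secret). A real seed is
# provisioned into the token and the bank's server and is never typed or seen.
SAMPLE_SEED = b"12345678901234567890"


def code_for_counter(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1 over a 64-bit counter."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
               digits: int = DIGITS) -> str:
    """What the token displays at unix_time: the counter is the current time step."""
    return code_for_counter(seed, unix_time // step, digits)


class UserRecord:
    """Server-side record: salted password hash, token seed, and a replay guard."""

    def __init__(self, password: str, seed: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.seed = seed
        self.last_counter = -1  # highest time step whose code was already accepted


def verify_login(user: UserRecord, password: str, code: str, unix_time: int,
                 window: int = 1) -> bool:
    """Both factors must check. The code is accepted within +/- `window` time
    steps to tolerate clock drift between token and server, and each step's
    code is single-use so a captured code cannot be replayed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    password_ok = hmac.compare_digest(candidate, user.pw_hash)

    counter = unix_time // STEP_SECONDS
    matched = None
    for c in range(counter - window, counter + window + 1):
        if c <= user.last_counter:
            continue  # this step (or an older one) was already consumed
        expected = code_for_counter(user.seed, c).encode()
        if hmac.compare_digest(expected, code.strip().encode()):
            matched = c
    # Both factors are evaluated before deciding, so a failure does not reveal
    # which factor was wrong.
    if not (password_ok and matched is not None):
        return False
    user.last_counter = matched
    return True


def demo() -> dict:
    """Constructed walk-through at a fixed clock (1130000000 is late October 2005)."""
    now = 1130000000
    user = UserRecord("correct horse", SAMPLE_SEED)
    shown = token_code(SAMPLE_SEED, now)  # what the customer reads off the token
    return {
        "displayed_code": shown,
        "first_use": verify_login(user, "correct horse", shown, now),
        "replay_same_code": verify_login(user, "correct horse", shown, now + 10),
        "next_minute": verify_login(user, "correct horse",
                                    token_code(SAMPLE_SEED, now + STEP_SECONDS),
                                    now + STEP_SECONDS),
    }
```

Note what this check does not do: a code the customer types into a phishing page can be relayed by the attacker to the real site within the same one-minute window and will verify, so the token defeats password reuse and replay of captured codes, not a real-time relay.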

From the Wall Street Journal

U.S. to Require More Security for Banks’ Internet Customers

Associated Press
October 18, 2005 12:11 a.m.; Page B13

Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.

Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.

In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute.

Other types of two-factor authentication include costlier hardware involving biometrics or "smart" cards that would be inserted into designated readers on a user’s computer.

Banks might also issue one-time passwords on scratch-off cards or require "secret questions" about a customer’s account, such as the amount of the last deposit or mortgage payment.

The council also suggested that banks explore technology that can estimate a Web user’s physical location and compare it to the address on file.

The most common way of stealing consumers’ personal identity data and financial account credentials online, known as "phishing," typically involves sending emails that direct unwitting users to phony Web sites. Data harvested at such sites is then used fraudulently.

The Anti-Phishing Working group, an industry association, reported 13,776 unique types of phishing attacks in August.

While some financial institutions have given their customers electronic password tokens, those have tended to be optional. Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.

But in general, the industry can do more to stop account fraud and identity theft, according to the financial institutions council — which includes the Federal Reserve; the Federal Deposit Insurance Corp.; the U.S. Comptroller; the Office of Thrift Supervision and the National Credit Union Administration.

FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks’ practices are audited.

Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to "federate" their Web sites with banks, said Michael Aisenberg, director of government relations for Internet services provider VeriSign Inc.

VeriSign is a member of the Liberty Alliance, a group that is working to develop standards for federated authentication. In a federated system, a two-factor login at one site would be recognized by another, so a travel agency associated with your bank would automatically grant you access if you came straight from the financial institution’s Web site.

At the very least, Mr. Aisenberg said, "The securities industry is going to have to go along and other regulated sectors will no doubt follow along as well."