RealTime IT News

Companies Bid for Authentication Compliance Work

Now that federal regulators will require banks to toughen security for Internet users through authentication, companies are searching for solutions that will ease the transition towards compliance.

The new security standards for online banking, established in a report published earlier this month by the Federal Financial Institutions Examination Council (FFIEC), say banks need to use two-factor authentication to reduce the occurrence of account fraud and identity theft.

The standards, which call for institutions to use more measures than just names and passwords, are to be in place by the end of 2006.

"The rapid rise of online banking has created a tempting target for fraud and identity theft, and we are in complete agreement with the FFIEC on the need for stronger authentication," Stu Vaeth, chief security officer at Diversinet, said in a statement. "We also believe that financial institutions deploying the right consumer security solutions will gain an important competitive advantage."

Diversinet is a provider of mobile-enabled personal authentication and security solutions for consumers and enterprise applications.

The government's report, "Authentication in an Internet Banking Environment," says single-factor authentication is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

It recommended "multifactor authentication," layered security or other controls reasonably calculated to mitigate those risks and to reduce incidences of phishing.

Banks and other financial institutions offering consumers the ability to conduct transactions over the Internet are expected to use the two-factor authentication which Vaeth endorses as cost-effective, easy to provision and manage, and supportive of the greatest number of access devices. "We think software tokens on second-factor portable devices are the optimal solution that offers all these advantages," said Vaeth. "One-time password (OTP) tokens are a straightforward extension to existing static password-based systems, making them fairly simple to deploy."

However, Bill Calpin, president and chief executive officer of Digital Envoy, said the recommendations are lacking in several areas.

"We do believe banks need to ensure the authentication process is a seamless and painless experience for the banking customer, recognizing the potential for consumers to have multiple financial relationships that will be impacted - a key recommendation not addressed in the FFIEC Guidance," he said in a statement.