Companies Bid for Authentication Compliance Work

Now that Federal regulators will require banks to toughen security for
Internet users through authentication, companies are searching for solutions
that will ease the transition towards compliance.

The new security standards for online banking, established in a report
published earlier this month by the Federal Financial Institutions
Examination Council (FFIEC), says banks need to use two-factor
authentication to reduce the occurrence of account fraud and identity theft.

The standards, which call for institutions to use more measures than just names
and passwords, are to be in place by the end of 2006.

“The rapid rise of online banking has created a tempting target for fraud
and identity theft, and we are in complete agreement with the FFIEC on the
need for stronger authentication, Stu Vaeth, chief security officer at
Diversinet, said in a statement. “We also believe that financial
institutions deploying the right consumer security solutions will gain an
important competitive advantage.”

Diversinet is a provider of mobile-enabled personal authentication and security solutions for consumers and enterprise applications.

The government’s report, “Authentication in an Internet Banking
Environment,” says single-factor authentication is inadequate for high-risk
transactions involving access to customer information or the movement of
funds to other parties.

It recommended “multifactor authentication”, layered security or other
controls reasonably calculated to mitigate those risks to reduce incidences
of phishing.

“We also believe that financial institutions deploying the right consumer
security solutions will gain an important competitive advantage,” Vaeth
said.

Banks and other financial institutions offering consumers the ability to
conduct transactions over the Internet are expected use the two-factor
authentication which Vaeth endorses as cost-effective, easy to
provision and manage, and supports the greatest number of access devices.

“We think software tokens on second-factor portable devices are the optimal
solution that offers all these advantages,” said Vaeth. “One-time password (OTP) tokens are a straightforward extension to
existing static password-based systems, making them fairly simple to deploy.”

However, Bill Calpin, president and chief executive officer of Digital
Envoy, said the recommendations are lacking in several areas.

“We do believe banks need to ensure the authentication process is a seamless
and painless experience for the banking customer, recognizing the potential
for consumers to have multiple financial relationships that will be
impacted – a key recommendation not addressed in the FFIEC Guidance,” he
said in a statement.

News Around the Web