Online Businesses Step Up Their Authentication Services

For years, the onus has been on online consumers and banking customers to prove to online retailers and financial institutions that they are who they say they are. With the growth of phishing, pharming, and other cyberscams that trick users into divulging personal information, banks and businesses need to improve their ability to prove their institutional identities to customers before processing transactions.

Members of the Liberty Alliance Project last week formed the Strong Authentication Expert Group to build a framework requiring at least two forms of identity authentication before users access a network or online application. The framework, due out next year, will offer open specifications that let authentication technologies, including hardware and software tokens, smart cards, biometrics, and systems based on short-message-service technology interoperate universally across different organizations and networks. American Express, Hewlett-Packard, Intel, and the Defense Department have joined the Liberty Alliance group.

The Liberty Alliance's emphasis on improved authentication follows last month's demand by the Federal Financial Institutions Examination Council, a government interagency standards body, that financial-services companies create two-factor authentication for online applications that require banking customers prove their identities using more than just a user name and password. Liberty Alliance members and the FFIEC are concerned that online fraud and identity theft threaten use of the Web and online banking.

To ensure that investments in E-commerce and E-banking systems aren't undermined by security concerns, businesses and financial institutions are turning to tools that provide mutual identification between banks and their online customers. Entrust Inc., a provider of digital identity-security technology, last week introduced the latest version of its IdentityGuard software with mutual authentication features. IdentityGuard 8, which begins shipping in December, lets bank customers create a customized login page that they access each time they begin an online banking session. If the customer is directed to a login page without this customized information, such as a favorite phrase or a digital photo of a pet, the customer is tipped off that the page might not be legitimate. Another feature, for large, high-risk transactions, sets up a multistep login process. Once the login is initiated, the customer receives a phone call or E-mail from the bank with additional login codes to complete the transaction.

The Financial Services Technology Consortium, which evaluates technology development for the banking industry, in August launched a project to identify and define guidelines and standards for implementing mutual authentication. Says Jim Salters, the consortium's director of technology initiatives and project development, "If we do nothing about online fraud and identity theft, it will become a big problem."

Banks on the front lines battling fraud and identity theft know that even the perception of security problems will discourage customers from signing up for online banking or making online purchases. But financial-services companies have to provide tight online security without inconveniencing customers or passing along increased costs. First American Bank and Trust, a regional bank in Vacherie, La., outsources its online banking operations and security to FundsXpress Financial Network Inc. and SecureWorks Inc., respectively. First American IT director Gerald Rome says, with all the attention that phishing and pharming are getting, "it's an uphill battle to make people more comfortable with online banking, but if you're going to offer the Internet as a channel, you have to make it secure."