Why is Strong Authentication needed?

by Mr. Julian Curmi B.Sc. ACIB CISA CISSP - Information Security Officer
email:
curmimontaldo@netscape.net

Electronic Banking (part 2)


Single-factor authentication usually consists of "something you know". In general, such schemes are susceptible to attacks that can compromise the security of the application. Some of the more common attacks cost the perpetrator little or nothing and go undetected.

Such programmes are readily available over the internet. If undetected, the perpetrator could access the information without alerting the legitimate user. This is the reason for using a strong user authentication process to protect data and systems, and strong user authentication brings many benefits.

One example of strong user authentication is amply demonstrated by the use of ATMs: access to an ATM is protected by strong user authentication, a bank card and a PIN. How many customers would use an ATM if only a reusable password or PIN scheme allowed access to their accounts? The same security approach should be applied to electronic banking services, especially when using the internet, since the perceived risks are by far greater.

In addition to reducing the risk of unauthorised access, two-factor authentication also provides institutions with a foundation to enforce electronic transactions and agreements. First, effective authentication provides the basis for validation of parties to the transaction and their agreement to its terms. Second, it is a necessary element to establish authenticity of the records evidencing the electronic transaction should there ever be a dispute. Third, it is a necessary element to establish the integrity of the records evidencing the electronic transaction. All of these elements promote the enforceability of electronic agreements.

Financial institutions should assess the adequacy of existing authentication techniques in the light of changing or new perceived risks (the increasing ability of hackers to compromise less robust single-factor techniques). According to the ICSA (International Computer Security Association), 80 per cent of system undermining occurs from within the organisation. The Basle Committee on Banking Supervision advises financial institutions to consider the apparent risks of offering internet banking services based on a PIN alone. Single-factor authentication alone may not be commercially reasonable or adequate for high-risk applications and transactions.

Systems linked to open and untrusted networks like the internet are subject to a greater number of individuals who may attempt to compromise the system. Attackers may use automated programs to systematically generate millions of numerical combinations, in the case of systems relying on PIN alone, to learn a customer's access code (brute force attack).
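To make the brute-force point concrete from the verifier's side, here is an added example (not part of the original article) that models a bank's server-side check under three policies: PIN only with no failed-attempt counter, PIN only with an ATM-style lockout, and card plus PIN. The 4-digit PIN, the three-strikes lockout, the sample PIN "0137", and the low KDF iteration count are all assumptions chosen for the demonstration; the card secret stands in for the "something you have" factor.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PIN_LENGTH = 4            # assumed: 4-digit numeric PIN, so 10_000 possible values
MAX_FAILED_ATTEMPTS = 3   # assumed policy, modelled on ATMs retaining the card after 3 wrong PINs
KDF_ITERATIONS = 500      # kept low so the simulation runs in seconds; production uses far more


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen verifier database cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes          # "something you know", stored only as a hash
    card_secret: bytes       # "something you have": a secret issued on the card
    failed_attempts: int = 0
    locked: bool = False


def enrol(pin: str) -> Tuple[Account, bytes]:
    """Create the server-side record; the returned card secret goes onto the customer's card."""
    salt = secrets.token_bytes(16)
    card_secret = secrets.token_bytes(16)
    return Account(salt, hash_pin(pin, salt), card_secret), card_secret


def verify(acct: Account, pin: str, card_secret: Optional[bytes],
           require_card: bool, enforce_lockout: bool) -> str:
    """Server-side check. Returns 'ok', 'denied' or 'locked'.

    require_card=False models a PIN-only channel; enforce_lockout=False models a
    verifier that keeps no failed-attempt counter.
    """
    if acct.locked:
        return "locked"
    pin_ok = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
    card_ok = card_secret is not None and hmac.compare_digest(card_secret, acct.card_secret)
    if pin_ok and (card_ok or not require_card):
        acct.failed_attempts = 0
        return "ok"
    if enforce_lockout:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
    return "denied"


def simulate_pin_enumeration(acct: Account, require_card: bool,
                             enforce_lockout: bool) -> Tuple[str, int]:
    """Model the automated guessing the article describes: every PIN tried in order
    by someone who does not hold the card. Returns (outcome, attempts made)."""
    total = 10 ** PIN_LENGTH
    for n in range(total):
        result = verify(acct, f"{n:0{PIN_LENGTH}d}", None, require_card, enforce_lockout)
        if result in ("ok", "locked"):
            return result, n + 1
    return "exhausted", total


def run_scenarios(pin: str = "0137") -> Dict[str, Tuple[str, int]]:
    """Same customer PIN (a constructed sample) under three verifier policies."""
    results = {}
    for name, require_card, lockout in [
        ("pin_only_no_lockout", False, False),
        ("pin_only_with_lockout", False, True),
        ("card_and_pin_no_lockout", True, False),
    ]:
        acct, _card = enrol(pin)
        results[name] = simulate_pin_enumeration(acct, require_card, lockout)
    return results


def legitimate_login(pin: str = "0137") -> str:
    """The genuine customer, holding the card and knowing the PIN, is let in."""
    acct, card = enrol(pin)
    return verify(acct, pin, card, require_card=True, enforce_lockout=True)


if __name__ == "__main__":
    for name, (outcome, attempts) in run_scenarios().items():
        print(f"{name:26s} -> {outcome} after {attempts} attempts")
    print("legitimate customer:", legitimate_login())
```

With the PIN-only verifier and no counter, the guessing loop reaches "ok" on the 138th attempt (the PIN's position in the enumeration). A three-strikes lockout stops it at the third attempt, which is why ATMs can survive a 10,000-value keyspace. Requiring the card secret as well, even with no lockout at all, leaves the guesser exhausting every PIN without a single success, because the second factor is never in its hands; both controls together are what the article argues for.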

Would consumers perceive this as a secure way of doing their banking over the internet, which is technically an insecure medium, when at the same time they are obliged to do their banking via an ATM using two-factor authentication?

Consumers rely on, and gain comfort from, a strong user authentication method to protect their sensitive data and money. Also, financial institutions can hold users accountable for controlling their cards and PIN. The combination of two authentication factors is what enables users and financial institutions to hold each other accountable.

The importance of risk assessment

There are a variety of authentication tools and methodologies financial institutions can use to authenticate customers. These include the use of passwords and personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards or other types of "tokens", database comparisons, and biometric identifiers. Which authentication tool is chosen depends heavily on the type of service and the channel across which it is offered, together with a risk assessment that the financial institution must carry out in order to ensure that the perceived risks are adequately mitigated.

An effective authentication programme should be implemented on an enterprise-wide basis and across all service channels, for example internet, telephone and call-centre services, to ensure that controls and authentication tools are adequate. Authentication processes should be designed to maximise interoperability and should be consistent with the financial institution's overall strategy for electronic banking and e-commerce customer services.

The implementation of appropriate authentication methodology starts with an assessment of the perceived risks to the institution's electronic banking systems.

The perceived risks should be evaluated in the light of the:

• channel through which the organisation shall be offering its service, for example internet;

• services offered (third-party bill payment);

• monetary value and frequency of transactions passed through the channel;

• sensitivity and value of the stored information to both the institution and the customer;

• ease of using the method, e.g. token card, smart card or PKI (public key infrastructure);

• legislation, that is the Banking Act 1994, the Prevention of Money Laundering Act 1994, the Professional Secrecy Act 1994, the Electronic Commerce Act 2001 and the Data Protection Act 2001.

The use of token or smart card devices in the organisation will cause some major changes - and change doesn't come easy. Employees and customers will need to get accustomed to having their cards in their possession at all times. People in general are already accustomed to this - hardly anyone ever leaves home without first making sure that the mobile phone is on hand, together with an array of plastic money.

The token card will become just another of those essentials. Most organisations have deployed electronic cards to allow authorised personnel to access their office buildings. Patrons are no longer given a key to their hotel room but an electronic key card. So really, the culture and acceptance of using token card/smart card based solutions to access electronic banking systems is generally on the upswing.
