Two-factor authentication for bank web sites will be commonplace by the end of 2006 as federal regulators require improvements to online banking security.
One factor is something you know. The second factor will be something you have. Together, the two should help minimize the effect of weak passwords and some identity theft tactics used against people by criminals.
The Federal Financial Institutions Examination Council, comprised of the US Comptroller and agencies like the FDIC and NCUA, wants banks and credit unions to take steps to limit online crimes, Reuters reported. In an opinion written by the council, they criticized single-factor authentication as inadequate protection for online transactions.
A common second factor used by private companies, hardware tokens with codes that continually change, could be the technology of choice. The codes on the tokens change each minute, and even if a login and password fall into a criminal’s hands via a phishing scam, they would be useless without the second factor.
The switch to two-factor authentication will help secure banking transactions, but won’t be a panacea. Noted security expert Bruce Schneier wrote in April that while two-factor will solve passive gathering tactics that collect passwords, other problems will persist:
“What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.
Security is always an arms race, and you could argue that this situation is simply the cost of treading water. The problem with this reasoning is it ignores countermeasures that permanently reduce fraud. By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.”
David Utter is a staff writer for murdok covering technology and business. Email him here.
