Two-factor authentication for online banking: here are some key things to consider when trying to satisfy new federal banking guidelines to protect online account access.


by Schmidt, Randy
Mortgage Banking • August, 2007 • Feature
* Out-of-band authentication provides a pathway separate from the Internet, usually using a cell phone, personal digital assistant (PDA) text message, home phone or voice-authentication system as a second factor by which to verify customer credentials. Some of the USB tokens noted earlier can also provide an out-of-band authentication component, usually by way of randomly generated numbers that change every 60 seconds or so, and must be used in conjunction with a login/password combination to gain access.

* IP addresses provide a way for servers to identify the geographic location and Internet connection characteristics of the customer's computer. That computer must match attributes associated with the user's IP address--country of origin, Internet service provider (ISP), Internet connection and routing type--in order to gain access to an account. If not, the user will also need to answer one or more challenge questions.
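As an added illustration of the out-of-band codes described above (not code from the article or from any vendor it mentions), here is a server-side verifier for a code that changes every 60 seconds. The HMAC-based construction, the 6-digit length, the one-step drift window and the replay check are assumptions; the article does not specify how any particular token computes its numbers.

```python
import hashlib
import hmac
import struct
import time

STEP = 60        # the code changes every 60 seconds, as the article describes
DIGITS = 6
DRIFT = 1        # accept one step either side of "now" to tolerate clock skew

def code_for(secret: bytes, counter: int) -> str:
    # HMAC-based truncation, assumed here (the construction HOTP/TOTP tokens use)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def current_code(secret: bytes, now: float) -> str:
    # what the customer's phone or token would display at time `now`
    return code_for(secret, int(now) // STEP)

class OobVerifier:
    """Bank side: the per-customer secret plus the last counter accepted, so a code
    captured by a keylogger cannot be replayed within its 60-second lifetime."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code: str, now: float = None) -> bool:
        # second factor only: the caller has already checked the login/password
        counter = int(now if now is not None else time.time()) // STEP
        for c in range(counter - DRIFT, counter + DRIFT + 1):
            if c <= self.last_counter:
                continue      # already used, or older than one already used
            if hmac.compare_digest(code_for(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```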

Some technology purists may argue that these approaches don't meet the traditional, textbook definition of two-factor authentication, in that they are not specifically authenticating a user's identity. While each of these approaches does verify the user's computer rather than the individual customer's identity, for many banking situations they provide a more-than-sufficient response to establishing an acceptable second authenticating factor.

By widening the range of acceptable factors, the FFIEC has strived to increase the adoption of multi-layered authentication without overly burdening financial organizations with strict requirements. Aside from requiring great cost and effort to implement, any such requirements might well be beyond an individual organization's assessed level of risk.

The best route

Once banks and other financial services firms have thoroughly assessed their online banking offerings and determined any risks or vulnerabilities, a secure and sufficient two-factor authentication system can be decided upon to meet the associated level of risk.

Some of the larger online financial sites and institutions have taken the step of distributing memory cards and USB keys to all of their customers. This may make sense for an organization large enough to absorb the costs of such an investment in technology and customer re-education, but it's far from a universal solution. Aside from the obvious money and effort involved in taking this route to employing two-factor authentication, there is also another, similarly less palatable aspect to this strategy.

Distributing a physical item to a financial customer can be a problem because of the way today's consumers use online financial services. Consumers are no longer tied to a single financial institution. Most have, in fact, more than one online account that they access regularly.

Often, a single consumer will have multiple bank accounts in addition to a mortgage, home-equity line, various credit products, stock-trading accounts, alternative payment services and much more. Each of these many accounts, according to the FFIEC guidelines, now requires some form of two-factor authentication. Physically possessing--and carrying around for access--a separate key linked to each of these accounts is a cumbersome and unrealistic responsibility to impose on the consumer.

Concern for a positive customer experience has led most organizations to adopt a soft approach, usually employing some degree of mutual authentication and IP criteria combined. In essence, rather than distributing a physical token, the banking site places an electronic version of that key on the user's computer, which in turn becomes the second factor--aside from the user ID/password combination--needed to log on. Essentially, the user's computer itself becomes the "something you have."

The process is transparent to the customer. During the initial online account setup, the computer being used is identified by way of IP address or some other identifying factor. The online banking site then sets a unique software token on that particular machine. Subsequent visits by the same computer are verified, in conjunction with the user ID/password, by the existence of that token. This is by far the most unobtrusive way to integrate two-factor authentication. As long as the same computer is used to access the account, the consumer will continue to log on unchallenged.

If the consumer uses multiple computers to access his or her account, subsequent machines must be individually verified. Generally, upon attempting to access the account from a new computer, the user will receive an e-mail from the bank at his or her address of record. The message alerts the consumer to the fact that a new machine is seeking authentication and access to the account. Once the consumer responds to that e-mail and answers a user-defined security question, the new computer is sent its own unique electronic token, similarly linked to the user's account.
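The soft-token flow described in the preceding paragraphs, sketched in Python as an added example (not code from the article or from Data-Vision): the password is the first factor, a token previously placed on the customer's computer plus the IP attributes recorded at setup form the second, and a new machine is routed through an e-mail acknowledgement and the user-defined security question before receiving its own token. The account record, the IP attribute set and the e-mail nonce are assumptions made for the example; only hashes of tokens and answers are stored so a leaked database does not hand out working credentials.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
# Constructed account record: salted password hash, IP attributes seen at setup,
# hashed security answer, hashes of issued device tokens, open e-mail challenges.
@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    ip_profile: dict
    answer_hash: bytes
    device_tokens: set = field(default_factory=set)
    pending: set = field(default_factory=set)

def kdf(secret: str, salt: bytes) -> bytes:
    # slow salted hash: a leaked store must not reveal passwords or answers
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def fingerprint(token: str) -> bytes:
    # tokens are high-entropy random strings, so a plain hash suffices for storage
    return hashlib.sha256(token.encode()).digest()

def enroll(password: str, answer: str, ip_profile: dict) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, kdf(password, salt), dict(ip_profile), kdf(answer, salt))

def issue_device_token(acct: Account) -> str:
    # the "electronic key" placed on a verified computer; only its hash is kept
    token = secrets.token_urlsafe(32)
    acct.device_tokens.add(fingerprint(token))
    return token

def login(acct: Account, password: str, device_token, ip_profile: dict):
    """Return ('ok', None), ('challenge', nonce) or ('denied', None)."""
    if not hmac.compare_digest(kdf(password, acct.salt), acct.password_hash):
        return ("denied", None)  # first factor failed; never say which factor
    known = device_token is not None and fingerprint(device_token) in acct.device_tokens
    same_ip = all(ip_profile.get(k) == v for k, v in acct.ip_profile.items())
    if known and same_ip:
        return ("ok", None)      # same computer as before: logs on unchallenged
    nonce = secrets.token_urlsafe(16)  # goes into the alert e-mail to the address of record
    acct.pending.add(nonce)
    return ("challenge", nonce)

def complete_challenge(acct: Account, nonce: str, answer: str):
    # e-mail acknowledged (nonce returned) plus correct answer enrolls the new machine
    if nonce not in acct.pending:
        return None
    acct.pending.discard(nonce)  # single use, whether or not the answer is correct
    if not hmac.compare_digest(kdf(answer, acct.salt), acct.answer_hash):
        return None
    return issue_device_token(acct)
```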

Nothing is perfect

When trying to derail the most common phishing and fraud schemes, employing two-factor authentication is a significant step in the right direction. But it should be noted that while far more effective than single-factor authentication, even multi-factor authentication is not an entirely foolproof method of stopping all attacks.

For example, on its own, two-factor authentication cannot provide sufficient defense against what are known as "man in the middle" (MITM) attacks. MITM attacks essentially establish a proxy server between the customer and the actual banking site (usually by way of some combination of e-mail phishing and site spoofing) that then becomes an invisible conduit between the two authenticated parties.

Trojans and other forms of malicious software can be hidden on the customer's computer, often installing backdoors to control the machine, key loggers to capture and transmit privileged information, or "piggybacking" on the user's secure connection to an institution to enact fraudulent transactions. Such sophisticated attacks can often bypass, or even subversively engage, two-factor authentication.

But while two-factor authentication may not alone be capable of warding off all possible attacks and intrusions, it does go a long way toward eliminating--or at very least substantially mitigating--the pervasive threats posed by phishing scams and other attempts at gaining access to a customer's account. The FFIEC recognized this in crafting its guidelines, understanding that losses could be greatly curtailed by eliminating what has become one of the most wide-reaching risks to online banking security.

Factoring for success

The FFIEC guidelines have been in effect since the end of 2006. Most organizations bound by the guidelines are already employing some form of two-factor authentication on their Internet-facing sites. Which form these implementations take is largely decided by internal risk assessments, organizational size and, to some degree, market factors.

For those in the process of establishing new online components or overhauling current online banking sites, the easiest route might be to employ or partner with a vendor that utilizes a soft approach to two-factor authentication.

Electronic tokens are unobtrusive, and their distribution and use are a seamless affair for the end customer. When combined with challenge questions, e-mail confirmations and traditional ID/password combinations, electronic tokens deliver a high degree of security, but with significantly less cost and effort than, for example, distributing thousands of USB keys and teaching customers how to use them.

Whatever route a company takes in meeting the FFIEC guidelines, it should be done knowing that the entire industry benefits when individual firms incorporate two-factor authentication. Reducing the effectiveness of phishing schemes and protecting access to funds and privileged information only serves to increase the overall level of trust between financial services providers and their customers.

Randy Schmidt is president of Data-Vision Inc., Mishawaka, Indiana. He can be reached at rschmidt@d-vision.com.


COPYRIGHT 2007 Mortgage Bankers Association of America Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.
NOTE: All illustrations and photos have been removed from this article.