New regulations have spurred growth in the authentication market and paved the way for innovative solutions to meet these requirements and consumer demands. From real-time verification to IP geolocation technologies, vendors are offering cost-effective and unobtrusive authentication products, primarily focused on financial institutions.
In late 2005 the Federal Financial Institutions Examination Council (FFIEC) issued a guidance stating single-factor authentication was no longer adequate for securing online banking transactions. While the guidance did not specify what types of technologies would meet the requirement, it provided a deadline of December 2006 to adhere to the guidance.
"What's important in this guidance is that it really doesn't explicitly state organizations must deploy stronger authentication. The guidance says it must be layered security," said Steve Neville, director of identity products and solutions for Entrust. Banks must interpret the guidance and implement a solution that makes sense for their organization.
"The [FFIEC guidance] has changed the paradigm of what it means to authenticate. Vendors have to come up with solutions that work but are also palatable to consumers and business customers," said Mark Diodati, senior analyst at the Burton Group. And palatable to the consumer can be a tricky proposition: Consumers are unpredictable in their preferences and may not be tech-savvy, increasing help-desk calls and adding cost to the financial institution.
To deal with this concern, vendors have come up with low-cost options for banks. Many have instituted challenge and response questions in which a bank asks for additional information from a consumer to verify their identity or gets known information about the customer and asks additional questions based on it.
"But the devil is in the details," warned Neville. While questions and answers can be fairly straightforward, getting the wrong information can add unnecessary cost. "If you ask a consumer an emotional question such as what is your favorite color, the answer can change depending on their preference at the time," said Neville
Vendors have come up with other solutions. Machine fingerprinting, for instance, establishes the identity of a user's machine--including information such as IP address and favorite browser--and creates a random machine identifier. Another option, IP geolocation, looks at the IP address to determine the assigned country, organization or user. Mutual authentication provides a customer with a picture and a caption they must verify to complete a transaction. Finally, risk-based authentication monitors customers' behavior and escalates verification based on abnormal action.
Biometrics and tokens have not been seen as viable options for typical online banking customers as they are expensive and require back-end integration, analysts said. These strong authentication methods are typically only offered to high-value transactions, they added.
Many hope that the increased security features in IE 7.0 will also help with security. The new SSL certificates warn a user of fraudulent sites, said Neville. While the FFIEC guidance is yet another regulation banks must comply with, some say it has had a positive effect. First, it has drawn a lot of businesses into the strong authentication market, said Sally Hudson, research director for market researcher IDC. Second, the regulation has forced some banks to shore up their security posture and lay the foundation for coupling authentication with fraud detection, said Neville. Meanwhile, the federal government's new mandate may jumpstart the adoption of smart cards in the United States. Homeland Security Presidential Directive 12 (HSPD-12), which took effect last October, requires every agency to use smart cards for physical and logical security.
"This is an unprecedented directive and the first time the president of the United States has said you must do X, Y and Z when it comes to information security," said Shannon Kellogg, director of government and industry affairs for RSA Security. IDC's Hudson expects to see a significant uptake in smart card adoption by the end of the year. But it won't be without hurdles. "There needs to be more integration on the back end with the card management infrastructure layer," said Hudson.
Still, such a wide federal government deployment could help iron out the kinks and make the solution more acceptable to the private sector. "Policy is driving convergence for physical and logical security. If it is successful it will drive more interest on the commercial side," said Kellogg. "This is not something that will happen overnight, but it has the potential to create a ripple effect in the market."