Pros and cons of multifactor authentication technology for consumers


Judith M. Myerson, Contributor
05.28.2008


To better protect consumers from identity theft and fraud, all financial institutions use multifactor consumer authentication (e.g., an ATM card plus a PIN). These systems use what you have -- in this example, a card -- as one authentication method and what you know -- in this case, a PIN -- as a second method. This layered defense lets authenticated consumers view their online financial accounts and transactions.

Multifactor authentication is achieved by combining two or three independent credentials to identify a user: what you know, what you have and what you are. A single authentication factor based on what you know is not enough to protect the user.

There are several types of multifactor consumer authentication technology from which to choose. This tip will briefly touch on the various flavors of the technology, the pros and cons of each and how to know which type is right for your financial services organization.

What to consider
Consider the following multifactor authentication schemes:

Fingerprint on smart card
One way of better securing smart cards against loss or theft is to add the customer's fingerprint to them. The upside of the technology is that a fingerprint is difficult to duplicate; no two individuals' fingerprints are exactly alike.

The downside is that although a fingerprint-based system is the most common form of biometrics, it is not 100% reliable. There are a few instances where fingerprints are difficult to scan (e.g., a genetic defect). The system is frequently configured with a backup authentication mechanism -- such as a PIN or password -- that can be entered in the event that the bank can't get a good scan. This additional feature, however, may raise the cost of financial services for consumers.

All financial institutions must comply with the IASC X9.84 Biometric Information Management & Security for the Financial Services Industry on securing biometric information. Banks should consider storing customers' fingerprints on a smart card for use with ATM machines.

Biometrics for secure mobile phones
With biometrics on mobile phones, consumers can securely view their account balances, pay bills and transfer money using mobile applications. Users have a choice of swiping their fingerprints on a scannable area on the phone or on a scanning device connected to the phone. This differs from storing a fingerprint on a smart card, where the ATM is what verifies that the fingerprint is indeed the owner's.

The upside is that it is more convenient for the customer to use a mobile phone tied to biometric data while he or she is on the road. The downside is that it is a bit inconvenient to plug a scanning device into the mobile phone or to periodically clean the scannable area on the phone.

Banks, credit unions and investment securities firms should consider tying a secure mobile phone with biometric data to a person to help prevent a thief from accessing financial applications posing as the phone's rightful owner.

One-time password
For financial services consumers, an OTP makes it more difficult for a thief to gain unauthorized access to their online accounts, because the password changes after each use. The first type of OTP uses a mathematical algorithm to generate each new password from the previous one; a second type is based on time synchronization between the authentication server and the client providing the password. The third type also uses a mathematical algorithm, but the new password is derived from a challenge and a counter rather than from the previous password.

The upside is that by constantly changing the password, the risk of a stolen password being useful is greatly reduced. The downside to OTP is that it comes with significant costs to implement: new hardware tokens need to be supplied to consumers, and the cost of training consumers can also be steep.
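The three OTP flavors described above, as an added example that is not part of the original article: a counter-based code (HOTP, RFC 4226), a time-synchronized code (TOTP, RFC 6238, including the server-side drift window) and a previous-password hash chain (Lamport / S/KEY style). The secret is the RFC test key, used here as a constructed demo value.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test key), not from the article. A real
# deployment provisions a random per-user key held only by the token and the server.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized OTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server side: accept the current time window plus +/- `skew` windows of clock drift."""
    candidates = (totp(secret, unix_time + d * step, step) for d in range(-skew, skew + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def hash_chain(seed: bytes, n: int) -> list:
    """Previous-password OTP (Lamport / S/KEY style): n chained hashes, consumed in reverse."""
    chain = [hashlib.sha256(seed).digest()]
    for _ in range(n - 1):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


def chain_verify(stored: bytes, presented: bytes) -> tuple:
    """Server keeps the last accepted value; `presented` is valid only if it hashes to it.
    Returns (accepted, new_stored). A replayed password hashes to the wrong value."""
    if hmac.compare_digest(hashlib.sha256(presented).digest(), stored):
        return True, presented
    return False, stored
```

The server initially stores the last element of the chain and the user presents the elements in reverse order; the drift window in `verify_totp` is the trade-off between tolerating clock skew and widening the guessable set.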

USB PKI with biometrics
For online transactions, banks and credit unions may consider a hybrid USB and biometric device as a PKI client that consumers can use to authenticate to PKI systems. Consumers plug the device into their laptops, unlock it with their biometric data and then authenticate to the PKI system.

The upside is that biometric data must be verified before a consumer can authenticate to the PKI system. The downside is that if the fingerprint is not scannable, the USB PKI device cannot be used.

Conclusion
Moving up to three-factor authentication, using all three of the technology methods mentioned above, would make it easier for financial institutions to protect consumers against identity theft and fraud. Authentication methods that use biometrics must be configured with a backup authentication mechanism in case, for example, a fingerprint is not scannable.

About the author:
Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, security, information assurance, financial, RFID technologies and project management.
