SECURITY ARCHITECTURE INSIDER

Pros and cons of multifactor authentication technology for consumers


Judith M. Myerson, Contributor
05.28.2008
To better protect consumers from identity theft and fraud, all financial institutions use multifactor consumer authentication (e.g., systems such as an ATM card plus a PIN). These systems use what you have -- in this example, a card -- as an authentication method and then what you know -- in this case, a PIN -- as a second method. This serves as a layered defense to allow authenticated consumers to view their online financial accounts and transactions.

Multifactor authentication is achieved by combining two or three independent credentials to identify a user: what you know, what you have and what you are. A single authentication based on what you know is not enough to protect the user.

There are several types of multifactor consumer authentication technology from which to choose. This tip will briefly touch on the various flavors of the technology, the pros and cons of each and how to know which type is right for your financial services organization.

What to consider
Consider the following multifactor authentication schemes:

  • Fingerprint on smart card
  • Biometrics for secure mobile phones
  • One-time password (OTP)
  • USB PKI with biometrics

Fingerprint on smart card
One way of better securing smart cards if they are lost or stolen is to add the customer's fingerprint to them. The upside of the technology is that a fingerprint is difficult to duplicate: no two individuals' fingerprints are exactly alike.

The downside is that although a fingerprint-based system is the most common form of biometrics, it is not 100% reliable. There are a few instances where fingerprints are difficult to scan (e.g., because of a genetic defect). The system is therefore frequently configured with a backup authentication mechanism -- such as a PIN or password -- that can be entered in the event that the bank can't get a good scan. This additional feature, however, may raise the costs of financial services for consumers.

All financial institutions must comply with IASC X9.84, Biometric Information Management & Security for the Financial Services Industry, on securing biometric information. Banks should consider storing customers' fingerprints on a smart card for use with ATMs.

Biometrics for secure mobile phones
With biometrics on mobile phones, consumers can securely view their account balances, pay bills and transfer money using mobile applications. Users have a choice of swiping their fingerprints on a scannable area of the phone or on a scanning device connected to the phone. This differs from the smart-card approach, where the ATM is what verifies that the fingerprint is indeed the card owner's.

The upside is that it is more convenient for the customer to use a mobile phone tied to biometric data while he or she is on the road. The downside is that it is a bit inconvenient to plug a scanning device into the mobile phone or to periodically clean the scannable area on the phone.

Banks, credit unions and investment securities firms should consider tying a secure mobile phone with biometric data to a person to help prevent a thief from accessing financial applications posing as the phone's rightful owner.

One-time password
For financial services consumers, an OTP makes it more difficult for a thief to gain unauthorized access to their online accounts, because the password changes after each use. The first type of OTP uses a mathematical algorithm to generate each new password from the previous passwords; a second type is based on time synchronization between the authentication server and the client providing the password; the third type also uses a mathematical algorithm, but the new password is derived from a challenge and a counter instead of from the previous password.

The upside is that by constantly changing the password, the risk of a stolen password being reused is greatly reduced. The downside to OTP is that it comes with significant implementation costs: new hardware tokens need to be supplied to consumers, and the cost of training consumers can also be steep.
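As an added illustration (not code from the original tip), the three OTP flavours described above in Python: a hash-chain OTP where each password is the preimage of the last one accepted (type 1), the HMAC-based counter OTP of RFC 4226 (type 3), and the time-synchronised variant of RFC 6238 built on it (type 2). The server-side verifier shows the two points a practitioner cares about: a consumed password can never be replayed, and a bounded look-ahead window tolerates a token that was pressed without being submitted. Key and seed values are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Type 1: hash-chain OTP (Lamport / S/KEY style). The server enrols the END of
# the chain and only ever stores a value from which the next password cannot
# be derived; the client reveals the chain one step backward per login.
def hash_chain(seed: bytes, length: int) -> list:
    chain = [hashlib.sha256(seed).digest()]
    for _ in range(length - 1):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain  # chain[-1] goes to the server; client submits chain[-2], chain[-3], ...

class ChainVerifier:
    def __init__(self, anchor: bytes):
        self.last = anchor  # last accepted password (initially the enrolled anchor)

    def verify(self, otp: bytes) -> bool:
        if hashlib.sha256(otp).digest() != self.last:
            return False
        self.last = otp  # consumed: the same value cannot be replayed
        return True

# Type 3: HMAC-based counter OTP (the HOTP construction of RFC 4226).
def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Type 2: time-synchronised OTP (TOTP, RFC 6238) is HOTP over a 30-second step.
def totp(key: bytes, now: float = None, step: int = 30) -> str:
    t = time.time() if now is None else now
    return hotp(key, int(t // step))

def verify_hotp(key: bytes, stored_counter: int, code: str, window: int = 5):
    """Server-side check. Looks ahead a bounded window so a token pressed but
    not submitted does not strand the customer; returns the new counter to
    persist, or None on failure. Counters behind the stored one are rejected."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(key, c), code):
            return c + 1  # move past the accepted counter: no replay
    return None

if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed demo key (RFC 4226 test secret)
    print(hotp(key, 0), totp(key, now=59), verify_hotp(key, 0, hotp(key, 2)))
```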

USB PKI with biometrics
For online transactions, banks and credit unions may consider a hybrid USB and biometric device as a PKI client that consumers can use to authenticate to PKI systems. The consumer plugs the device into a laptop, unlocks it with biometric data and then authenticates to the PKI system.

The upside is that biometric data must be verified before a consumer can authenticate to the PKI system. The downside is that if the fingerprint is not scannable, the USB PKI device cannot be used at all.

Conclusion
Moving up to three-factor authentication, using all three of the factors mentioned above, would make it easier for financial institutions to protect consumers against identity theft and fraud. Authentication methods using biometrics must be configured with a backup authentication mechanism in case, for example, a fingerprint is not scannable.

About the author:
Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, security, information assurance, financial, RFID technologies and project management.
