Longer Logins at Online Banks?
Last week, the Federal Financial Institutions Examination Council issued a report recommending that banks tighten up their online-login procedures. The council's guidance says "single-factor authentication" -- where you only need to provide one piece of data, such as a PIN or password, to log in -- is "inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."
Instead, this report (a PDF file) suggests that a second layer of authentication be employed in these cases.
The report's appendix lists a few interesting possibilities. Banks could ask customers to produce a second bit of information (for instance, by answering a preset question after logging in, or by correctly identifying a previously designed image out of a gallery of other graphics). Customers could be required to plug in a USB token or smart card, or submit to some form of biometric identification (such as a fingerprint scanner).
My guess is that only the first idea -- asking customers to produce some other data that only they would know -- will work in practice. It doesn't require customers to use any other hardware, nor does it add measurably to the login process.
But as my colleague Brian Krebs (for whom I'm filling in today and tomorrow) wrote back in August, banks might do better by simply continuing to make proper use of the protective encryption already built into Web browsers in a way that makes it easier for their customers to know when they're on a legitimate site.
Washington Post consumer technology editor