The Bank of America is to introduce two-factor, two-way authentication to around 13 million online banking customers...
in an attempt to reduce the threat of phishing attacks and identity theft.
Unlike traditional two-factor authentication, the Bank of America's Sitekey approach does not rely on expensive hardware tokens to generate passwords.
Instead it uses a customer's PC or handheld device as the second-factor hardware device. Technology from security company Passmark takes a "fingerprint" of a customer's computer to verify identification, using HHTP headers, software configurations, hardware settings, IP address and geographic location.
Customers registering for the service choose a picture, write a short phrase and pose three challenge questions to help authenticate the bank to them. When they come to use the service, they enter a log-in name and see the picture and their phrase, confirming it is the bona fide banking site. The customer then enters a password to use the service.
This combined approach is designed to protect against phishing attacks that con users into entering log-in details into spoof online banking sites, which hackers later use to access their accounts.
If the user should try to log into the system from another PC, the Bank of America service will seek answers to the three challenge questions created at registration. The bank argues that this will stop hackers accessing the system, even if they have the password and log-in details.
George Tubin, senior analyst with TowerGroup, said the technology could significantly boost confidence in online banking. "Implementing two-way, two-factor authentication without hardware is a significant step for online banking, particularly when taken by a leading player. This approach is consumer-friendly and makes it possible for the bank to scale rapidly and take it to the whole client base."
The UK banks are planning to introduce two-factor authentication for business customers using online banking services by the end of the year, banking industry trade body Apacs said earlier this month. It is co-ordinating the development of technical standards for a system based on chip and PIN smartcards and a reader that generates a one-time password.