Two factor authentication gets token agnostic at Central Bank of India

Central Bank of India plans to deploy token agnostic two factor authentication solution for internal, as well as external customers.

Central Bank of India, one of the leading public sectors banks in India, has ambitious projects lined up on the information security front. One of the first initiatives on this front has been the bank's inauguration of its independent information security department in May 2009. Central Bank of India plans to deploy a two factor authentication solution in 2010. Dr. Onkar Nath, the chief information security officer of Central Bank of India claims that the bank will be first in India to implement two factor authentications for external as well as internal customers. 

More stories on two factor authentication
Two factor authentication thwarts identity theft at Bank of India

Challenges of two-factor authentication

Considering two-factor authentication? Do cost, risk analysis

Banking on multifactor authentication

At the moment, Central Bank of India is busy with a proof of concept project of two factor authentication. It aims to start the implementation process by end April 2010. The bank has already evaluated various solutions, and decided to handover the entire two factor authentication implementation to TCS. According to Nath, Central Bank of India will use different vendors for two factor authentication and token solutions. These vendors will be chosen by the implementation partner.

Central Bank of India plans to use a token agnostic two factor authentication solution for reasons of flexibility. "When I mention token agnostic, I'm referring to two factor authentication mechanisms using any type of token. The one time password (OTP) can be sent to customer on his cell phone, browser or even a fax machine. So in this case, browser or cell phone becomes the soft token, and fax machine becomes the hard token," explains Nath.

Two factor authentication token will be selected based on the internal and external customer's risk profile. Risk metrics for all kinds of customers will be developed before implementation of the solution. Risk profiling will be undertaken by the bank. If the customer's (whether internal or external) risk profile is of low sensitivity, he will be given a soft token like the use of cell phone or browser. In case of customers with high levels of sensitivity, the authentication will be performed using a hard token.

Although Central Bank of India is still working on the entire configuration of its two factor authentication solution, it aims to frame time sensitive one time passwords (OTP). "So if OTP is configured for a five minute timeframe, it has to be used within that time," says Nath.

For mobile banking, Central Bank of India has developed a separate grid-based authentication method. A grid is provided to customers on the back of their debit card. The bank has implemented this solution for internal employees, and plans to extend it soon to external customers.    

On the need of two factor authentication for internal customers, Nath explains that increasing number of threats are now coming from internal customers. "Besides, it's not a costly preposition, since you anyways set up authentication and hardware security module (HSM) servers for external customer. The cost of a token  goes up to hardly Rs 80 for low end tokens," informs Nath. Nath declines to reveal the entire project's cost.

Read more on Identity and access management products