US Bancorp teams up with VeriSign on banking security

US Bancorp will use a hardware-token based authentication service from VeriSign to secure access to commercial banking services...

US Bancorp will use a hardware-token based authentication service from VeriSign to secure access to commercial banking services for its customers.

The bank will use VeriSign's Unified Authentication service to validate and secure interactions with commercial banking customers, providing them with a secure USB token that they must use when accessing services online.

The deal is just the latest evidence of renewed interest in so-called "multifactor" authentication within the banking industry, which is struggling with an epidemic of sophisticated online identity theft scams, according to Judy Lin, executive vice-president for VeriSign's security services.

As part of the programme, US Bancorp will make VeriSign security tokens available to more than 10,000 commercial banking customers. Those tokens will hold a digital certificate that identifies the bearer and will need to be inserted into machines before accessing web-based commercial banking applications, Lin said.

The Unified Authentication service combines VeriSign-branded eToken USB authentication devices from Aladdin Knowledge Systems with a managed validation service that runs on VeriSign's infrastructure.

It also includes software modules that plug into a bank's existing back-end infrastructure. Banks can also choose to operate their own validation server as part of the service, Lin said.

At US Bancorp, the authentication service will be integrated with existing user directory and identity management technology, validating interactions between the bank and its customers. A server operated by VeriSign will handle token validation, but no customer information will leave US Bancorp's network in the process, she said.

VeriSign launched the Unified Authentication service in September as an extension of its Intelligence and ControlSM Services, which offer businesses network security information and tools.

User login and permission information resides in the customer's user directory, but is linked to a unique serial number for a secure token or other authentication device stored on a VeriSign server. Login requests by users will be passed to the VeriSign server, where a stored algorithm will validate that the serial number of the secure token or the one-time password is valid for the user requesting access, VeriSign said.

US Bancorp  is the eighth largest bank in the US.

The bank is looking into a similar programme for its consumer banking customers, although such a service would likely forgo use of USB hardware tokens, which can cost $20 or more each. Instead, inexpensive solutions such as plastic cards with lists of single-use passwords could be employed, she said. 

Paul Roberts writes for IDG News Service

Read more on IT strategy