Banks to bring in two-factor authentication

UK banks are planning to introduce two-factor authentication for business customers using online banking services by the end of the year, banking industry trade body Apacs said last week.

The move, which is likely to be followed by the wider roll-out of two-factor authentication for consumers using online banking services, is part of the banks' fight against phishing - criminals using spoof e-mails to obtain people's passwords and account details - which they fear is eroding confidence in online banking.

Apacs is co-ordinating the development of technical standards for two-factor authentication, based on security standards developed by Visa and MasterCard. But it will leave it to each bank to decide how they deploy the technology.

"We are not looking at any requirements of timescales or co-ordinated roll-out," said Tom Salmond, e-commerce consultant at Apacs. "Each bank is looking at applicable time schedules and applicable customer segments.

"Small business customers are likely to be the first. The first deployment is likely by the end of the year."

UK banks are developing technical standards to offer two-factor authentication using a combination of chip and Pin cards and readers to generate one-time passwords.

Other security technologies are also under consideration, including a challenge-response mechanism that would require the bank to e-mail the customer a number to type into a card reader to generate a one-time password.

Another option is a data signing function, which would require the customer to confirm the account number and the amount of money to be transferred when moving money between accounts.

The additional security measures are designed to prevent "man-in-the-middle" attacks, in which a hacker intercepts a one-time password and then uses it to access a customer's online bank account.
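The difference between the challenge-response and data signing options can be seen in a short sketch, added here as an illustration and not taken from the Apacs, Visa or MasterCard specifications. It assumes a key shared between card and bank, HMAC-SHA256 and eight-digit codes; all names and values are constructed.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed code length, not taken from any bank specification

def _code(key: bytes, mode: str, fields: list[str]) -> str:
    # Length-prefix every field so "12"+"345" and "123"+"45" cannot collide.
    msg = mode.encode() + b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"

def response_code(key, challenge):
    """Challenge-response: the code depends only on the bank's number."""
    return _code(key, "respond", [challenge])

def signing_code(key, challenge, account, amount_pence):
    """Data signing: the code also covers the payee account and amount."""
    return _code(key, "sign", [challenge, account, str(amount_pence)])

class Bank:
    def __init__(self, key):
        self.key, self.pending = key, set()

    def issue_challenge(self):
        challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self.pending.add(challenge)
        return challenge

    def accept_transfer(self, challenge, account, amount_pence, code):
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)  # single use, even on failure
        expected = signing_code(self.key, challenge, account, amount_pence)
        return hmac.compare_digest(code, expected)

def demo():
    key = b"constructed-demo-key"  # constructed sample secret
    bank = Bank(key)
    c1 = bank.issue_challenge()
    code1 = signing_code(key, c1, "12345678", 25000)  # customer confirms payee and amount
    genuine = bank.accept_transfer(c1, "12345678", 25000, code1)
    replayed = bank.accept_transfer(c1, "12345678", 25000, code1)  # same code sent again
    c2 = bank.issue_challenge()
    code2 = signing_code(key, c2, "12345678", 25000)
    altered = bank.accept_transfer(c2, "87654321", 25000, code2)  # payee changed in transit
    return {"genuine": genuine, "replayed": replayed, "altered": altered}
```

A code from `response_code` proves only that the card answered the bank's number, whereas a code from `signing_code` is rejected as soon as the account or amount the bank receives differs from what the customer confirmed.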

"The aim is to define which elements of the MasterCard and Visa authentication standards are most applicable in the UK," said Salmond. "Several different options are being reviewed."

Apacs said it expects to complete the technical specifications for the authentication system by early May. Banks are likely to pilot the technology during the summer.
