Tuesday, April 16, 2024

Number-One E-Banker BofA Adopts Two-Factor Authentication

The cause of strong authentication for Web-based transactions took a major step forward today with the announcement from banking giant Bank of America Corp. that it is implementing a two-factor authentication system for its online banking service. With 13.2 million users, including 6.4 million bill payers, BofA's service is the largest online banking program in the country.

The Charlotte, N.C.-based banking company said it will begin offering the authentication service, which it is calling SiteKey and is being provided by PassMark Security LLC, in the middle of next month in Tennessee. It expects to roll out SiteKey to the rest of the country by year's end.

“This is a major event in the 10-year history of the online authentication business, at a watershed point for the industry,” says Steve Mott, a Stamford, Conn.-based electronic-payments consultant who follows authentication technology.

The bank's move, coming as it does in the wake of a major upsurge in online frauds such as phishing and pharming, leads some observers to expect other large banks to adopt similar technology. It also indicates operators of e-commerce sites may be willing to make significant investments in newer, more secure security systems to protect online transactions. “BofA is getting off the defensive, and I'd expect several major banks to follow suit shortly with some kind of similar response,” says Mott.

Today's announcement also represents a big sale for PassMark Security, a year-old, Redwood City, Calif.-based company that only three months ago signed its first client, Palo Alto, Calif.-based Stanford Federal Credit Union (Digital Transactions News, June 1, 2004 and Feb. 3, 2005).

PassMark's technology relies on so-called two-factor authentication, adding a second factor such as a picture or “challenge question” to the standard single factor, typically a password. It also involves a two-way authentication, with the Web site proving itself genuine to the user at the same time it certifies the user's identity.

Upon enrollment, users select a photo, a bit of text, and a few challenge questions, which can be used when they are not using their personal computers. Logging in, users enter their passwords only when presented with the photo and phrase. This helps guard against spoofed sites, which have become increasingly sophisticated in mimicking the logos and other graphics of genuine e-commerce sites. Site operators can also use the pictures and phrases when sending e-mails to customers. Meanwhile, the site verifies the user by checking his device ID and IP address and matching these data to a transaction history.

While BofA did not release information on the cost of SiteKey, PassMark has said generally that e-commerce sites can license its software for anywhere from 10 cents to $1 per user, depending on the number of images stored. Site operators can install the system as a hardware appliance or use a hosted service from PassMark.

In phishing schemes, criminals use e-mail blasts to gull consumers into visiting fake sites and giving up confidential information, such as PINs, that can be used to commit identity fraud or to loot their accounts. In pharming frauds, consumers are automatically redirected to the fake sites even when they enter the URL themselves, usually through DNS hijacking. The number of sites engaged in phishing reached 2,870 in March, up from 1,755 in December, according to the Anti-Phishing Working Group, an organization of software firms, payment companies, and law-enforcement agencies that tracks the fraud (Digital Transactions News, May 3).
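The two-way login flow described above, modelled as an added example that is not PassMark's or Bank of America's code: the site shows the enrolled photo and phrase only to a recognised device, falls back to challenge questions otherwise, and checks the password last. The class and field names, the `(device_id, ip)` pair standing in for the transaction history, and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def digest(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash: passwords and answers are never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    password: bytes                         # digest of the password
    photo: str                              # image chosen at enrollment
    phrase: str                             # text chosen at enrollment
    challenges: dict                        # question -> digest of answer
    seen: set = field(default_factory=set)  # (device_id, ip) pairs from past sessions

class LoginService:                         # hypothetical model of the described flow
    def __init__(self):
        self.accounts = {}

    def enroll(self, user, password, photo, phrase, challenges, device_id, ip):
        salt = os.urandom(16)
        hashed = {q: digest(a.strip().lower(), salt) for q, a in challenges.items()}
        self.accounts[user] = Account(salt, digest(password, salt), photo, phrase,
                                      hashed, {(device_id, ip)})

    def begin(self, user, device_id, ip, answers=None):
        """Step 1: the site proves itself, but only to a recognised device."""
        acct = self.accounts.get(user)
        if acct is None:
            return {"step": "challenge", "questions": []}
        if (device_id, ip) not in acct.seen:
            if not self._answers_ok(acct, answers or {}):
                return {"step": "challenge", "questions": sorted(acct.challenges)}
            acct.seen.add((device_id, ip))  # remember the newly verified device
        return {"step": "site_key", "photo": acct.photo, "phrase": acct.phrase}

    def finish(self, user, device_id, ip, password):
        """Step 2: the password is checked only after step 1 has succeeded."""
        acct = self.accounts.get(user)
        if acct is None or (device_id, ip) not in acct.seen:
            return False
        return hmac.compare_digest(acct.password, digest(password, acct.salt))

    @staticmethod
    def _answers_ok(acct, answers):
        # Every enrolled question must be answered correctly; none enrolled means no pass.
        return bool(acct.challenges) and all(
            hmac.compare_digest(h, digest(answers.get(q, "").strip().lower(), acct.salt))
            for q, h in acct.challenges.items())
```

The ordering matters on the client side as well: the user types the password only after seeing the photo and phrase chosen at enrollment.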


Digital Transactions