The Move Toward Multifactor Authentication

For extra protection, companies are using two or more security methods for authenticating a user's identity.

John Edwards

Like the man who wears both a belt and suspenders, the owners of Web sites and applications protected by multifactor authentication are looking to reduce the possibility of accidental exposure. Multifactor authentication combines two or more different security methods for authenticating a user's identity.

The first method usually requires a "what-you-know" response from the person seeking access. This is typically a password, but it can also be the answer to a challenge question such as, "What is your mother's maiden name?" This technique is known as knowledge-based authentication.

The second method is usually based on something a user has in his or her possession. This object is usually a physical device, such as a smart card with a built-in chip or a hardware token that generates one-use-only passwords. Other personally possessed types of items could be a biometricasset, such as a fingerprint or the eye's iris.

Banks Lead the Charge

Multifactor authentication's fundamental goal is to enhance security by making it more difficult for fraudsters to obtain system access. Attack-proof security is a concern shared by many businesses, yet due to the large amounts of money they handle, banks and other financial institutions are at the forefront of the drive toward multifactor authentication. In the United States, the APACS (Association of Payment and Clearing Systems), the FDIC (Federal Deposit Insurance Corp.) and a variety of other banking organizations have all urged banks to begin offering multifactor authentication.

Many banks also view multifactor authentication as a way of enhancing customer confidence. A study conducted earlier this year by Javelin Strategy & Research revealed that 67 percent of consumers in the United States do not bank online for fear of having their identity stolen. Fifty-three percent of those surveyed would like to see banks offer identity-protection software, and 33 percent would like their bank to offer biometrics. The study shows that banks stand to realize a gain of $8.3 billion per year through customer adoption and increased loyalty by making identity-protection software available to their customers.

Many retailers would also like to see increased adoption of multifactor authentication for Web-based sales. Unfortunately, few American Web shoppers have the smart cards, hardware tokens or biometric readers required for such transactions. European shoppers, on the other hand, are ahead of their American counterparts on the multifactor-authentication adoption curve. Multifactor use is on the upswing in Europe, with a growing number of retailers adopting some form of the technology.

Europeans may be more accepting of multifactor authentication due to their experience with the related technology when shopping in brick-and-mortar stores. Until relatively recently, European retail shops didn't have easy access to cheap data lines for online verification of credit card transactions. This forced European retailers to pressure financial institutions to adopt some type of offline multifactor solution, such as a device that a retail clerk could use to scan a smart card-generated code, then compare it with the PIN entered by the consumer. Given this track record, it was more natural for Europeans to adopt multifactor authentication for consumer Web applications as well.

Market Drivers

In the U.S., many online bankers and retailers continue to hope that they will be able to perform authentication without issuing consumers extra hardware or software, such as by using monitoring systems to observe customer behavior and detect any anomalies. Most of these organizations want to focus on their core business and would prefer not to involve themselves in the cost and complexity of technology support. This mind-set has slowed the deployment of multifactor authentication in the United States, except perhaps for certain niche applications, such as high-end investing and corporate cash management.

Still, the prejudice against multifactor authentication may ease in the years ahead, as credit card issuers and financial regulators press their business partners to tighten security. In a 2007 study, financial industry research firm The TowerGroup Inc. reported that online banking is becoming the most powerful tool retail banks have ever deployed, outpacing everything from ATMs to call centers, and is increasing in use at an annual rate of 27 percent. With Web shopping growth also skyrocketing, it seems inevitable that more banks and retailers will eventually embrace enhanced security technologies, with multifactor authentication standing at the front of the line of potential solutions.