Getting stronger

Last October, an obscure government body called the Federal Financial Institutions Examination Council (FFIEC) issued a security guideline that banks are treating as a mandate. Starting in January 2007, financial institutions must provide consumers of online financial services the same protection enjoyed by customers using a debit card to buy groceries or gas: strong authentication.

Strong means two or more types of identity verification in return for access. At the grocery store or gas station (or, for that matter, the ATM), those two factors are usually a plastic card and a pass code. Online banking, on the other hand, still primarily works with "weak" single-factor authentication: a password.

Strong authentication is meant to take a McGruffian bite out of online crime. And, on the surface, it appears that forcing banks to add a second factor of authentication (such as a fingerprint or a smart card) to a password could improve the deteriorating state of online security. But experts say it's not a slam dunk that a second factor would significantly reduce emerging risks. According to security guru Bruce Schneier, "Two-factor authentication will force criminals to modify their tactics, that's all."

The timing of the requirement has little to do with recent consumer outrage over identity theft. Michael Jackson, chairman of the FFIEC IT subcommittee that drafted the directive, says the organization decided that authentication technology was finally good enough to make a de facto mandate realistic.

Most banks expected this; some were planning two-factor authentication initiatives anyway. Nevertheless, complying with the FFIEC's order may place a significant burden on all but the largest banks.

"To compete, we have to give away Internet banking for free and online bill-paying for free," says Gerald Rome, director of IT at First American Bank & Trust in Vacherie, La. "You can't add this and keep doing everything for free."