In an industry where millions of bankers move billions of dollars daily, the ability of financial institutions to properly identify who handles these transactions is critical. However, when all it takes to move money is a few keystrokes and a click of the mouse, secure authentication can seem easier said than done.
There’s no denying that network authentication is a critical issue — serious enough for the Federal Financial Institutions Examination Council to set out guidelines in 2005 calling for Internet banking to adopt two-factor authentication by January 2007. That deadline has come and gone, yet many banks are still lagging behind. Why?
Some may be overwhelmed by the multitude of available authentication methods; others may not even know what their alternatives are; while some may simply be the proverbial old dogs wary of learning new tricks.
Still, once the ball starts rolling — when security is a top priority and compliance is a must — financial institutions are often well ahead of other organizations when it comes to deploying solutions to meet the demands of both customers and regulators. One such technology that has gained much traction in recent years is biometrics.
Solutions like fingerprint authentication have been around for a while now, though only recently has the buzz truly begun to build. United Bankers’ Bank of Bloomington, Minn., a correspondent bank in the Ninth Federal Reserve District, was one of the first to roll out a truly extensive biometric deployment starting in 2001 with its initial solution from DigitalPersona, based in Redwood City, Calif.
In all, United Bankers’ Bank has more than 800 bank relationships, 500 checking account banking customers and a total of about 2,500 end-users who require support for secure access to web-based banking transactions. We needed a solution that would guarantee the most secure authentication possible and grant access only to employees and customers authorized to access confidential account information.
The fallibility of usernames and passwords was a real issue. To be effective, a password system must not only require a unique string of letters, numbers and special characters, but must also require that passwords be changed regularly to ensure an adequate level of security. This places a real burden on the thousands of users who often need to memorize several of these passwords for their respective systems and applications, not to mention an IT staff that is constantly handling password reset requests. Ultimately, when all it took to compromise the entire network was one user writing his “private” passwords down on a Post-It note, something had to change.
UBB wanted to safeguard account information accessed by employees and our customers. We were concerned that passwords were too weak an authentication method for protecting confidential data accessed online, particularly by member community banks. Users also needed to be authenticated to initiate checking transactions, especially the wiring of money, through correspondent accounts. Another issue was the high volume of support calls from both internal employees and bank-client customers whose passwords had expired or were forgotten.
Long before the FFIEC formed its guidance, we saw the writing on the wall. We knew that a multi-factor authentication system was needed both to comply with future regulations and to create a tight policy that ensures secure authentication.
After much research into the various options including smart cards, tokens and biometric technologies, UBB chose DigitalPersona to anchor a multifactor authentication and single sign-on system. In selecting a solution, we looked for a system to fulfill three key criteria: provide a maximum level of protection, be easy to use for both users and administrators and be cost-efficient. Fingerprint authentication met these requirements perfectly and the biometric system quickly became one of the core components in UBB’s security strategy.
UBB integrated DigitalPersona Pro Server with Active Directory to provide single sign-on security control and password management for stations on the network. With the simple touch of a finger, authorized UBB employees automatically log in and are authenticated without having to type in their passwords or account information.
UBB remote customers were also provided secure authentication abilities. Through DigitalPersona Online, bank clients log in and authenticate transactions via a fingerprint instead of a password. UBB now has the assurance that the person who requests a wire transfer, accesses bank statements or performs other confidential activities truly is the person authorized to do so.
On top of the factors already set in place through the DigitalPersona system, we added another layer of security by using the unique serial numbers of the actual fingerprint readers to create another form of identification. This gave us multiple factors of authentication years before the FFIEC called for two.
Once the system went live, UBB’s use of fingerprint technology gave us a multi-factor authentication system that was in compliance with FFIEC standards long before the guidance was sent out. By checking the username, fingerprint, sensor ID and IP characteristics of each user, UBB guarantees its compliance with security regulations.
The benefits of the biometric authentication solution are clear:
We were able to start seeing the results quickly, as the system was easy to set up: once installed on the network, we estimate it took under three minutes to enroll each employee. The integration process was a snap, as there was no need to rewrite our custom bank applications and we were able to manage the system from a central server using Active Directory.
UBB saw the potential that biometrics offered and we were not disappointed. For any bank still lagging behind or even for those looking to enhance their current systems, it may be best to meet the security challenge head-on and give it the finger.
Daren Mehl is the assistant vice president of technology for United Bankers’ Bank in Bloomington, Minnesota.
Copyright © BankNews March 2007.