By the end of 2006, you should no longer be able to log on to your bank's site with just a username and password.
Federal regulators now consider a password alone inadequate for high-risk online banking transactions, and banks are expected to add two-factor (multifactor) authentication or equivalent layered controls by then. That means not only will you have to supply a username and password, you will also have to pass a second, independent check.
Phishing has become so prevalent that banks must take additional precautions to avoid losses. Unsuspecting Internet users are being fooled into handing over their login details by spam emails, sent by scammers, that are dressed up to look like they come from the financial institution itself.
There are three basic ways of identifying a legitimate user: something they know, something they have, and something they are. Two-factor authentication means that two factors from two different categories must be used to allow a login.
The category of something they know covers passwords, PINs, and challenge questions that only the account holder would likely be able to answer, such as place of birth or the ever-popular first pet's name. Note that a password plus a challenge question is still two things you know, and so does not count as two-factor.
Something they have could be a hardware token that plugs into the PC, or a device that displays a fresh single-use password each time it is used.
Something they are could mean a fingerprint or a retina scan.
Requiring two different factors is expected to greatly reduce the effectiveness of phishing. People may still fall into the trap of giving up their login and password, but a phisher who lacks the second factor the bank requires cannot use them, and a one-time password that has already been used is worthless. The one caveat is timing: a one-time password typed into a fake site can be relayed to the real bank while it is still valid, so the second factor raises the bar for phishers rather than eliminating them.
There are a number of different methods that will satisfy the new requirement:
- Card readers that generate a one-time password when the customer's card is inserted or swiped
- Tokens that plug into a USB port
- Password generators that display one-time-use passwords
- Fingerprint or retina scanners
- Scratch-off cards that carry a series of one-time-use passwords
The bank gets to choose the method that will be used.
This could be a significant annoyance to people with multiple bank accounts, since the banks they use may not all pick the same secondary method.
In the worst case, you could need a different device for each bank to access all of your accounts online.
The new rules are being established by the Federal Financial Institutions Examination Council. The full text of their report can be found at http://www.ffiec.gov/pdf/authentication_guidance.pdf