REDUCING PASSWORD BREACHES AND PHISHING
Secure systems usually require a password for entry. A 4-digit PIN or a ten-character password of letters and numbers is intended to prove your identity to the system.
But recent attacks show that passwords alone no longer suffice. A 4-digit PIN is not difficult to guess, and keyloggers and phishing scams have shown that even a strong password is easy to steal. Security professionals now recommend combining several authentication methods for system entry.
‘Multi-factor’ authentication combines two or more independent kinds of proof: something you know (a password or PIN), something you have (a card or token), or something you are (a biometric). It is ideal in situations that demand a high degree of certainty about identity, such as access to confidential data or critical infrastructure.
ATM cards are a good example of dual-factor authentication: users must have a card and know a PIN to transact business. A third kind of factor is a physical identifier such as a fingerprint or retinal scan.
Why does multi-factor authentication work so well? Any single method has drawbacks, but a combination of methods reduces the probability of a breach because an attacker must defeat each factor separately. Suppose your login requires a password and a physical device. If the password is compromised, the account remains protected because access still requires the device. This protection depends on the factors being genuinely independent, so that compromising one does not also expose the other.
With an increasing number of remotely accessed applications and growing regulatory concern about information compromises, multi-factor authentication has become far more important for banks. Regulators strongly recommend dual-factor authentication for staff who need remote access to systems, such as loan originators and system administrators. It has additional uses inside the bank as well.
Some European banks protect their customers’ online banking transactions by periodically mailing each user a printed list of one-time passwords. At each login the user must enter a PIN and the requested one-time password from the list; once used, that password is invalid, so a code captured by an attacker cannot be replayed.
Phish No More
Dual-factor authentication removes much of the payoff from online phishing scams. Because two factors are required to reach the account, a victim who types a password into a phishing page has not, by itself, compromised the account: a physical card, a one-time password, or a SecurID token is still needed to complete the authentication, and the phisher has none of them. The remaining risk is a phishing site that relays a freshly entered one-time code to the bank in real time, which is why codes that expire quickly or are tied to a specific transaction offer the strongest protection.
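The following is an added example, not code from the original article or from any bank's system, showing the server side of the scheme described in the two paragraphs above: a password (something you know) checked together with the next numbered code from a mailed one-time password list (something you have). The class and function names, the PBKDF2 round count and the lockout threshold are assumptions made for illustration. It shows why a phished password alone fails, why a code that has already been used is rejected, and how the list is retired once exhausted.

```python
"""Two-factor login check: password plus a numbered one-time password list.

Added example; not code from the article or any real banking product.
Names, PBKDF2_ROUNDS and MAX_FAILURES are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
from typing import List, Optional

PBKDF2_ROUNDS = 200_000   # assumption: tune to your hardware
MAX_FAILURES = 5          # assumption: lock the account after this many bad attempts


def _pw_digest(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the password; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _otp_digest(code: str) -> str:
    """Normalise what the user typed (stray spaces, lowercase) before hashing."""
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()


def issue_otp_list(count: int = 10, length: int = 8) -> List[str]:
    """Generate the printed list. The alphabet omits 0/O and 1/I, which are
    easily misread on paper."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return ["".join(secrets.choice(alphabet) for _ in range(length))
            for _ in range(count)]


class Account:
    def __init__(self, username: str, password: str, otp_list: List[str]):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_digest = _pw_digest(password, self.salt)
        # The server keeps only hashes of the codes; the paper list is the only
        # copy of the plaintext, which is what makes it "something you have".
        self.otp_digests = [_otp_digest(c) for c in otp_list]
        self.next_index = 0          # position of the next code to request
        self.failures = 0
        self.locked = False

    def challenge(self) -> Optional[int]:
        """Number (1-based) of the code the login form should ask for, or None
        when the list is exhausted and a fresh one must be mailed."""
        if self.next_index >= len(self.otp_digests):
            return None
        return self.next_index + 1


def login(account: Account, password: str, otp: str) -> bool:
    """Check both factors before returning a verdict, so the response does not
    reveal which one failed. Every wrong attempt counts toward lockout."""
    if account.locked or account.challenge() is None:
        return False
    pw_ok = hmac.compare_digest(_pw_digest(password, account.salt), account.pw_digest)
    expected = account.otp_digests[account.next_index]
    otp_ok = hmac.compare_digest(_otp_digest(otp), expected)
    if pw_ok and otp_ok:
        account.next_index += 1      # the code just used is now invalid
        account.failures = 0
        return True
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True
    return False


if __name__ == "__main__":
    codes = issue_otp_list()                                  # mailed to the customer
    acct = Account("alice", "correct horse battery", codes)
    print("ask for code #", acct.challenge())
    print(login(acct, "correct horse battery", codes[0]))     # legitimate login
    print(login(acct, "correct horse battery", codes[0]))     # replay of a used code fails
    print(login(acct, "correct horse battery", "ZZZZZZZZ"))   # phished password, no list
    print(login(acct, "correct horse battery", codes[1]))     # user continues with code #2
```

The replay and phishing cases fail for different reasons: the replayed code is no longer the one the server is expecting, and the phisher simply does not hold the list. Counting failures toward a lockout matters because the second factor, unlike the password, is short enough that an attacker who already has the password could otherwise try codes at leisure.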
Dual-factor authentication also works on bank PCs and local area networks. Using the smart card logon support built into Windows, a financial institution can deploy dual-factor authentication on its local area networks, requiring each user to present both a password and a smart card to gain access to critical services. Again, while providing multiple authentication factors is more cumbersome, it sharply reduces the chances of an attacker breaking into your critical systems.
If managing more credentials seems daunting, note that dual-factor authentication can also unify your authentication infrastructure, increasing your institution’s security and simplifying password management at the same time. This is done by pairing dual-factor authentication with single sign-on: staff log into the single sign-on application with two factors and are then logged into other services automatically. The result is fewer passwords and greater operational efficiency. It also means the single sign-on credential guards everything behind it, which is exactly why it should be protected by two factors rather than a password alone.
Teller lines are an increasingly popular use of two-factor authentication. Tellers must lock their workstations or log off whenever they leave their areas, to protect confidential financial data from unauthorized access. This can be enforced by requiring a smart card to remain inserted in the teller workstation while it is in use, so that removing the card locks the session. Proximity-based tokens can also confirm that an authorized user is standing within a few feet of the workstation.
In conclusion, dual-factor authentication can greatly increase security by requiring two proofs of identity instead of one. Dual-factor authentication is not a new concept, but its use in securing financial computer networks and Internet resources is growing.
While converting to dual-factor authentication can be a daunting task, consultants are available to help you make the switch. You can also outsource the dual-factor infrastructure to a third-party security provider who handles the authentication mechanisms and manages distribution of the physical devices, such as smart cards, one-time password lists, or SecurID tokens.