Bank of America moves to two-factor authentication

Bank of America moves to two-factor authentication

Bank of America is working with digital security firm VeriSign to introduce strong two-factor authentication across its network.

The west coast bank is to use the VeriSign Unified Authentication platform to issue tokens for secure communications and transactions across the enterprise. The first tokens will be used for internal applications and corporate clients with particular security requirements.

The VeriSign platform provides a mechanism for managing all types of two-factor authentication credentials, including tokens and smartcards, and is designed to sit within an organisation's existing directory and identity management architecture.

Rhonda MacLean, corporate information security executive at Bank of America, says VeriSign's commitment to open standards was key to the deal, giving the bank the flexibility to keep improving security in the future.

"The financial services industry is moving quickly towards strong authentication," says MacLean. "Strong, two-factor authentication will clearly be an increasingly important component of our security strategy, and we believe open standards will create the co-operation and strong partnerships we need to protect our networks and information today - and tomorrow."

Bank of America is currently embroiled in a legal challenge from a Miami businessman over $90,000 he says was stolen from his online banking account by Latvian cybercriminals. He says the thieves authorised a wire transfer out of his account using access credentials sniffed out by a Trojan keylogging device on his infected PC.

The case highlights growing consumer concerns over the security of online business. A recent consumer study conducted by RSA Security found that 53% of respondents have little faith in traditional user ID/password security schemes. In fact, 21% of respondents refused to conduct business online with their financial institutions due to security fears.

RSA released the results as it announced plans to introduce a pilot consumer authentication service in the second half of 2005 that it will run on behalf of enterprise clients. Initially, the service will support various form factors for RSA's one-time password (OTP) technology, such as SecurID tokens and smart cards. The vendor - which pre-announced the initiative in an effort to pick up on US bank interest in two-factor authentication - has yet to explain how the service will interoperate with competing managed service offerings.

In December, The Federal Deposit Insurance Corporation urged US banks to abandon single password-based ID systems in favour of two-factor authentication following a sharp rise in 'account hijacking' ID theft.

Comments: (0)