Friday, March 16, 2007

Comparing enhanced authentication options for multiple online banking sites

Part 1 of 2. Part 2 Here

The end of 2006 brought the deadline for banking sites to implement enhanced authentication per FFIEC guidance. Recently I've started noticing obvious implementations on a number of different financial websites I use. I don't use enough online banks to compare them all, so maybe this will start a discussion of the quality of the various implementations.

Chase

I logged into my Chase account the other day from a computer I don't ordinarily use. After putting in my proper username and password I was presented with a new page that said I was using a computer I hadn't used before, and that I'd need to confirm my identity using an out-of-band means. I was presented with the options of:
  • Having a security code sent to my mobile phone via SMS
  • Having an automated call placed to my home or mobile number (both already registered on their site) where I would hear a recording of a security code
  • Having an authentication code emailed to me
Chase is obviously employing some form of machine identifier or at least IP address checking. Looks like they only turned it on recently as I had been using multiple computers without issues until the other day.

I chose to have Chase SMS me the authentication code. Their website helpfully told me that I could expect to receive the code within 2 minutes. I presume the dial-out system can back up, so they want to give you some idea of an SLA for receiving the code before you try again.

About 20 seconds went by and I got an SMS to my mobile phone. The message contained an 8-digit security code, and after entering it into the simple web-form on Chase's website I was able to access my account. Subsequent access from the same machine has been trouble free.
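The Chase flow described above (remember the device after a successful password login, and for an unrecognized device send a short-lived 8-digit code over a side channel before granting access) is easy to get subtly wrong: codes that never expire, unlimited guesses against an 8-digit space, or a "remembered device" cookie that can be replayed from any machine. The following is an added example written for this post, not Chase's code or anything the bank has published. It assumes a server-side secret, a caller-supplied delivery function (SMS, voice or email), and an opaque device fingerprint string; the usernames, phone number and secret are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # matches the "expect the code within 2 minutes" window in the post
MAX_ATTEMPTS = 3         # assumption: a small guess budget before the code is discarded
CODE_DIGITS = 8          # the post reports an 8-digit code


class StepUpAuthenticator:
    """Risk-based step-up: skip the out-of-band challenge for a device the user has
    already confirmed, otherwise send a one-time code over a side channel."""

    def __init__(self, server_secret: bytes, deliver, clock=time.time):
        self.server_secret = server_secret
        self.deliver = deliver   # callable(channel, address, code); hypothetical sender hook
        self.clock = clock       # injectable for tests (expiry is wall-clock based)
        self.pending = {}        # username -> (code_hash, expires_at, attempts_left)
        self.trusted = {}        # username -> set of device tokens the user has confirmed

    def _device_token(self, username: str, device_fingerprint: str) -> str:
        # Token is an HMAC over user + fingerprint, so a stolen cookie is useless on
        # a machine with a different fingerprint and cannot be forged without the key.
        msg = f"{username}\0{device_fingerprint}".encode()
        return hmac.new(self.server_secret, msg, hashlib.sha256).hexdigest()

    def _hash_code(self, username: str, code: str) -> str:
        # Store only a keyed hash of the code, never the code itself.
        msg = f"{username}\0{code}".encode()
        return hmac.new(self.server_secret, msg, hashlib.sha256).hexdigest()

    def login(self, username, password_ok, presented_token, device_fingerprint, channel, address):
        """Returns 'denied', 'granted' (known device) or 'challenge' (code was sent)."""
        if not password_ok:
            return "denied"
        expected = self._device_token(username, device_fingerprint)
        if (presented_token and hmac.compare_digest(presented_token, expected)
                and expected in self.trusted.get(username, set())):
            return "granted"
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[username] = (self._hash_code(username, code),
                                  self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self.deliver(channel, address, code)   # out-of-band: SMS, voice call or email
        return "challenge"

    def verify(self, username, code, device_fingerprint):
        """Returns (status, device_token); the token is issued only on success."""
        entry = self.pending.get(username)
        if entry is None:
            return "no_challenge", None
        code_hash, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[username]
            return "expired", None
        if hmac.compare_digest(code_hash, self._hash_code(username, code)):
            del self.pending[username]   # single use
            token = self._device_token(username, device_fingerprint)
            self.trusted.setdefault(username, set()).add(token)
            return "granted", token
        attempts_left -= 1
        if attempts_left == 0:
            del self.pending[username]   # burn the code rather than allow more guesses
            return "locked", None
        self.pending[username] = (code_hash, expires_at, attempts_left)
        return "wrong_code", None


def demo():
    """Walk through the post's scenario with constructed values; returns the states seen."""
    outbox = []   # stands in for the SMS gateway
    auth = StepUpAuthenticator(b"constructed-demo-secret",
                               lambda ch, addr, code: outbox.append((ch, addr, code)))
    first = auth.login("alice", True, None, "fp-laptop", "sms", "+1-555-0100")
    status, token = auth.verify("alice", outbox[-1][2], "fp-laptop")
    second = auth.login("alice", True, token, "fp-laptop", "sms", "+1-555-0100")
    third = auth.login("alice", True, token, "fp-library-pc", "sms", "+1-555-0100")
    return first, status, second, third, len(outbox)


if __name__ == "__main__":
    print(demo())   # ('challenge', 'granted', 'granted', 'challenge', 2)
```

Two design choices worth noting: the device token is bound to the fingerprint, so replaying the cookie from a different machine falls back to a challenge (the last `login` in `demo`), and the code is invalidated after a handful of wrong guesses or after the advertised delivery window, which is what makes a short numeric code acceptable at all.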

Citibank

Starting about a month or so ago I started receiving prompts when logging into my Citibank account that I would need to set up some special security questions, etc. in order to have continued access.

After ignoring the prompts for a few logins, I was finally forced to choose a number of secret questions to answer.

So far I've added a bank account for automated payments, and I've scheduled a payment. In no cases have I been prompted for any extra authentication. The FFIEC guidance allows banks to determine what transactions are "high risk" and consequently to only employ enhanced authentication in those cases. Perhaps I haven't triggered any of the high security items yet on the Citibank site.

Wells Fargo

I have a regular bank account with Wells Fargo. So far I don't think I've had to set up any extra secret questions. I also haven't been challenged for any special authentication when logging in from different machines. I haven't tried to pay any bills yet though, and certainly nothing with a large dollar value. Perhaps I just haven't tripped their triggers yet.


Pretty much the same thing as for Wells Fargo.

If you're using an online bank and have had experience with any of the new enhanced authentication schemes, please let me know. It would be good to catalog what different folks are doing.

And, if I get a chance I'll investigate how Chase is doing their machine-id system to see how robust it is.
