The Move Toward Multifactor Authentication

Updated: April 30, 2009

Like the man who wears both a belt and suspenders, the owners of Web sites and applications protected by multifactor authentication are looking to reduce the possibility of accidental exposure. Multifactor authentication combines two or more different security methods for authenticating a user's identity.

The first method usually requires a "what-you-know" response from the person seeking access. This is typically a password, but it can also be the answer to a challenge question such as, "What is your mother's maiden name?" This technique is known as knowledge-based authentication.

The second method is usually based on something a user has in his or her possession. This object is usually a physical device, such as a smart card with a built-in chip or a hardware token that generates one-use-only passwords. The possessed item can also be a biometric trait, such as a fingerprint or the iris of the eye.

Banks Lead the Charge

Multifactor authentication's fundamental goal is to enhance security by making it more difficult for fraudsters to obtain system access. Attack-proof security is a concern shared by many businesses, yet due to the large amounts of money they handle, banks and other financial institutions are at the forefront of the drive toward multifactor authentication. In the United States, the APACS (Association of Payment and Clearing Systems), the FDIC (Federal Deposit Insurance Corp.) and a variety of other banking organizations have all urged banks to begin offering multifactor authentication.

Many banks also view multifactor authentication as a way of enhancing customer confidence. A study conducted earlier this year by Javelin Strategy & Research revealed that 67 percent of consumers in the United States do not bank online for fear of having their identity stolen. Fifty-three percent of those surveyed would like to see banks offer identity-protection software, and 33 percent would like their bank to offer biometrics. The study shows that banks stand to realize a gain of $8.3 billion per year through customer adoption and increased loyalty by making identity-protection software available to their customers.

Many retailers would also like to see increased adoption of multifactor authentication for Web-based sales. Unfortunately, few American Web shoppers have the smart cards, hardware tokens or biometric readers required for such transactions. European shoppers, on the other hand, are ahead of their American counterparts on the multifactor-authentication adoption curve. Multifactor use is on the upswing in Europe, with a growing number of retailers adopting some form of the technology.

Europeans may be more accepting of multifactor authentication due to their experience with the related technology when shopping in brick-and-mortar stores. Until relatively recently, European retail shops didn't have easy access to cheap data lines for online verification of credit card transactions. This forced European retailers to pressure financial institutions to adopt some type of offline multifactor solution, such as a device that a retail clerk could use to scan a smart card-generated code, then compare it with the PIN entered by the consumer. Given this track record, it was more natural for Europeans to adopt multifactor authentication for consumer Web applications as well.

Market Drivers

In the U.S., many online bankers and retailers continue to hope that they will be able to perform authentication without issuing consumers extra hardware or software, such as by using monitoring systems to observe customer behavior and detect any anomalies. Most of these organizations want to focus on their core business and would prefer not to involve themselves in the cost and complexity of technology support. This mind-set has slowed the deployment of multifactor authentication in the United States, except perhaps for certain niche applications, such as high-end investing and corporate cash management.

Still, the prejudice against multifactor authentication may ease in the years ahead, as credit card issuers and financial regulators press their business partners to tighten security. In a 2007 study, financial industry research firm The TowerGroup Inc. reported that online banking is becoming the most powerful tool retail banks have ever deployed, outpacing everything from ATMs to call centers, and is increasing in use at an annual rate of 27 percent. With Web shopping growth also skyrocketing, it seems inevitable that more banks and retailers will eventually embrace enhanced security technologies, with multifactor authentication standing at the front of the line of potential solutions.

Readers interested in seeing multifactor authentication in action need look no further than PayPal.
