Consumers Respond Well to Two-Factor Authentication

In spite of doom-and-gloom predictions following the FFIEC’s guidance announcements, financial institutions are able to balance convenience with security

As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year’s Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security.

However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted—in spite of the fact that most of them are unaware of the new regulation.

A recent consumer banking poll conducted by Javelin Research on behalf of Authentify found that 90 percent of consumers would prefer security over convenience or felt neutral about the choice. Over half of those consumers who do not bank online said that the main concern that kept them from transacting online was security.

More than one in five of these consumers were completely unaware of the FFIEC guidance or any requirements for banks to move away from the insecure username and password model, which means that they welcome changes without their banks even having to use the regulations as an ‘excuse’ for the inconvenience.

FFIEC and the Consumer

These numbers vindicate the early adopters of two-factor authentication who started making their deployment plans well before the FFIEC entered the scene. Prior to the agency’s October 2005 declaration that it would force banks to improve authentication practices, consumer outcry over online fraud was only beginning to bubble to the surface. And bank executives worried that strong authentication would detract from one of online banking’s biggest selling points, convenience. In spite of this, there were some such as Zions Bank that decided to move forward before the prod from FFIEC because it was the “right thing to do.”

“It’s like going to an amusement park and you go on a ride that shoots you 300 feet in the air, and we don’t strap you in or give you any restraints because we want you to have the full value of the ride,” says Lee Carter, president of online banking for Zions. “I look at online banking and say, no, we’re gonna strap you in with some strong authentication because it’s for your own good and if you grumble, we’re still keeping you safe. We still strap you in and inconvenience you whether you want us to or not.”

Most analysts agree, however, that those such as Carter were in the minority with their convictions. He said that it would have taken many more years for the conservative financial community to migrate to strong authentication without an arm twist from the regulators.

“Some of the large banks were looking at doing some kind of stronger authentication (before the guidance) but it would be a more the exception than the norm to offer strong authentication unless that guidance came out,” says George Tubin, research director for TowerGroup’s financial information security research service. “Banks generally don’t like to make drastic changes with how consumers interface with them. Any time you do anything, it creates confusion and somebody’s not going to like it unless you’re making a drastic improvement in how to interact that’s making it easier. Whenever you do something that causes somebody to go through more steps or interact with you differently, it creates problems so a lot of banks were fairly nervous about that.”

Stories from the Trenches

This convenience factor was definitely the major concern at Parda Federal Credit Union, says Parda’s CIO Melissa Auchter.

“With a single password, we get a lot of phone calls with people forgetting their passwords. So I couldn’t imagine having a password and then a secret phrase or another password or having them remember several things,” says Auchter, who explains that her company installed a strong-authentication solution from BioPassword in response to the FFIEC guidance. “Consumers want to be protected, they expect you to protect them, but they don’t want to be inconvenienced. So our focus was on how to make this easy on our membership.”

Her choice of vendor had largely to do with the fact that their solution required no extra input from the user beyond an initial reenrollment. Carter says that he was in the same boat as Auchter when choosing a solution for ease of use.

“We found out very early on from some research that we did and some that was shared with us that clients didn’t want to carry a hard token around with them,” he says. “They wanted to have something that was portable, something that they could easily use. We wanted also to have a platform system that was flexible enough to allow us to layer on additional security measures in the future for wire transactions, high dollar volume transfers and that type of thing.”

Any good IT person knows that after a deployment they’ll always get more complaints than compliments, he says.

“You know you have a good solution when it’s been very quiet,” he says. “When you don’t hear much from your clients, you know it’s a good option.”

He says that the complaints have been minimal with even a small number of clients giving positive feedback on the system.

“Acceptance has been very good,” he says. “We’ve had a lot of clients who’ve called saying, ‘We like it – we’re glad you did it – we feel more secure’”

Similarly, after reenrolling its membership with the new solution, Auchter only received six negative responses. After a few months, however, she was able to even roll that back to five. “I had one of them send me a message back saying ‘I guess you did the right thing after all,’” she says.

Carter believes that this kind of acceptance is a thumb to the nose of those who said that extra authentication measures would ruin online banking. In fact, it has done the reverse for his organization.

“We’ve actually seen the opposite trend,” he says. “We’ve seen some folks come back to the channel because now they feel more secure in transacting business with us. It’s been a real benefit for us. I don’t think we lost any clients. We’d actually gained some back who’d abandoned the channel because of security issues.”

Rising Tide

Even though banking customers may not always get back to their institution’s technology department to deliver a pat on the back, surveys such as the Javelin study show that they are increasingly paying attention to security practices.

The banking industry is at a pivotal moment when it comes to authentication. While most institutions have gone through their risk assessments, many of these are still in the process of planning and executing actual deployment of two-factor authentication solutions. If they are able to balance consumer convenience with security and successfully communicate the changes with their customers, they just might have the opportunity to make not only improve the security of online banking, but of all online retail as a whole.

As consumers start to see that banks are using stronger authentication, they’ll start to expect this of other providers,” Tubin says. “So, when you go into PayPal or some other e-commerce sites and they don’t see any type of stronger authentication there, consumers may start to worry. So it will certainly start to drive that sort of mindset.”

Recent Statistics On Authentication and Consumers

  • Less than half of consumers listed “Loss of funds” as their key concern should their bank account be stolen
  • Beyond username and password, 48 percent of consumers prefer risk-based authentication
  • More than 65 percent of consumers access multiple financial institution accounts online
  • Approximately 16 percent of surveyed consumers chose not to bank online due to security concerns
Source: Javelin Strategy and Research

About the Author

Ericka Chickowski

Ericka Chickowski

Contributing Writer, ISMG

Ericka Chickowski is an experienced business and technology journalist who focuses on information security. Formerly the West Coast Bureau Chief for SC Magazine, her work has appeared in several dozen publications, including the Seattle Post Intelligencer, San Diego Business Journal, Puget Sound Business Journal and Processor.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.