Consumers Respond Well to Two-Factor Authentication
In spite of doom-and-gloom predictions following the FFIEC’s guidance announcements, financial institutions are able to balance convenience with security
As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year’s Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security.
However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted—in spite of the fact that most of them are unaware of the new regulation.
A recent consumer banking poll conducted by Javelin Research on behalf of Authentify found that 90 percent of consumers would prefer security over convenience or felt neutral about the choice. Over half of those consumers who do not bank online said that the main concern that kept them from transacting online was security.
More than one in five of these consumers were completely unaware of the FFIEC guidance or any requirements for banks to move away from the insecure username and password model, which means that they welcome changes without their banks even having to use the regulations as an ‘excuse’ for the inconvenience.
FFIEC and the Consumer
These numbers vindicate the early adopters of two-factor authentication who started making their deployment plans well before the FFIEC entered the scene. Prior to the agency’s October 2005 declaration that it would force banks to improve authentication practices, consumer outcry over online fraud was only beginning to bubble to the surface. And bank executives worried that strong authentication would detract from one of online banking’s biggest selling points, convenience. In spite of this, there were some such as Zions Bank that decided to move forward before the prod from FFIEC because it was the “right thing to do.”
“It’s like going to an amusement park and you go on a ride that shoots you 300 feet in the air, and we don’t strap you in or give you any restraints because we want you to have the full value of the ride,” says Lee Carter, president of online banking for Zions. “I look at online banking and say, no, we’re gonna strap you in with some strong authentication because it’s for your own good and if you grumble, we’re still keeping you safe. We still strap you in and inconvenience you whether you want us to or not.”
Most analysts agree, however, that those such as Carter were in the minority with their convictions. He said that it would have taken many more years for the conservative financial community to migrate to strong authentication without an arm twist from the regulators.
“Some of the large banks were looking at doing some kind of stronger authentication (before the guidance) but it would be more the exception than the norm to offer strong authentication unless that guidance came out,” says George Tubin, research director for TowerGroup’s financial information security research service. “Banks generally don’t like to make drastic changes with how consumers interface with them. Any time you do anything, it creates confusion and somebody’s not going to like it unless you’re making a drastic improvement in how to interact that’s making it easier. Whenever you do something that causes somebody to go through more steps or interact with you differently, it creates problems so a lot of banks were fairly nervous about that.”
Stories from the Trenches
This convenience factor was definitely the major concern at Parda Federal Credit Union, says Parda’s CIO Melissa Auchter.
“With a single password, we get a lot of phone calls with people forgetting their passwords. So I couldn’t imagine having a password and then a secret phrase or another password or having them remember several things,” says Auchter, who explains that her company installed a strong-authentication solution from BioPassword in response to the FFIEC guidance. “Consumers want to be protected, they expect you to protect them, but they don’t want to be inconvenienced. So our focus was on how to make this easy on our membership.”
Her choice of vendor had largely to do with the fact that their solution required no extra input from the user beyond an initial reenrollment. Carter says that he was in the same boat as Auchter when choosing a solution for ease of use.
“We found out very early on from some research that we did and some that was shared with us that clients didn’t want to carry a hard token around with them,” he says. “They wanted to have something that was portable, something that they could easily use. We wanted also to have a platform system that was flexible enough to allow us to layer on additional security measures in the future for wire transactions, high dollar volume transfers and that type of thing.”
Any good IT person knows that after a deployment they’ll always get more complaints than compliments, he says.
“You know you have a good solution when it’s been very quiet,” he says. “When you don’t hear much from your clients, you know it’s a good option.”
He says that the complaints have been minimal, with even a small number of clients giving positive feedback on the system.
“Acceptance has been very good,” he says. “We’ve had a lot of clients who’ve called saying, ‘We like it – we’re glad you did it – we feel more secure.’”
Similarly, after reenrolling its membership with the new solution, Auchter only received six negative responses. After a few months, however, she was able to even roll that back to five. “I had one of them send me a message back saying ‘I guess you did the right thing after all,’” she says.
Carter believes that this kind of acceptance is a thumb to the nose of those who said that extra authentication measures would ruin online banking. In fact, it has done the reverse for his organization.
“We’ve actually seen the opposite trend,” he says. “We’ve seen some folks come back to the channel because now they feel more secure in transacting business with us. It’s been a real benefit for us. I don’t think we lost any clients. We’d actually gained some back who’d abandoned the channel because of security issues.”
Even though banking customers may not always get back to their institution’s technology department to deliver a pat on the back, surveys such as the Javelin study show that they are increasingly paying attention to security practices.
The banking industry is at a pivotal moment when it comes to authentication. While most institutions have gone through their risk assessments, many of these are still in the process of planning and executing actual deployment of two-factor authentication solutions. If they are able to balance consumer convenience with security and successfully communicate the changes to their customers, they just might have the opportunity to improve the security not only of online banking, but of all online retail as a whole.
“As consumers start to see that banks are using stronger authentication, they’ll start to expect this of other providers,” Tubin says. “So, when you go into PayPal or some other e-commerce sites and they don’t see any type of stronger authentication there, consumers may start to worry. So it will certainly start to drive that sort of mindset.”
Recent Statistics On Authentication and Consumers
- Less than half of consumers listed “Loss of funds” as their key concern should their bank account be stolen
- Beyond username and password, 48 percent of consumers prefer risk-based authentication
- More than 65 percent of consumers access multiple financial institution accounts online
- Approximately 16 percent of surveyed consumers chose not to bank online due to security concerns