I have heard some rumblings about letting a customer choose their own Log-In ID and passwords and was hoping to get some feedback. Our internet banking product allows a customer to change their password so they have complete control over that (as long as it meets the minimum character length).

Currently, we (the bank) assign the Login ID to the customer and do not allow them to change it. It has been suggested by our management to allow the customer to create their own Login ID at the time of enrollment. I have heard rumblings that this is would not be a good practice.

Has anyone else heard this same rumbling or is anyone willing to share what their bank's practice is? Is there any regulatory guidance out there?

Thanks for your consideration

Does your bank only limit the ability to change information to the "Login ID" only or to the password as well? The primary concern would be that if both are set by the bank and not able to be changed by the user (customer), there is a potential for fraud by employees of the bank.

Currently, the bank assigns the Login ID and that cannot be changed by the customer. The password is under the control of the customer and is unknown to the bank.

My concern is if we now let the customer control both the Login ID and password, as managment is suggesting, we may be more open to Login ID and password combos being compromised because customers will tend to use the same Login ID and password combo they use at other potentially un-secure websites.

There is nothing wrong with requiring that the customer keep the initial Login ID provided since they are capable of changing their password, actually it is common practice among banks to do so.

However, you should be sure that the Login ID is not something that can be easily tied to the customer (i.e. last four digits of the social or account number etc.)rather it should be rather generic.

What do you permit for User IDs? Customers don't like to use SSN or name, it can identify them easily.

User IDs can easily be randomly generated groupings of letters, numbers and other characters that can provide non-specific, non-identifying user names for bank customers. Also, it is always better to use such combinations not only for user names but passwords as well as they are harder to break by hackers. (Example S7#f9&@A) Combinations such as these can be memorized by the user, but are not something that would be easily associated with them as would their child's name, phone number, etc.

Does anyone see problems with giving the customer control over both the Login ID and the password as opposed to the customer controlling the password and the bank controlling the Login ID?

Our online system assigns a 12-digit login ID but the customer has the option of changing it to an alias. Our system also assigns a temporary password the customer must change at first login. The 12 digit ID is always usable as is the alias.

I don't see a problem as long as the system does not allow duplicate Login ID.

You have to anticipate that some customers will not align their user IDs and passwords as you would hope, just as some will write their PIN on their debit/ATM card and some will give others their user ID and passwords. It is just a part of dealing with customers. It is a good idea to inform them of the dangers and risks of making their passwords, etc. too easy to break just as you would tell them that it is something that should be memorized rather than kept on a piece of paper attached to the computer screen. There are risks to everything, it is a management decision as to what steps you are going to take to reduce those risks.

Do you think that combination like this:
"Example S7#f9&@A" are more likely to cause a customer to write it down given the number of ids and passwords customers have to deal with these days? How many passwords like that can a customer remember? Not many. I would prefer to have strong password controls. Signons like that tend to annoy customers, me included. I have 2 bank signons, my mortgage, several credit cards, insurance, a number of newspaper signons including some paid subscriptions (Wall St. Journal, for example), and several subscription genealogy signons, as well as bankers online, Protiviti, American Banker, Sheshunoff, I could go on and on. And you would want me to have a unique xvg97*2r2d2 type signon for every site? I would have to write them all down.

Kaybee,

What you say is true. It is much more difficult to remember such passwords and IDs which often does result in the user writing it down and desiring to change it. But it is also much more difficult for a hacker to break such codes. They do not need to be quite so extreme as the one I listed, however a good password does contain a combination of such things that would not easily come to mind.

I work with persons who do pen testing for many banks and assorted other companies and it takes much longer to break into a persons account if they have such a password than it does if their password is something such as "kansayaku". (Not to say that the customer likes the password, just that it is more secure from this type of intrusion.)

It is a trade off...each bank needs to find the level of security vs convenience they are comfortable with. Do any of you use 2 factor authentication at your banks? I am considering purchasing tokens that we would distribute to our customers that have an ever-changing passcode that you need to log in. I see the down side with the extra "thing" the customer has to carry with them and the added cost, but it may be worth it. Any thoughts on those?

Our customers are allowed to choose their Userid's and password's. Upon enrollment, the Userid cannot be changed by the customer or the bank. The customer's password expires periodically and the customer changes it at that time. The system will lock them out after a certain # of attempts. The system does not allow for duplicate Userid's either.

Has anyone taken a look at Bank of America's new second factor authentication?