Skip to content

Making Sure Your Customer Authentication Method is Commercially Reasonable

Answered by: 

We are nervous about the method we are currently using to authenticate our online customers. We require the customer to put in their user name and a four letter password. Do you think this is sufficient?

Your choice of authentication method should be designed to achieve three objectives: l) it should protect your customer's privacy by minimizing the risk of an unauthorized person viewing your customer's account; and 2) it should protect your institution and your customer from potential online fraud; 3) it should promote the enforceability of your electronic agreements and transactions.

The regulators, in the August, 2001 FFIEC "Guidance on Authentication in an Electronic Banking Environment", cite several different methodologies or tools now available to authenticate customers. Although the regulators do not require the use of any specific methodology, they do note that reliable customer authentication is imperative for financial institutions engaging in any form of electronic banking or commerce.

If you are going to rely upon passwords and PINs, keep in mind that three factors contribute to the security they provide:

  • Password secrecy;
  • Password length and composition;
  • System controls.

Whether your current system is sufficient depends largely on what your system controls are, as well as what efforts you are making to enhance password secrecy and adopt prudent guidelines for password composition. In terms of password length alone, the four character password is not exactly bulletproof.

While speaking at a seminar two weeks ago, I conducted an informal, unscientific poll of the approximately 60 banks represented to find out which of the methodologies noted in the FFIEC guidance were being utilized:

  • None were currently using biometric identifiers, although some were exploring their feasibility;
  • None were currently using tokens for consumer customers, but a few were beginning to use key tokens to authenticate commercial customers using their online cash management system;
  • None had begun to rely upon digital certificates using Public Key Infrastructure;
  • All were relying upon passwords for authentication. Approximately 50% were still allowing 4 letter passwords. A few were requiring 8 characters.

So, for what it's worth -- and as I say, this was decidedly unscientific, your current password length falls within the norm.

If you elect to use passwords and PINs to authenticate customers, there are a number of things you can do within the realm of the three factors above to increase security. Here's the advice about passwords I've been giving in seminars for the last five years:

There are five main types of passwords:

  • Passwords created by the user;
  • Passwords that are machine generated;
  • Question and answer codes;
  • Half and Halves;
  • Passphrases.

Let's examine the nature of each of these types of passwords and their advantages and disadvantages.

Passwords created by the user
Passwords created by the user typically have the advantage of being easy to remember because the user creates them and the word or phrase usually has some type of meaning to the user. The high recall rate is an advantage. On the other hand, the very thing that makes the password easy to remember also makes it more vulnerable to cracking by a hacker. People are simply too predictable.

Round up a group of 100 computer users. Ask them to select a password. You can almost guarantee that among those chosen will be spouse's names, kid's names, birthdates, home addresses, pet names, car models, maiden names, and any word that appears within viewing distance of the person's computer. If someone wants to break into a computer system badly enough, a little research will usually yield the information necessary to come up with a working password on the system.

There are several ways you can make user-created passwords more secure:

  • You can require the password to consist of a combination of numbers and letters
  • You can require the password to consist of a combination of upper and lower case letters
  • You can require the password to be a minimum length -- such as eight characters
  • You can strongly discourage the use of the most commonly used passwords, by creating a list of those that should be forbidden, starting with the ones listed above

Passwords that are machine generated
Passwords created by machine have a higher degree of security from the standpoint they are random and will generally consist of nonsensical combinations of letters and numbers that are in no way related to the user. That makes it nearly impossible for hackers to either guess the password by knowing information about the user or to use software that compares passwords to dictionary entries to find a word chosen as a password:

Unfortunately, studies have shown that machine-generated passwords are much more difficult to remember and they increase the likelihood that the users will feel compelled to write them down somewhere in order to keep track of them. Written passwords leave a trail that renders them insecure. Just as a high percentage of customers write PIN numbers on the back of ATM and debit cards, computer users with random passwords will make a written record of them somewhere, generally close to their machine.

If you do choose to use machine generated passwords, keep them fairly short.

Question and Answer codes
With a question and answer code password system, the system administers a set of questions to the user that the user must answer in a particular way to gain access. Questions can range from "What is your favorite color?" to "Where were you born?" The questions should, ideally, be obscure enough that they would defy a clever hacker's research attempts. On the other hand, the information must be such that the user will not have difficulty remembering it and getting it right.

Often, Q&A code schemes are designed so that the questions pop up at numerous times during a day. While this makes the network more secure, it is also extremely annoying for users and can create unwanted delays.

Half and Half
The "half and half" or combination password uses a word that the user chooses and combines it with a nonsense syllable generated by the machine or the network administrator. An example would be "rdScookie". Since part of the password is user generated, it has a higher recall rate than one that is purely random. Instead of the user being required to memorize a lengthy nonsensical set of numbers and letters, the user must simply remember the word they chose, plus a few additional characters. If the number of machine-generated characters is kept fairly small, this type of password is generally workable.

It is easy to see why this type of password has a higher degree of security than one that is purely created by the user. Instead of the word "book", for example, you would end up with something like "book1xi3". Even hacker software has a tough time cracking these passwords.

Passphrases can offer the most secure alternative of all. Rather than a simple word, a passphrase is a combination of words, such as "I was tall when I was twelve." The sentence should be something that the user will remember, but should not be a "trademark" sentence or expression that the user commonly says.

Passphrases, being phrases rather than single words, have a context about them that makes them easier to recall. A passphrase might be a line from a favorite song, a proverb learned as a child, or the punch line of a joke. Guessing a passphrase can be next to impossible and hacker programs aren't equipped to crack them either.

On the negative side, passphrases are lengthier and thus take longer to type in. One typo means the user has to start over again, and this can lead to frustration and loss of productivity.

There is another option that is a variant of the passphrase that combines the best features of a normal passphrase with the simplicity and ease of use of a normal password: the passphrase acronym.

With a passphrase acronym, the user comes up with a sentence, then creates an acronym from it to use as the password. In the example given above, "BankersOnLine is my favorite Internet site." the acronym would be "BIMFIS." Easy to remember, quick to type, impossible to decipher, the use of the passphrase acronym is perhaps the best choice of all.

Miscellaneous Password Tips
A few final considerations:

  • Make it easy for your customers to change their own password. Make that feature prominent. Remind them in your literature that they can change their password and should do so any time they believe their password may have been compromised.

  • Consider the wisdom of requiring users to change their password periodically. There's quite a debate over this. Some experts believe it's essential for security. After all, the longer a password has been in used, the more vulnerable it is to compromise. On the other hand, if you force a customer to change passwords periodically, the password will be harder to remember and there's a greater likelihood the customer will write it down, which makes it inherently more insecure. Check your system's capability to see if it even allows you to force a password change periodically.

  • Customers should be reminded never to write down passwords.

  • Customers should be reminded never to share or disclose passwords either to someone they know or to someone who may be pretending to have a need for the information, such as someone posing as a system administrator for your bank.

First published on 2/11/02

First published on 02/11/2002

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics