I'm researching authentication methods, trying to determine the right method for allowing customers to make payments online. Which, in your opinion, is best?
It sounds like you're trying to strengthen your authentication method for online banking to comply with the Federal Financial Institutions Examination Council (FFIEC) guidance.
The FFIEC recommended that two-factor authentication be used for all online banking, in your case, for making payments. If you're not with a bank, two-factor authentication is still a possible option for protecting online commerce, like your business.
But two-factor authentication isn't always the best approach.
To summarize briefly, there are three authentication factors: something you know, something you have and something you are. A user ID and password are examples of something you know. A one-time password (OTP) token or smart card is an example of something you have. Your fingerprint, voice or facial pattern is something you are. Combining two of these methods is called two-factor authentication.
The idea behind two-factor authentication is defense-in-depth. If one factor is breached, the other can still block malicious access.
For Web sites, two-factor authentication can mean customer-issued OTP tokens, or even simple biometric tokens connected to PCs by USB ports. The biometric tokens, which resemble OTP tokens in both size and appearance, check the user's fingerprint.
But both options present problems. First, both require substantial investment in software and hardware to deploy, and they will require ongoing maintenance after that. Second, OTP tokens aren't foolproof. They're susceptible to man-in-the-middle (MITM) attacks, and can sometimes still be circumvented by phishing. Biometrics, on the other hand, despite becoming more lightweight and consumer-friendly, are still difficult for customers to accept.
Before undertaking any of these deployments, do a thorough risk analysis of your online payment system. What types of payments can be made online? Can the Web site only be used to pay bills for a single account, as for a single merchant or credit card, or can money be sent to third parties? Are there limits to the amount of money that can be transferred online?
If the risks are low, as in a single merchant site where only payments can be made, then using user IDs, passwords and SSL would sufficiently protect your site. However, if the risk is greater, as it is with money transfers, consider two-factor authentication, or fraud-monitoring systems.
Fraud-monitoring systems are transparent to the user, work behind the scenes and still allow the customer-friendly features of user IDs and passwords. They can be integrated into your existing Web site with minimal development and less overhead than two-factor authentication systems.
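The answer above sketches three things a practitioner ends up implementing: the "something you have" factor itself (an OTP), the risk questions that decide when to demand it, and the caveat that a relayed OTP still gets through a phishing page. The following Python is an added example to illustrate those points; it is not code from the original answer or from any vendor product. The OTP part follows the published RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms. The `Payment` fields, the `LOW_RISK_LIMIT` of 500, the scoring weights and the demo secret are all constructed for illustration and stand in for whatever your own risk analysis produces.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass


# --- "Something you have": RFC 4226 HOTP and RFC 6238 TOTP -------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, now // step, digits)


@dataclass
class OtpVerifier:
    """Server-side check for one customer's token.

    `window` tolerates clock skew by also accepting the previous step(s).
    `last_step_used` records the newest step already consumed, so a code that was
    accepted once is refused on replay (RFC 6238 section 5.2 recommends this)."""
    secret: bytes
    window: int = 1
    last_step_used: int = -1

    def verify(self, code: str, now: int, step: int = 30) -> bool:
        if not code.isdigit():
            return False
        current = now // step
        for candidate in range(current, current - self.window - 1, -1):
            if candidate <= self.last_step_used:      # already consumed: replay
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step_used = candidate
                return True
        return False


# --- Risk analysis of the payment, mapped to an authentication decision -------

@dataclass
class Payment:
    amount: float
    payee_is_third_party: bool   # money leaves the customer's own accounts
    payee_is_new: bool           # payee was added recently or in this session
    device_known: bool           # browser/device seen before for this customer


LOW_RISK_LIMIT = 500.00          # hypothetical threshold; set from your own risk analysis


def required_authentication(p: Payment) -> str:
    """Hypothetical policy: bill payment to a known payee from a known device and under
    the limit stays at ID/password over TLS; anything riskier steps up to an OTP, and the
    riskiest transfers are additionally held for fraud review (the 'fraud-monitoring' path)."""
    score = 0
    if p.payee_is_third_party:
        score += 2
    if p.payee_is_new:
        score += 1
    if not p.device_known:
        score += 1
    if p.amount > LOW_RISK_LIMIT:
        score += 1
    if score == 0:
        return "password"
    if score <= 2:
        return "password+otp"
    return "password+otp+review"


# --- The caveat: an OTP stops replay, not real-time relay ---------------------

def relay_attack_demo() -> tuple:
    """Real-time phishing: the victim types a fresh OTP into the attacker's fake page, the
    attacker forwards it to the bank first. The code is genuine, so the attacker's request is
    accepted; the victim's own submission of the same code moments later is what gets refused."""
    secret = b"12345678901234567890"       # constructed demo secret (the RFC test vector key)
    bank = OtpVerifier(secret)
    now = 1_700_000_000                    # constructed timestamp
    phished_code = totp(secret, now)
    attacker_ok = bank.verify(phished_code, now + 2)
    victim_ok = bank.verify(phished_code, now + 5)
    return attacker_ok, victim_ok


if __name__ == "__main__":
    print(required_authentication(Payment(50.0, False, False, True)))
    print(relay_attack_demo())
```

The replay check (`last_step_used`) is the part most home-grown OTP verifiers forget, and it is what makes a captured code useless once the legitimate request has landed. The relay demo shows why the answer calls OTP tokens "not foolproof": nothing in the code binds the OTP to the channel or the transaction, so a phishing proxy that forwards it within the validity window wins the race. Transaction-signing tokens or the fraud-monitoring checks that `required_authentication` hints at (new payee, unknown device, amount) are what close that gap.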
Related Q&A from Joel Dubin, past SearchSecurity.com expert