I'm researching authentication methods, trying to determine the right method for allowing customers to make payments...
online. Which, in your opinion, is best?
It sounds like you're trying to strengthen your authentication method for online banking to comply with the Federal Financial Institutions Examination Council (FFIEC) guidance.
The FFIEC recommended that two-factor authentication be used for all online banking, in your case, for making payments. If you're not with a bank, two-factor authentication is still a possible option for protecting online commerce, like your business.
But two-factor authentication isn't always the best approach.
To summarize briefly, there are three authentication factors: something you know, something you have and something you are. A user ID and password are examples of something you know. A one-time password (OTP) token or smart card is an example of something you have. Your fingerprint, voice or facial pattern is something you are. Combining two of these methods is called two-factor authentication.
The idea behind two-factor authentication is defense-in-depth. If one factor is breached, the other can still block malicious access.
For Web sites, two-factor authentication can mean customer-issued OTP tokens, or even simple biometric tokens connected to PCs by USB ports. The biometric tokens, which both resemble OTP tokens in size and appearance, check the user's fingerprint.
But both options present problems. First, both require substantial investment in software and hardware to deploy, and they will require ongoing maintenance after that. Second, OTP tokens aren't foolproof. They're susceptible to man-in-the-middle (MITM) attacks, and can sometimes still be circumvented by phishing. Biometrics, on the other hand, despite becoming more lightweight and consumer-friendly, are still difficult for customers to accept.
Before undertaking any of these deployments, do a thorough risk analysis of your online payment system. What types of payments can be made online? Can the Web site only be used to pay bills for a single account, as for a single merchant or credit card, or can money be sent to third parties? Are there limits to the amount of money that can be transferred online?
If the risks are low, as in a single merchant site where only payments can be made, then using user IDs, passwords and SSL would sufficiently protect your site. However, if the risk is greater, as it is with money transfers, consider two-factor authentication, or fraud-monitoring systems.
Fraud-monitoring systems are transparent to the user, work behind the scenes and still allow the customer-friendly features of user IDs and passwords. They can be integrated into your existing Web site with minimal development and less overhead than two-factor authentication systems.
For more information:
Dig Deeper on Two-factor and multifactor authentication strategies
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.