All right, Bank of America! “Out of band” MFA is now available!
Bank of America has just done a great, great thing with their multi-factor authentication solution. In a nutshell, they are now allowing customers to optionally sign up for an “out of band” second authentication factor. Isn’t that great! We are completely serious … this is a great step. And since it is optional for users, it sidesteps the whole “oh, it’s too much trouble for users” issue. If users want the added security and are willing to deal with a little extra work, then bingo, they can now do that at Bank of America.
The new solution is called SafePass™. SafePass™ delivers a one-time-use code via text message to a user’s mobile device (aka phone). The code can only be used once and is only valid for 10 minutes. This is very similar to hardware-style tokens such as those from RSA and others, where you press a little button on the device and get a one-time code (typically good for 60 seconds or so).
If you recall the discussion in the previous post, the point was made that “typical MFA” solutions as deployed by banks and credit unions today do NOT really protect a user if there are trojans/viruses involved, and that the only real way to beat some of these eavesdropping viruses is via some form of out of band authentication.
Bank of America has really differentiated here, and we applaud them wholeheartedly for that!
Many institutions are busy having recursive meetings and discussions where they debate the merits of out of band authentication, then lament the added complexity, and they never break out of this circle. OK everyone, BofA has done it, so it’s OK for you to do it now.
Or as Southwest would say, “Ding, you are now free to implement out of band authentication”. (Note: that was a play on “Ding, you are now free to move about the country”.)