Bank of America's move to stronger authentication delayed

But it still plans to roll out SiteKey for all 14.3M customers by early next year

News Story by Robert McMillan

OCTOBER 21, 2005 (IDG NEWS SERVICE) - Bank of America Corp.'s rollout of a stronger user authentication technology has hit a snag and is now expected to be completed in the early part of 2006, several months later than originally planned.

The Charlotte, N.C.-based bank had expected to make the new authentication service, called SiteKey, mandatory for all of the bank's 14.3 million online banking customers sometime this month, according to Betty Riess, a spokeswoman for Bank of America. "We've made some adjustments in terms of the rollout schedule."

She declined to comment on what caused the delay, saying only that "sometimes when you get to actually doing the implementation, you make adjustments."

Still, a large number of Bank of America U.S. customers are already using SiteKey. The system is in place in the Southeast, Midwest and Southwest, and is expected to be in use in California, the Northeast and the Northwest by year's end, Riess said. Most customers will be forced to adopt the system by year's end, with the final two states -- Washington and Idaho -- going online early next year.

Based on software developed by Menlo Park, Calif.-based PassMark Security Inc., SiteKey is able to recognize when a Bank of America account is being accessed via an unknown computer. It can then generate a predetermined "challenge" question, adding another level of security to the process of logging in. The software also lets users choose a specific image -- a photograph of a dog, for example -- that can then be reshown to users in order to reassure them that they are actually visiting the Bank of America Web site and not some other site masquerading as www.bofa.com.
The SiteKey rollout may put Bank of America ahead of the curve on new federal regulations, which are due to take effect next year (see "Banks get new online authentication guidelines").

Last week, the Federal Financial Institutions Examination Council released guidelines calling for U.S. banks to use a stronger form of authentication than the username and password logins typically used in online banking today. The guidelines call for Internet bankers to add a new form of authentication to their online banking systems by the end of 2006. They do not spell out which techniques to use, leaving banks some leeway to develop their own approaches to stronger authentication.

Though Riess declined to comment on whether or not Bank of America's system meets these requirements, PassMark believes that its software qualifies, according to Mark Goines, PassMark's chief marketing officer.

In addition to Bank of America, PassMark's software is being used by Stanford Federal Credit Union in Palo Alto, Calif., Goines said. Online brokerage Scottrade Inc. is also rolling out the software, he said.