
Many Financial Institutions Still Have Not Implemented Multi-Factor Authentication For Their Websites

Category: General Security
Published: 06/02/2007, 13:45  
Editor: Remus Zoica
 
    The fastest-growing segment of the multi-factor authentication customer base is composed of organizations that had previously adopted challenge / response or site authentication image-based systems, according to Sestus Data Company. While many U.S. financial institutions still have not implemented multi-factor authentication for their websites, others are now discovering that the challenge / response or image-based systems they rushed to implement before the deadline fail to meet recent regulatory guidelines. Under the weight of increased regulatory scrutiny, these financial institutions are now turning to Sestus, one of only a handful of vendors whose products meet the regulatory definition of multi-factor authentication.

    In August of 2006 the FFIEC published supplemental guidance in which it clarified what it considered to be true multi-factor authentication. In its supplement, the FFIEC wrote, "True multifactor authentication requires the use of solutions from two or more of the three categories of factors", i.e. something the user "knows" combined with something the user "has" or "is".

    In the months before the FFIEC issued its supplemental guidance, a host of solutions had been introduced to the market promoting variations of the challenge / response approach to authentication, usually mixed with image verification. The most important of these was Passmark Sitekey, a company that rode to notoriety largely on the strength of its early adoption by Bank of America.

    Many challenge / response systems make no pretense of retrieving anything the user "has" or "is", relying entirely on things the user "knows". They solicit login IDs, PINs, and personal data at different times in the process, obscure the entered data with on-screen keypads, sliders, and dials, and show pre-selected user images when finished. Their vendors assure ill-informed buyers that their solution will satisfy the regulatory requests, and they cite well-known organizations such as Bank of America to substantiate their claims.

    Challenge / response systems work by asking for information in response to challenge questions. Some of these systems try to retrieve cookie files and other information previously stored on the user's computer, thus retrieving something the user "has". When this information cannot be found, as would be the case for millions of internet users who regularly clear their web browser's internet cache, these systems fall back on soliciting more of what the user "knows" in the form of challenge questions, such as "What is your mother's maiden name?" If the questions are answered correctly, the systems often show a pre-selected image to the user, supplying yet another piece of information the user "knows". Even the most successful challenge / response systems are therefore only occasionally multi-factor, an inconsistency that falls short of the regulatory requirements.
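
The cookie-then-fallback flow described above can be audited per login by counting the distinct factor categories that were actually verified. The following is an added example, not code from the article or from any vendor it names; the evidence names, their mapping to categories, and the sample sessions are assumptions constructed for illustration.

```python
from enum import Enum


class Factor(Enum):
    KNOWS = "knows"
    HAS = "has"
    IS = "is"


# Assumed mapping of login evidence to the three categories quoted from the
# FFIEC supplement; the stored cookie counts as "has", as the article treats it.
EVIDENCE_FACTOR = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "challenge_question": Factor.KNOWS,
    "device_cookie": Factor.HAS,
    "fingerprint": Factor.IS,
}


def factors_used(evidence):
    """Distinct factor categories verified during one login."""
    return {EVIDENCE_FACTOR[item] for item in evidence}


def is_multifactor(evidence):
    """Two or more of the three categories, regardless of how many checks ran."""
    return len(factors_used(evidence)) >= 2


def challenge_response_login(cookie_present):
    """Model of the described flow: use the stored cookie, else ask a question."""
    fallback = "device_cookie" if cookie_present else "challenge_question"
    return ["password", fallback]


def audit(sessions):
    """Ids of sessions that completed with fewer than two factor categories."""
    return [sid for sid, evidence in sessions if not is_multifactor(evidence)]


SESSIONS = [  # constructed sample sessions
    ("s1", challenge_response_login(cookie_present=True)),
    ("s2", challenge_response_login(cookie_present=False)),  # cache cleared
    ("s3", ["password", "pin", "challenge_question"]),       # three checks, one category
    ("s4", ["pin", "fingerprint"]),
]

if __name__ == "__main__":
    for sid, evidence in SESSIONS:
        print(sid, sorted(f.value for f in factors_used(evidence)), is_multifactor(evidence))
    print("single-factor sessions:", audit(SESSIONS))
```
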

For more information visit http://www.sestusdata.com/