
Banking on Multifactor Authentication

Desert Schools Federal Credit Union is banking on multifactor authentication

Like many financial institutions, Desert Schools Federal Credit Union got its new multifactor authentication system in place just in time to meet the Federal Financial Institutions Examination Council (FFIEC) 2006 year-end deadline. (See Banks Ready for Compliance Deadline.)

Desert Schools -- the largest credit union in Arizona, with over $2.75 billion in assets, 335,000 members, and about 60 locations across the state -- has already registered most of its 140,000 active online banking users with the new Web-based authentication system, according to Ron Amstutz, vice president and CIO.

"The users have nothing on their end -- everything runs on [the IT] side, and that was very important to us," Amstutz says. "We didn't want anyone downloading any software, cookies, or anything like that."

The authentication application -- Bharosa's Authenticator -- runs on Windows on the credit union's side and layers several checks on each login: username and password, plus an image and text phrase unique to each user. Its KeyPad Authenticator, for instance, is rendered as a graphical keyboard that the user clicks rather than types on; behind the scenes it encrypts the entered authentication data before it is submitted, so a keylogger on the PC or an eavesdropper on the connection does not recover the cleartext credential.

And the new multifactor authentication system not only verifies that users are who they say they are; it also gives users a way to check that they are on the credit union's site rather than a phisher's copy, since the image and phrase shown at login are the ones the member chose at registration, and a fake site would not know them. Credit unions have been prime targets of phishers posing as the member-owned financial institutions.

Amstutz says Desert Schools hasn't suffered any actual phishing site exploits, but parts of its Website have been duplicated by phishers. "We've not had anyone duplicate our online banking logins," he says. "They have duplicated pieces of our Website, but more to gather business information...nothing that would have asked users to put in their password. We've been successful at shutting that down."

Bharosa's TextPad and KeyPad Authenticator tools also check the IP address a member typically banks from, and treat an unfamiliar one as a reason to raise the authentication bar rather than to refuse the login outright: "The first time I went on a trip and did some banking from the airport, it asked me a challenge question" as another level of authentication, Amstutz says.

Most of Desert Schools' online banking members initially are using TextPad, which is rendered as an image of a security badge and protects the text they enter with encryption. "The TextPad gives you an image and phrase, and a box where you type your password," he says. The credit union plans to eventually move all users to the KeyPad, which is designed to keep a man-in-the-middle or a keylogger from recovering the user's keystrokes.
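The login flow described above, as an added example that is not Bharosa's or Desert Schools' code: a small Python model of a server that (1) returns the member's pre-registered image and phrase after the username alone, so the member can verify the site before typing a password, and (2) accepts a correct password from a familiar network but demands a challenge question from an unfamiliar one. The member records, images, phrases and IP addresses are constructed sample data; the stable decoy image for unknown usernames and the rule that a correctly answered challenge adds the new /24 to the member's known networks are assumptions of this example, not behaviour the article describes.

```python
"""Added example (not Bharosa's or Desert Schools' code): site-to-user image/phrase
plus IP-based step-up authentication, with constructed sample members."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

IMAGE_CATALOG = ["desert_sunset", "saguaro", "red_rock", "canyon_river"]  # constructed


def pbkdf2(secret: str, salt: bytes) -> bytes:
    # Slow salted hash for the password and the challenge answer; no cleartext is stored.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Member:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    image: str       # chosen by the member at registration
    phrase: str      # chosen by the member at registration
    question: str
    answer_salt: bytes
    answer_hash: bytes
    known_networks: list = field(default_factory=list)  # networks the member has banked from


class AuthServer:
    def __init__(self):
        self._members = {}
        # Assumption: unknown usernames get a keyed, stable decoy so identify()
        # cannot be used to enumerate which usernames exist.
        self._decoy_key = secrets.token_bytes(32)

    def register(self, username, password, image, phrase, question, answer, first_ip):
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._members[username] = Member(
            username, pw_salt, pbkdf2(password, pw_salt), image, phrase, question,
            ans_salt, pbkdf2(answer.strip().lower(), ans_salt),
            [ipaddress.ip_network(first_ip).supernet(new_prefix=24)],
        )

    def identify(self, username):
        """Step 1: username only. The member checks the returned pair before typing a password."""
        m = self._members.get(username)
        if m:
            return m.image, m.phrase
        digest = hmac.new(self._decoy_key, username.encode(), "sha256").digest()
        return IMAGE_CATALOG[digest[0] % len(IMAGE_CATALOG)], "phrase-" + digest[1:4].hex()

    def challenge_for(self, username):
        m = self._members.get(username)
        return m.question if m else None

    def login(self, username, password, client_ip, challenge_answer=None):
        """Step 2: password plus the network the request came from.
        Returns "denied", "challenge_required" or "ok"."""
        m = self._members.get(username)
        if m is None or not hmac.compare_digest(m.pw_hash, pbkdf2(password, m.pw_salt)):
            return "denied"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in m.known_networks):
            return "ok"
        # Unfamiliar network: raise the bar instead of refusing outright.
        if challenge_answer is None:
            return "challenge_required"
        given = pbkdf2(challenge_answer.strip().lower(), m.answer_salt)
        if not hmac.compare_digest(m.answer_hash, given):
            return "denied"
        # Assumption: a passed challenge enrols the new /24 as a known network.
        m.known_networks.append(ipaddress.ip_network(client_ip).supernet(new_prefix=24))
        return "ok"


if __name__ == "__main__":
    srv = AuthServer()  # constructed member and addresses from documentation ranges
    srv.register("alice", "correct horse", "saguaro", "monsoon season",
                 "First pet's name?", "Rex", "203.0.113.5")
    print(srv.identify("alice"))                                   # ('saguaro', 'monsoon season')
    print(srv.login("alice", "correct horse", "203.0.113.77"))      # ok (home /24)
    print(srv.login("alice", "correct horse", "198.51.100.9"))      # challenge_required (airport)
    print(srv.challenge_for("alice"))
    print(srv.login("alice", "correct horse", "198.51.100.9", "rex"))  # ok
```

Note what each half does and does not defend against: identify() hands the image and phrase to anyone who supplies the username, so the pair defeats a phishing page that cannot relay to the real site but not a live man-in-the-middle that can; the network check in login() is the part an attacker replaying a stolen password from elsewhere trips over, and it is only as good as the challenge answer behind it.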

"We haven't decided on our timeframe for [this] additional security," says Amstutz, who says the credit union invested nearly "six figures" in the system. "We didn't want to jump" too fast into the new format.

Bharosa's Authenticator suite is priced from $0.50 to $5 per user. The credit union also runs Bharosa's Tracker fraud-detection software (also priced from $0.50 to $5 per user) as another level of risk management and security.

The toughest part of the authentication deployment for Desert Schools was the surge in network traffic on the day users started registering. "The first couple of days after the implementation, there were quite a few megs of bandwidth used as people were coming in and choosing images, answering security questions, etc.," Amstutz says. He suggests making sure you have plenty of Internet bandwidth: "We were prepared for a significant increase, but we still reached our limit a few times during those first few days."

His advice for other organizations deploying multifactor authentication: communication, as in getting the word out to your users that the new authentication system is coming.

"We used our on-hold phone messages, newsletters, and we sent out secure messages through our Internet banking software, and postcards" to alert users, Amstutz says. "And the last four days before implementation, every time a user logged into the system he or she got a popup [reminder] they had to click to get to Internet banking."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
