One of the main security problems with passwords is that people rarely change them. When it comes to online banking, some financial institutions have tried to solve this by offering tokens, or small devices that produce one-time passwords. Now, the bank with the most online customers, Bank of America, has rolled out new Internet authentication where the bank sends a six-digit pass code to users’ cell phones. The technique—already popular in some foreign countries—may be the strongest form of authentication yet. 

The greatest strength of the method is that it’s out-of-band, or is sent through a different channel, says George Tubin, a Tower Group research director, on Bank of America’s new service, SafePass. “It will add tremendous strength to what the bank has in place. To get into the account, a hacker would need a user name and password and then have access to your cell phone.”

Because the password can be used only once, and expires ten minutes after being issued, it also protects against the kind of phishing attacks that take users to a fake Web site and capture a username and password. It may also help to thwart Trojan horse software that gets onto a person’s computer and uses a keylogger to capture user names and passwords.

If a suspicious transaction occurs, the real account owner will receive an instant message on their phone. This optional service can be set to help secure money transfers, authorizing new payees in bill pay, and signing in from a computer unrecognized by the bank.

One strength of the method is that so many people carry cell phones, says Tubin. Customers have to make a point of carrying tokens, he says, and they also cost more for a bank. Tokens are useful for customers who make frequent trades, such as online brokerage clients, he says.

The bank launched SafePass mainly in response to customer demands for more security capabilities, says Mike Pennella, a senior vice present and e-commerce products executive with Bank of America. The product will work in conjunction with another security feature, SiteKey, which the bank introduced in 2005. It contains an image, a brief phrase, and a challenge question, helping the bank to verify the customer’s identity and confirming that the site is legitimate.

It’s too early to predict SafePass’s adoption rate, says Pennella. But if other countries are any indication, it could catch on more widely in the United States.

The method has been particularly popular in Australia and New Zealand. A major reason is that both countries tend to process transactions in a matter of hours, according to Tubin, as opposed to in the United States, where transaction processing typically takes days.

In New Zealand, ASB Bank rolled out its NetCode service, with technology from RSA Security, about three years ago. The bank began requiring it for high-value transactions at a time when Internet fraud wasn’t a major problem, says Peter Muggleston, acting head of technology. When attacks became more prevalent about six months later, “we were praised by the media for being cutting edge.”

The bank won customer acceptance by mailing letters and posting information online about the risks of Internet fraud. About 35 to 40 percent of customers are currently enrolled in the service, which is required for online transactions over $500. “Most customers now appreciate and feel safe with it,” he says. 

Even as authentication methods grow stronger, new threats will emerge. While SafePass would protect against “steal-the-password” Trojans, for example, it probably wouldn’t guard against other malicious software that conducts its own transactions once users authenticate, says Bruce Schneier, security author and CTO of BT Counterpane. Companies using strong two-factor methods, such as cell phone passwords, will likely see a drop in fraud in the near term, he says, “but it won’t last indefinitely.”