April 2013: Private Site Authentication

Retail banks take different approaches to user authentication: some firms use user-selected images, personal phrases, customer activity tracking, and computer usage patterns. In this edition of Bank Monitor Report, we investigate both the basic and the more advanced client-authentication systems used by each bank, focusing on how firms protect the login process and on the efficiency and visibility of the security offered during login. As we examined each bank’s private site authentication process, we focused on the following issues:

  • Does the public site homepage feature a prominent login field, and are the username and password entered on a single page or across multiple steps?
  • Are clients required to answer security questions when logging in from an unrecognized computer?
  • Can clients reset their passwords via the public site?

For the initial login process, 82% of banks offer a Log In box on the public site homepage, though not all of these include input fields for both the username and the password in that box; the remaining firms offer a standalone Log In page. Six banks offer private site access both via a homepage login box and via a standalone login page. Within the login box or the standalone login page, every firm offers a link to a password reset tool.

A two-factor authentication process, in which account holders enter their username and password on separate pages and the password page displays a security image and phrase, is used by six firms. Additionally, seven firms in this report require customers to answer security questions when accessing the site from an unrecognized computer.

Additional key findings from our report include:

  • Two firms employ a virtual keypad for entering credential information.
  • 76% of banks require users to include both letters and numbers in their password.
  • Four banks do not offer a way for users to recover or update a forgotten User ID.
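The two-page login with a security image and phrase, the security-question step for an unrecognized computer, and the letters-and-numbers password rule, as an added Python sketch that is not code from the report or from any bank surveyed. The account values, the salt, and the HMAC device-cookie scheme used to recognize a computer are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample account (hypothetical values, not from the report).
# Password and security answer are stored as salted PBKDF2 hashes.
def _h(salt: bytes, value: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": _h(_SALT, "harbor2013"),
        "site_image": "lighthouse.png",        # image chosen at enrollment
        "site_phrase": "blue harbor at dawn",  # phrase chosen at enrollment
        "question": "Name of your first pet?",
        "answer_hash": _h(_SALT, "rex"),
    }
}
DEVICE_KEY = secrets.token_bytes(32)  # server secret for signing device cookies

def issue_device_token(username: str) -> str:
    """Cookie value that marks this computer as recognized for `username`."""
    return hmac.new(DEVICE_KEY, username.encode(), hashlib.sha256).hexdigest()

def device_recognized(username: str, token) -> bool:
    return token is not None and hmac.compare_digest(issue_device_token(username), token)

def password_meets_policy(pw: str) -> bool:
    """The 'letters and numbers' rule the report notes for 76% of banks."""
    return bool(re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw))

def login_step1(username: str, device_token=None) -> dict:
    """Page 1: username only. Unrecognized computer -> security question first."""
    user = USERS.get(username)
    if user is None or not device_recognized(username, device_token):
        # Same response shape for unknown users so step 1 does not confirm usernames.
        question = user["question"] if user else "Name of your first pet?"
        return {"next": "security_question", "question": question}
    return {"next": "password", "site_image": user["site_image"], "site_phrase": user["site_phrase"]}

def answer_security_question(username: str, answer: str) -> dict:
    """Correct answer unlocks the password page and issues a device cookie for next time."""
    user = USERS.get(username)
    if user and hmac.compare_digest(_h(_SALT, answer), user["answer_hash"]):
        return {"next": "password", "site_image": user["site_image"],
                "site_phrase": user["site_phrase"], "set_cookie": issue_device_token(username)}
    return {"next": "denied"}

def login_step2(username: str, password: str) -> bool:
    """Page 2: password, shown beside the image/phrase from step 1 (gate on session state in production)."""
    user = USERS.get(username)
    return bool(user) and hmac.compare_digest(_h(_SALT, password), user["pw_hash"])
```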