Online transaction security - a different approach

Following on from my comments yesterday about the use of two-factor authentication for online card transactions, it seems the Bank of America (BoA) is taking a different tack, and avoiding the need for a physical token.

The BoA's Sitekey service, which has already been rolled out to 14.5 million of the bank's customers, and should be available to all US customers by the end of the year, requires users to pick an image, write a key phrase and select three challenge questions.

Whenever a bank customer accesses a Web site that accepts BoA cards, the site triggers a secure cookie which will only interact - says the bank - with official Web sites.

Only if the cookie triggers correctly, will the site then take users through the security procedure. Once the procedure is completed, only then will BoA allow the customer to use their card.

The Sitekey service is optional at the moment, but the bank has warned its customers it will become mandatory for all online purchases at some stage in the future.

Bank of America was one of the prime movers in the 1960s when the Visa card system got rolling. If the bank is planning a move to mandatory usage of authentication tokens for online transactions, then you can bet your bottom dollar that it will be a global system within a relatively short space of time.

UK banks and card issuers are reticent to talk about their usage of two-factor authentication tokens, but Lloyds-TSB has expressed satisfaction with its trial - involving 30,000 users - which started earlier this year.

The system is now in active use by customers when logging into the bank's e-banking system, which requires users to tap in an ID, password and a six digit number from the token...