At the moment, Central Bank of India is busy with a proof-of-concept project for two-factor authentication. It aims to start the implementation process by the end of April 2010. The bank has already evaluated various solutions, and decided to hand over the entire two-factor authentication implementation to TCS. According to Nath, Central Bank of India will use different vendors for the two-factor authentication and token solutions. These vendors will be chosen by the implementation partner.
Central Bank of India plans to use a token-agnostic two-factor authentication solution for reasons of flexibility. "When I mention token agnostic, I'm referring to two factor authentication mechanisms using any type of token. The one time password (OTP) can be sent to the customer on his cell phone, browser or even a fax machine. So in this case, browser or cell phone becomes the soft token, and fax machine becomes the hard token," explains Nath.
The two-factor authentication token will be selected based on the risk profile of the customer, whether internal or external. Risk metrics for all kinds of customers will be developed before the solution is implemented, and the risk profiling will be undertaken by the bank. If the customer's risk profile is of low sensitivity, he will be given a soft token, such as a cell phone or browser. For customers with high levels of sensitivity, authentication will be performed using a hard token.
Although Central Bank of India is still working on the entire configuration of its two-factor authentication solution, it aims to use time-sensitive one-time passwords (OTPs). "So if the OTP is configured for a five minute timeframe, it has to be used within that time," says Nath.
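The time-bound OTP described above can be sketched as follows. This is an added example, not the bank's or its vendors' code: the `OtpStore` class, the six-digit length and the three-attempt limit are assumptions made for illustration, and only the five-minute window comes from the article.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60  # the five-minute timeframe from Nath's example


class OtpStore:
    """Hypothetical server-side store for OTPs delivered out of band."""

    def __init__(self, ttl=OTP_TTL_SECONDS, max_attempts=3, clock=time.time):
        self.ttl = ttl
        self.max_attempts = max_attempts  # assumed limit against guessing
        self.clock = clock                # injectable so expiry can be tested
        self._pending = {}                # user_id -> [otp, expires_at, attempts_left]

    def issue(self, user_id):
        """Create a fresh 6-digit OTP; any earlier OTP for the user is replaced."""
        otp = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[user_id] = [otp, self.clock() + self.ttl, self.max_attempts]
        return otp  # handed to the delivery channel (cell phone, browser, fax)

    def verify(self, user_id, candidate):
        """Return 'ok', 'expired', 'invalid' or 'locked'."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "invalid"
        otp, expires_at, attempts_left = entry
        if self.clock() >= expires_at:
            del self._pending[user_id]        # outside the window: discard
            return "expired"
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(otp.encode(), candidate.encode()):
            del self._pending[user_id]        # single use: a replay fails
            return "ok"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user_id]        # too many wrong guesses
            return "locked"
        return "invalid"
```

The expiry check runs before the comparison, so a correct OTP presented after the window is rejected as expired rather than accepted.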
For mobile banking, Central Bank of India has developed a separate grid-based authentication method. A grid is provided to customers on the back of their debit card. The bank has implemented this solution for internal employees, and plans to extend it soon to external customers.
On the need for two-factor authentication for internal customers, Nath explains that an increasing number of threats are now coming from internal customers. "Besides, it's not a costly proposition, since you anyways set up authentication and hardware security module (HSM) servers for external customers. The cost of a token goes up to hardly Rs 80 for low end tokens," informs Nath. Nath declines to reveal the entire project's cost.