Second factor authentication on Lakshmi Vilas Bank's online plans

Dhwani Pandya, Principal Correspondent
Lakshmi Vilas Bank (LVB), a leading scheduled commercial bank, plans to adopt SMS-based second factor authentication (two-factor authentication) technology for its internet banking transactions. The bank, which has a strong presence in the state of Tamil Nadu, has already completed a proof of concept project for this second factor of authentication. It plans to go live with the second factor authentication solution by the end of June 2010.

In recent times, LVB has observed significant growth in financial transactions through its Internet banking facility. "With Reserve Bank of India's RTGS and NEFT systems coming into place, we saw a significant increase in the number of financial transactions (which were of high amounts as well as risky). So there was a need to bring in a second factor of authentication to ensure safety of financial transactions on internet," says B Murali Nair, the chief technology officer of Lakshmi Vilas Bank.

Earlier, LVB used a 'maker-checker' concept for authentication of transactions, where one person used to initiate the transaction, whereas another person authenticated it. This was mainly used for corporate customers. For retail customers, LVB simply used the username, password and transaction password combination.

In order to meet the new second factor authentication requirement, LVB has decided to use the Snorkel application from Odyssey Technologies, which will generate a dynamic password immediately after the transaction is authorized by the second checker (in the case of corporate users). This dynamic password will be sent to a mobile registered with the bank, and it has to be provided to complete the transaction. Nair informs that this second factor authentication will become compulsory for all corporate account transactions. However, in the case of retail accounts, the bank plans to set a maximum transaction amount limit of Rs 1,00,000. For transactions beyond this amount, users need to satisfy this additional factor of authentication.

Before zeroing in on the SMS-based second factor authentication solution, LVB also evaluated other leading authentication solutions available in the market, including hardware-based tokens and Java-based software applications. "However, we found maintenance as well as user comfort issues when it comes to hardware tokens for second factor authentication. Replacing missing tokens, customers forgetting to carry tokens, or tokens getting damaged were some of the issues. Java-based applications were a costly affair, as they charged on the basis of number of users," explains Nair.

The Snorkel application is basically a Public Key Infrastructure (PKI) gateway to Internet applications that can be deployed with no change to the existing application setup. Nair informs that unlike other applications, Snorkel does not require integration with the core banking application. So there was no need to develop a new interface for the second factor authentication layer, resulting in lower costs.

The bank is currently busy addressing issues related to SMS response time. "Although the SMS response time is 5 to 7 seconds in most cases, sometimes it was more than 20 seconds during our second factor authentication solution's POC. This is not acceptable, as it may irritate the customer. The glitches are basically on the service provider side, and we are trying to fine-tune the application to improve response times," says Nair.