Wall Street & Technology is part of the Informa Tech Division of Informa PLC



02:16 PM

Site Authentication Method Revealed to Be a Bust

The New York Times reports today (free subscription required) that a new joint study out of Harvard and the Massachusetts Institute of Technology claims that a popular authentication technique is failing its users. Site authentication images - user-chosen images that appear on a Web site when a user logs in to prove the authenticity of the site - are not an effective authentication method.

The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords.

The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, such as looking up account balances. But the researchers had secretly withdrawn the images.

Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.

Ouch! Looks like Bank of America, ING Direct and Vanguard (which, according to the NYT, all use site authentication images) are going to want to rethink their authentication strategies. Bank of America's SiteKey authentication push last year was an authentication image implementation by vendor PassMark (since acquired by RSA). Perhaps further customer education efforts can remedy the problem, but for now it remains clear that the online customer is again proving to be the weakest link in the chain.
