A couple of weeks ago, we wrote about a study that seemed to prove that site-to-user authentication was a broken practice. Well, not surprisingly, the purveyors of such technologies took exception to the notion that their product was ineffective. What follows is a response written by Louie Gasparini, co-CTO of the consumer division of RSA, the security division of EMC that sells Passmark site-to-user authentication technology.
"Following the RSA team's review of the recent Harvard/MIT report on online banking website security, we thought it prudent to offer a few comments; these should help answer questions related to the effectiveness of site-to-user authentication technology.
When the site-to-user authentication technology referenced was developed, the intent was twofold; first, it was meant to assure consumers that they were at the correct/legitimate site. Further, the technology was designed to better protect these consumers - with both visible and invisible authentication - which would run behind the scenes.
Many of today's authentication solutions, such as RSA's Adaptive Authentication, are based on a layered approach to security. While the site-to-user image feature is one of these layers, it is not sold as a stand-alone solution. Site-to-user is always coupled with additional user authentication and behind-the-scenes risk analysis.
While the study did a good job looking at how users interact with one security component banks use on their websites, it did not address the safety practices of the consumers who bank online - nor did it address a bank's entire security strategy. Similarly, if a police officer were to examine the value of an alarm system on the front entrance of an apartment complex without taking a look at building residents' individual door locks or the general habits of the residents, this would not provide a full security picture.
While data in the Harvard/MIT report undisputedly shows that 60 users in the study logged into their bank account even though they did not see their selected image, a Gartner study of 5,000 US adults in August 2006 found that most Bank of America online banking consumers found Bank of America's site-to-user authentication both convenient to use and reassuring to their sense of security. RSA's own research and surveys show similar results."
Because we've already aired our thoughts on the study, we'll let the vendor's argument speak for itself. Leave your opinions in our Comments section.