Large US Retail Bank To Bet On PKI With Arcot
October 2, 2006
Glenbrook's Jim Salters files this report:
Even if you've been following the authentication space and the industry dash to comply with the FFIEC Authentication Guidance, it's likely that you've never heard of Arcot. But that may soon change. According to the company, a major US bank will soon announce its plans to deploy ArcotID technology to its millions of retail banking customers. And while this might sound like just another customer win for an authentication solution provider, it appears to represent a dramatically different authentication strategy from anything we've seen so far from a large US bank, with interesting implications.
Arcot's ArcotID technology delivers and manages "software smartcards": small files that securely store one or more digital certificates, together with the private keys that go with them, and that are managed by a browser plug-in on the customer's PC. After an initial enrollment process, in which the customer installs the plug-in and sets up challenge questions and responses for the times they are away from their primary computer, the user experience is virtually identical to the username/password process they are used to. The impact on the customer is minimal; under the hood, however, a powerful cryptographic capability has been established.
Initially, to meet the impending year-end deadline set by the FFIEC, the bank will hold the certificates in its own data center and rely on transaction monitoring (looking at the customer's IP address and other attributes) to decide when to unlock them. Even in this first phase, however, the bank will have made the changes to its internal systems needed to take full advantage of the certificates later.
Once the bank elects to deploy the ArcotIDs to its millions of retail customers (likely next year), it will have become the first major bank that we know of in the US to deploy millions of digital certificates to consumers. The question becomes: what else does the bank have in mind, and what does its business case look like?
This yet-to-be-named bank is probably investing more in this type of solution than its peers are (primarily in updating its internal architecture), but it clearly sees a payoff that justifies the investment. It will not only have introduced stronger, certificate-based two-factor authentication to mitigate current and future security threats, but will have created the opportunity to put those certificates to use in new applications that most other banks will probably not be prepared to offer.
For example, digitally signing electronic documents could dramatically reduce the cost and time required to print, sign, and exchange documents like loan or account applications. Together with an exclusive deal announced earlier this month between Arcot and Adobe that will make signing documents with ArcotIDs possible directly from Acrobat and Adobe Reader 8, this could become a key source of cost savings and speed. In addition, non-repudiation and audit trails could be established for high-risk payments or other transactions previously considered too risky for online banking. Encrypted statements or other messages could be delivered to customers electronically. And the digital certificate could make two-way SSL possible, in which the customer's browser authenticates itself to the bank with its certificate inside the SSL handshake rather than with a password sent over the connection. Security experts seem to agree this would significantly and elegantly mitigate the risk of emerging threats like man-in-the-middle attacks, since the proof of identity is a signature bound to that particular session and cannot be captured and replayed the way a password or one-time code can.
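The two-way SSL point is worth making concrete. The following Go program is an added example, not Arcot's software or anything from the bank's deployment: using only Go's standard library, it stands up a TLS server that requires a client certificate chained to a hypothetical bank CA, then connects three clients: the enrolled customer "alice" holding a bank-issued certificate, a client with no certificate at all, and an impostor presenting a certificate for "alice" issued by a CA the bank never trusted. Every name (bank.example, alice, Bank Root CA, Rogue CA) is an assumption for the illustration, the private keys simply live in memory, and the ArcotID's protected key file and browser plug-in are not modeled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort on error: fine for a demo, not for a library
	if err != nil {
		log.Fatal(err)
	}
	return v
}

// mustCert issues a certificate for cn: a self-signed CA when parent is nil, otherwise a leaf
// signed by parent. Hypothetical stand-in for the bank's issuing CA (assumed, not Arcot's).
func mustCert(cn string, parent *tls.Certificate, eku x509.ExtKeyUsage) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN the client checks on the server cert; inert on a client cert
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS connection over loopback: the server requires a client certificate chaining
// to trusted (the "two-way" part) and returns the CommonName it authenticated, or why it refused.
func handshake(server *tls.Certificate, trusted *x509.CertPool, client *tls.Certificate) (string, error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trusted,
		MinVersion:   tls.VersionTLS12,
	}))
	defer ln.Close()
	var cn string
	errc := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil {
				cn = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
			conn.Close()
		}
		errc <- err
	}()
	cfg := &tls.Config{RootCAs: trusted, ServerName: "bank.example"} // client verifies the server too
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		conn.Close() // under TLS 1.3 Dial can return before the server judges the client cert
	}
	err := <-errc // so the server's verdict, not Dial's error, is the authoritative result
	return cn, err
}

// Scenarios returns the server's verdict for the enrolled customer, for a client with no certificate,
// and for an impostor whose certificate for the same name comes from a CA the bank never trusted.
func Scenarios() (accepted string, noCert, untrustedCA error) {
	bankCA := mustCert("Bank Root CA", nil, x509.ExtKeyUsageAny)
	trusted := x509.NewCertPool()
	trusted.AddCert(bankCA.Leaf)
	server := mustCert("bank.example", bankCA, x509.ExtKeyUsageServerAuth)
	alice := mustCert("alice", bankCA, x509.ExtKeyUsageClientAuth)
	impostor := mustCert("alice", mustCert("Rogue CA", nil, x509.ExtKeyUsageAny), x509.ExtKeyUsageClientAuth)
	accepted = must(handshake(server, trusted, alice))
	_, noCert = handshake(server, trusted, nil)
	_, untrustedCA = handshake(server, trusted, impostor)
	return
}

func main() {
	cn, noCert, untrustedCA := Scenarios()
	fmt.Printf("bank-issued cert: authenticated as %q\nno cert: %v\nuntrusted CA: %v\n", cn, noCert, untrustedCA)
}
```

Run with `go run`: the first client is authenticated as alice, while the other two are refused inside the handshake, before any application data flows. Note what the server never sees in the accepted case: a reusable secret. The client proves possession of its private key by signing that specific handshake, so a phishing site or relay that lacks the key has nothing it can replay, which is exactly what a password or one-time code cannot offer.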
While most large banks appear to be converging on a combination of so-called mutual authentication (replaying an image and text phrase so the customer can recognize the genuine site), transaction monitoring, and knowledge-based or secret questions when suspicious activity is detected, this bank will have taken a vastly different approach, one that could produce a significant competitive advantage in terms not just of security but of cost savings and new revenue opportunities as well.
That is, assuming everything goes according to plan. Watch for more details when the announcement becomes public in the coming weeks...