Sitekey is a technique used by many financial institutions to protect your account. How it decides to ask you additional questions can be a puzzle.
Lately, even if all cookies have been deleted, my online banking site doesn't bother to ask me my security questions but goes straight to the password entry screen. If I log on from a different machine, however, it does ask the security questions. This also seems to happen with the site of my credit card company. What could possibly be causing this?
Sitekey is a technique being used by many financial institutions as a way of more securely making sure you are who you say you are when you log in. They claim that it's stronger security; however, some security experts disagree with that assessment.
Stronger or not, it's there. How it works and how it decides to ask you your additional questions are all kind of mysterious.
To start with, your question implies an assumption - an assumption that may not be true.
You're assuming your bank is using cookies.
Here's Bank of America's description of what they do:
When you sign in, we attempt to recognize your computer as one you've used before to access Online Banking. You'll find the choice to remember the computer when you enroll, or when you sign in from a computer we don't recognize. We use a variety of methods to recognize the computers that you use to ensure your safety and protection.
Note the phrase "We use a variety of methods...". Wonderfully vague, no? Other banking institutions use similarly vague descriptions.
Certainly cookies might be used in a situation like this. Personally I'd be a little concerned if they were, since cookies are a convenience but certainly not necessarily a security tool. For example, I don't think it'd be too difficult for someone targeting your bank to spoof the cookies needed to get past that portion of the authentication scheme.
My guess (and I must stress it's only an educated guess) is that cookies are not being used. Additional information, perhaps the type of browser you're using and/or your IP address, might be recorded at the bank rather than on your computer. That information might be associated with your account. Then, the next time you log in to your account using the same IP and same browser, the bank might assume it's from the same place and not need to ask you the additional questions.
An important point is that this additional information does not by itself identify you. All it does is provide the bank with data that increases the probability that you are accessing it from the same computer you were before - a computer you told the bank to remember.
The ultimate goal of Sitekey is simply to require additional authentication beyond your user name and password. If the bank can reasonably assume that you're probably coming from a computer you previously said to trust, then that might be enough. If not, then asking you additional security questions provides that extra level of security.
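The server-side recognition guessed at above can be sketched as follows. This is an added example, not any bank's actual method (which is undisclosed); the names `device_signal`, `DeviceMemory` and `login_steps`, the demo key, and the /24 and /48 network grouping are all assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key (assumption); a real service would load a secret from a key store.
SERVER_KEY = b"constructed-demo-key"


def device_signal(user_agent: str, ip: str) -> str:
    """Keyed hash of browser type plus the client's network, kept at the bank."""
    addr = ipaddress.ip_address(ip)
    # Assumption: group by /24 (IPv4) or /48 (IPv6) so small address changes still match.
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    material = f"{user_agent.strip().lower()}|{network}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


class DeviceMemory:
    """Server-side store of the computers each account asked to have remembered."""

    def __init__(self):
        self._remembered = {}  # account id -> set of device signals

    def remember(self, account: str, user_agent: str, ip: str) -> None:
        self._remembered.setdefault(account, set()).add(device_signal(user_agent, ip))

    def login_steps(self, account: str, user_agent: str, ip: str) -> list:
        """Return the screens to show; the password is required in every case."""
        signal = device_signal(user_agent, ip)
        known = self._remembered.get(account, set())
        if any(hmac.compare_digest(signal, k) for k in known):
            return ["password"]
        return ["security_questions", "password"]


if __name__ == "__main__":
    # Constructed sample values; the addresses come from documentation ranges.
    ua = "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
    bank = DeviceMemory()
    bank.remember("alice", ua, "203.0.113.25")
    # Same computer after clearing cookies: nothing stored client-side was needed.
    print(bank.login_steps("alice", ua, "203.0.113.25"))
    # Different machine on a different network: the questions come back.
    print(bank.login_steps("alice", "Mozilla/5.0 (Macintosh) Safari/605.1.15", "198.51.100.7"))
```

Browser type and network are shared by everyone behind the same router using the same browser build, so a match here only decides whether the extra questions are skipped and never stands in for the password.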
For definitive answers on why you are, or are not, being asked additional questions, you'll need to ask your bank, since the implementation is up to them.