Helping people with computers... one answer at a time.

Sitekey is a technique used by many financial institutions to protect your account. How it decides to ask you additional questions can be a puzzle.

Lately, even if all cookies have been deleted, my online banking site doesn't bother to ask me my security questions but goes straight to the password entry screen. If I logon from a different machine, however, it does ask the security questions. This also seems to happen with the site of my credit card company. What could possibly be causing this?

Sitekey is a technique being used by many financial institutions as a way of more securely making sure you are who you say you are when you login. They claim that it's stronger security; however, some security experts disagree with that assessment.

Stronger or not, it's there. How it works and how it decides to ask you your additional questions are all kind of mysterious.

To start with, your question implies an assumption - an assumption that may not be true.

You're assuming your bank is using cookies.

Here's Bank of America's description of what they do:

When you sign in, we attempt to recognize your computer as one you've used before to access Online Banking. You'll find the choice to remember the computer when you enroll, or when you sign in from a computer we don't recognize. We use a variety of methods to recognize the computers that you use to ensure your safety and protection.

Note the phrase "We use a variety of methods...". Wonderfully vague, no? Other banking institutions use similarly vague descriptions.

Certainly cookies might be used in a situation like this. Personally I'd be a little concerned if they were, since cookies are a convenience but certainly not necessarily a security tool. For example, I don't think it'd be too difficult for someone targeting your bank to spoof the cookies needed to get past that portion of the authentication scheme.

My guess (and I must stress it's only an educated guess) is that cookies are not being used. Additional information, perhaps the type of browser you're using and/or your IP address, might be recorded at the bank rather than on your computer. That information might be associated with your account. Then, the next time you login to your account using the same IP and same browser the bank might assume it's from the same place and not need to ask you the additional questions.

An important point here is the additional information used here does not by itself identify you. All it does is provide the bank with data that increases the probability that you are accessing it from the same computer you were before - a computer you told the bank to remember.

The ultimate goal of Sitekey is simply to require additional authentication beyond your user name and password. If the bank can reasonably assume that you're probably coming from a computer you previously said to trust, then that might be enough. If not, then asking you additional security questions provides that extra level of security.

For definitive answers on why, or why not, your computer isn't asking you additional questions you'll need to ask your bank since the implementation is up to them.

Article C3172 - October 8, 2007 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

2 Comments
Ken B
October 9, 2007 8:00 AM

My bank uses something called a "SiteKey" as well, but it's for exactly the opposite reason. It's not for the bank to double-check your identity, but rather for you to verify the bank's identity. (That is, it's not a phishing site.)

The login page asks only for your user name, and not for the password. After clicking "log in", you are then given a second page, which shows the "SiteKey" you chose when signing up for online access. It consists of a picture (which you chose from a list) and a phrase (which you typed in), and asks for your password. A phishing site would have no way of knowing what picture and phrase are associated with your username on that bank. (Well, not unless they had some spyware on your system which discovered them when you logged in. But if they had that much access to your computer, they could simply capture your username and password and wouldn't need the phishing site.)

Ziggie
October 9, 2007 9:37 AM

I think there is something else there too, in addition to IP address and browser.

My computer travels back and forth between work and my home network. The banks never seem to recognize me when I switch networks. Even though I check the "remember this computer" box.

Why wouldn't the bank assume I'm using two different computers (different IPs, same browser though) and remember both as trusted machines? Something else that is triggering it (same machine, different network, better ask again) is at work.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.