Shareholder Authentication (published 2015)

Mutual Authentication

Authentication can be a two-way process. For their part, users may wish to have greater confidence that they are dealing with their financial institutions, and not with fraudsters. To permit users to verify that they are communicating with their financial institutions over secure connections, financial institutions typically obtain a digital certificate from a trusted certificate authority (such as VeriSign or Entrust). The user may then verify that the website’s address begins with “https” rather than “http” and that there is a locked padlock icon in the address bar (and the user may click on the padlock to view additional details about the digital certificate).

Some companies may also use other means of authenticating their identities to their customers. For example, a number of fund groups and other financial institutions offer a service that allows online customers to verify that they are logged into the institutions’ true websites by displaying security images and/or phrases that customers have previously selected or provided.[1]




Sources

  1. See id. Some fund complexes follow this approach. See, e.g., Harbor Funds, http://www.harborfunds.com/docs/HF_Online_Security.pdf (last visited on Aug. 18, 2015); T. Rowe Price, http://individual.troweprice.com/public/Retail/hUtility/Policies-&-Security/Security (last visited on Jul. 23, 2015). This approach has been in use for a number of years. See Strong Authentication for Online Banking: Success Factors, CSOonline.com (Nov. 1, 2006) (noting that a bank had pioneered this approach in the previous year), http://www.csoonline.com/article/2120887/federated-identity/strong-authentication-for-online-banking--success-factors.html.