Two-Factor Too Scarce at Consumer Banks
A search for strong authentication in online banking comes up short.
That's why for years I've been saying that I won't sign up for online banking until a bank offers me strong authentication. Keep your $50 new-customer incentive or the low-end iPod, I say. Instead, I want an RSA token that generates a security code that I punch into a website, in addition to my user name and password. Or a keyfob that I stick into the USB slot of my desktop computer whenever I move funds. Heck, I'd even proffer a fingerprint if the bank would send me the biometrics reader. And I know I'm not alone. Larry Freed, president of the research group ForeSee Results, says that security concerns are slowing the growth of online banking. "People that are not using online banking are very concerned with security," says Freed, a former banking CTO.
In October 2005, it looked like my wish might finally come true. The U.S. Federal Financial Institutions Examination Council, or FFIEC, issued a requirement that banks strengthen the way they authenticate online transactions. (See "Second Thoughts on Second Factors" for my colleague Scott Berinato's rich analysis of what the FFIEC called its "guidance.") The FFIEC move was widely interpreted as a mandate that would push more banks to two-factor authentication. Hip, hip, hurrah!
Now, just six months until the FFIEC's end-of-year deadline, seemed like a good moment to take stock of the current consumer offerings for online banking. I spent several hours looking at what Fortune 100 banks tell prospective online banking customers about security, liability and authentication. This wasn't a scientific study, mind you. I didn't set out to get an insider view of which banks are the most secure or have the best anti-fraud defenses, nor do I have any way of gauging how well banks actually keep the promises they make. I simply looked at what the websites and marketing materials say about each bank's online practices. Unfortunately, it appears that we still have a long way to go before most online banking sites are "hard" enough for me to use.
CIO



