I know you; you know me
Bankers may well look back at 2006 with a certain amount of nostalgia for the good old days, when online banking security consisted of simple user passwords and four-digit personal identification numbers.
In October 2005, the Federal Financial Institutions Examination Council issued guidelines requiring every bank and credit union in the country to establish “multi-factor authentication” measures to verify the identity of their online customers, with a Dec. 31, 2006, deadline. The guidelines will become part of the criteria examiners use to evaluate all institutions beginning in 2007.
As banks respond to new federal guidelines designed to reduce the threat of identity theft, many banking customers are already being asked an additional security question when they log in to their accounts. Additionally, many banks have begun asking customers to choose a unique picture or phrase that will appear each time a customer logs in to assure the customer that it really is the bank’s Web site.
Iowa Banking Superintendent Tom Gronstal said it appears the “vast majority” of the state’s banks will be in compliance, based on informal surveys he has taken of various groups of bankers.
“From our examination of Iowa state-chartered banks, we think their Web sites are overwhelmingly being managed correctly, and we think this will add an additional layer to that,” he said. “We think the banks will be able to comply with it.”
Principal Bank has been phasing in its upgraded log-in procedures to customers since November, said Barrie Christman, the bank’s president and CEO.
“We’ve been very pleasantly surprised; we’ve had very few calls,” said Christman, who said banks that introduced the changes more quickly found they were overwhelmed with customers’ telephone inquiries.
Principal Bank’s security upgrades, which were part of a planned comprehensive update of its system, include a customer-selected icon and phrase that appear upon signing in. If a person signs in from an unfamiliar computer, the system recognizes that and asks a security question before allowing the log-in.
Bankers Trust Co. also upgraded its online banking system in November, said Aletha Gabbert, an assistant vice president for operations and administration with the bank.
“Bankers Trust is very big on doing whatever we can to protect our customers’ information,” she said. “Previously, these types of solutions weren’t readily available from vendors. Now that they are, we’re accessing them and putting them into place.”
Each customer has been asked to register the computers he or she will be using, which results in a “cookie” being sent to those machines to identify them on subsequent log-ins. As with Principal’s system, if a user signs in from an unregistered computer, he or she must answer a challenge question.
Gabbert said most customers have been receptive to the additional security. In one instance, however, a customer’s computer did not accept cookies, which meant the customer had to answer a security question at each log-in.
“My understanding is that our vendor, Digital Insight, is looking at other ways of storing that information, so that customers don’t have to do that,” she said.
For added security, the technology exists for banking customers to be issued key-sized electronic tokens that plug into their computers’ USB ports. A variation of that device can even generate a one-time password. However, it appears few banks are moving in that direction.
“It’s cumbersome for the customer,” said Christman, who said Principal Bank considered the option but decided it wasn’t necessary. “Most customers deal with more than one institution; we don’t think it’s a customer-friendly solution.” However, the bank hasn’t ruled out using such a system in the future if it becomes necessary, she said.
Kevin Mukri, a spokesman for the Office of the Comptroller of the Currency, a federal agency that regulates national banks, said knowing where to draw the line between security and customer convenience can be difficult.
“But that’s the job of the regulator, of course, with a lot of input from the industry and the customer,” he said, noting that regulators conduct ongoing outreach meetings with consumer groups on the topic. “Participation by everyone in this is important. We need people’s input on how to do this.”
Banks and their regulators typically have long histories of working together, so the regulatory agencies will be familiar with the institutions as they begin evaluating them using the new guidelines, Mukri said.
“The bottom line is, people should feel confident that their money is going to be safe and sound and that they’re going to have access to it,” he said.