The product is owned by RSA Data Security which in 2006 acquired its original maker, Passmark Security.
How it works
- User identifies (not authenticates) himself to the site by entering his username (but not his password). If the username is a valid one the site proceeds.
- If the user's browser does not contain a client-side state token (such as a Web cookie or a Flash cookie) from a previous visit, the user is prompted for answers to the "security questions" the user specified at site sign-up time, such as "Which school did you last attend?"
- Site authenticates itself to the user by displaying an image and/or accompanying phrase that he has earlier configured. If the user does not recognize them as his own, he is to assume the site is a phishing site and immediately abandon it. If he does recognize them, he may consider the site authentic and proceed.
- User authenticates himself to the site by entering his password. If the password is not valid for that username, the whole process begins again. If it is valid, the user is considered authenticated and logged in.
If the user is at a phishing site with a different Web site domain than the legitimate domain, the user's browser will refuse to send the state token in step (2); the phishing site owner will either need to skip displaying the correct security image, or prompt the user for security questions and pass on the answers to the legitimate domain. In theory, this could cause the user to become suspicious, since the user might be surprised to be re-prompted for security questions even if they have used the legitimate domain from their browser recently. However, in practice, there is evidence users generally fail to notice such anomalies.
A Harvard study found SiteKey 97% ineffective. In practice, real people don't notice, or don't care, when the SiteKey is missing, according to their results.
SiteKey is designed to prevent users from disclosing their login credentials to a phishing site. The rationale is that a phishing site wouldn't have the SiteKey info for a user. The obvious flaw in the design is that a phishing site can get the correct SiteKey info from the genuine site, then serve it to the user, "proving" its legitimacy. SiteKey is thus susceptible to a man-in-the-middle attack.
It also requires users to keep track of more authentication information. Someone associated with N different websites that use SiteKey must remember N different 4-tuples of information: (site, username, phrase, password).
In May 2015, Bank of America announced that SiteKey would be discontinued for all users by the end of the year, and would allow users to login with their username and password in one step. 
- Security study pokes holes in advanced authentication claims
- The Emperor's New Security Indicators