
Digital ID World attendees raise concerns over security guidelines for banks

Nov 16, 2005

* Digital ID World - Financial Services attendees discuss banking authentication

There were a surprisingly large number of interesting comments and insights that came out of last week’s Digital ID World – Financial Services conference in New York. The primary topic of conversation, of course, was the recently promulgated guidelines for strong authentication for online banking authored by the Federal Financial Institutions Examination Council (FFIEC), officially titled “Authentication in an Internet Banking Environment”. You can read the council’s announcement in its press release or download a PDF of the guidance document.

In a newsletter a couple of weeks ago, I mentioned how security token vendors were quick to point out that their products were “just the thing” to satisfy the guidelines. But as was pointed out by Forrester Research analyst Jonathan Penn and Michael Barrett, vice president, Security Strategy and Architecture for American Express and the former president of Liberty Alliance, the guidelines not only fail to specify using tokens as a second authentication factor – they don’t even mandate using multiple factors. True, multi-factor authentication is strongly suggested, but only for those transactions deemed significant. Instead, the whole thrust of the guidelines is that banks should consider seriously how to mitigate any risks that are involved in the way they are handling online authentication and presentation of data.

One speaker at Digital ID World even pointed out that multi-factor authentication isn’t necessarily the same as multi-mode authentication, where “mode” refers to the traditional three methods: something you know (password), something you have (token) or something you are (biometric). IP address or geolocation (i.e., some place you are) could also be a factor.

Another speaker raised the specter of users with multiple online accounts (e.g., I have online accounts with almost a dozen financial institutions) having to wear a necklace to hold all of the “key chain” type tokens that companies like RSA and Vasco are promoting for institutions to issue to satisfy the guidelines.

While digesting all of that – and the guidelines themselves – we might all keep in mind a simile that another attendee told me about. We were talking about the benefits of building in authentication security from within an application as opposed to adding it on as a wrapper or a totally different app. “Add-on security,” she said, “is like putting a padlock on a split rail fence. It keeps the cows in, but it doesn’t keep the rustlers out.” That’s food for thought.