Last October, the Federal Financial Institutions Examination Council (FFIEC) issued an update to its 2001 report entitled “Authentication in an Electronic Banking Environment.” The 2005 report recognizes the rapid technological changes and the increasing opportunities for fraud that affect today’s online transactions.

The council’s member agencies, among which are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA), are calling for stronger authentication controls to be in place by year-end. According to the report, “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”

Single-factor authentication is typically a username and password combination. Lately it has come under criticism as a security measure because it is easy for hackers and other miscreants to defeat. Multi-factor authentication adds a second or third means to verify the user of an online system.
It might include something you or your computer have, such as a token or digital certificate, or something you are, such as a physical characteristic like a fingerprint.

The updated FFIEC guidelines allow a lot of leeway, saying “Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”

While the report offers no specifics on how to assess or mitigate the risks posed by single-factor authentication, the agencies’ constituents face oversight and examinations beginning in 2007 to ensure compliance with agency directives.

For network managers and security officers at banks, credit unions, thrift institutions and other financial services companies, the time is now to team up with the line of business managers to assess the risks and determine and select the policies, procedures and technologies to be implemented ahead of the year-end deadline.

Bruce Cundiff, research analyst with Javelin Strategy & Research, recently published a report about strong user authentication aimed at the banking industry. Cundiff says there are three paths that financial organizations can take. “Banks can take the ‘compliance’ path and simply do the bare minimum to comply with the recommendations,” he says. “Or, they can take the ‘protection’ path to protect their assets and reputation.”

Cundiff points out that banks have made a very large investment to bring customers to the online channel, and a security problem could lead to a confidence crisis and abandonment of conducting business online. “We believe that most banks will focus on the ‘protection’ path for now,” says Cundiff.

The third path is “expansion,” whereby banks use their extra online security measures as a competitive advantage.
He says that Bank of America is the only major U.S. bank in this category today, but others are preparing to enter this phase. “Bank of America is looking to be a market leader in online security, and the company has made it mandatory for consumers to adopt the additional safety methods,” says Cundiff.

In conducting their research, Javelin analysts created a model to assess the different technologies available to increase online security. Financial institutions can use this model to determine which technologies and procedures would work best within the bounds of the current IT infrastructure to meet customer needs.

“One of the top issues we consider when looking at technology is the affordability of it,” says Cundiff. While customers expect good security from their bank, they don’t think it should cost extra. “The institution needs to evaluate a security method or technology based on the deployment cost, the evolution cost – what it takes to maintain that solution, and the exit cost – how much to abandon that solution to move to something else.”

A second consideration is customer usability and the likelihood of adoption. “Consumers are more willing to use something simple such as digital certification or device recognition rather than a physical token, or something they have to carry with them,” according to Cundiff. “Banks don’t want to put up a hurdle that will keep customers from using the online service.”

A third aspect of technology assessment has to be the effectiveness of the solution. “We evaluate technology based on what the known problems are,” says Cundiff. “In the online financial world, in terms of customer authentication, we’re concerned with phishing, keystroke loggers, site spoofing, Trojans and viruses, and so on.
These are some of the prime methods that thieves can use to steal identities or gain access to account information.” The FDIC refers to these methods as “account hijacking.”

Next week we’ll look at some of the solutions that floated to the top in the Javelin study and who is using them already.