* The Federal Financial Institutions Examination Council calls for stronger authentication controls

Last October, the Federal Financial Institutions Examination Council (FFIEC) issued an update to its 2001 report entitled “Authentication in an Electronic Banking Environment.” The 2005 report recognizes the rapid technological changes and the increasing opportunities for fraud that affect today’s online transactions.

The council’s member agencies, among which are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA), are calling for stronger authentication controls to be in place by year-end. According to the report, “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”

Single-factor authentication is typically a username and password combination. Lately it has come under criticism as a security measure because it is easy for hackers and other miscreants to defeat. Multi-factor authentication adds a second or third means to verify the user of an online system.
It might include something you or your computer have, such as a token or digital certificate, or something you are, such as a physical characteristic like a fingerprint.

The updated FFIEC guidelines allow a lot of leeway, saying “Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks.” While the report offers no specifics on how to assess or mitigate the risks posed by single-factor authentication, the agencies’ constituents face oversight and examinations beginning in 2007 to ensure compliance with agency directives.

For network managers and security officers at banks, credit unions, thrift institutions and other financial services companies, the time is now to team up with the line of business managers to assess the risks and determine and select the policies, procedures and technologies to be implemented ahead of the year-end deadline.

Bruce Cundiff, research analyst with Javelin Strategy & Research, recently published a report about strong user authentication aimed at the banking industry. Cundiff says there are three paths that financial organizations can take. “Banks can take the ‘compliance’ path and simply do the bare minimum to comply with the recommendations,” he says. “Or, they can take the ‘protection’ path to protect their assets and reputation.”

Cundiff points out that banks have made a very large investment to bring customers to the online channel, and a security problem could lead to a confidence crisis and abandonment of conducting business online. “We believe that most banks will focus on the ‘protection’ path for now,” says Cundiff.

The third path is “expansion,” whereby banks use their extra online security measures as a competitive advantage. He says that Bank of America is the only major U.S.
bank in this category today, but others are preparing to enter this phase. “Bank of America is looking to be a market leader in online security, and the company has made it mandatory for consumers to adopt the additional safety methods,” says Cundiff.

In conducting their research, Javelin analysts created a model to assess the different technologies available to increase online security. Financial institutions can use this model to determine which technologies and procedures would work best within the bounds of the current IT infrastructure to meet customer needs.

“One of the top issues we consider when looking at technology is the affordability of it,” says Cundiff. While customers expect good security from their bank, they don’t think it should cost extra. “The institution needs to evaluate a security method or technology based on the deployment cost, the evolution cost – what it takes to maintain that solution, and the exit cost – how much to abandon that solution to move to something else.”

A second consideration is customer usability and the likelihood of adoption. “Consumers are more willing to use something simple such as digital certification or device recognition rather than a physical token, or something they have to carry with them,” according to Cundiff. “Banks don’t want to put up a hurdle that will keep customers from using the online service.”

A third aspect of technology assessment has to be the effectiveness of the solution. “We evaluate technology based on what the known problems are,” says Cundiff. “In the online financial world, in terms of customer authentication, we’re concerned with phishing, keystroke loggers, site spoofing, Trojans and viruses, and so on.
These are some of the prime methods that thieves can use to steal identities or gain access to account information.” The FDIC refers to these methods as “account hijacking.”

Next week we’ll look at some of the solutions that floated to the top in the Javelin study and who is using them already.