The new "guidance" from the Federal Financial Institutions Examination Council (FFIEC) essentially says banks will...
need to have multifactor authentication for their online customers. Though multifactor technology exists and has been implemented elsewhere (e.g., Europe), the challenge I see is getting general acceptance from the everyday American bank customer.
We are a society wanting things fast without fuss, so adding an additional step to the customer's Web-based banking logon process may not go over well, not to mention trying to educate and explain the concept of multifactor authentication to most consumers will take time.
For the information security officer (ISO) or chief information security officer (CISO), the challenge is how to go about selecting and implementing a multifactor authentication product that interfaces significantly with the bank customers vs. an internal process.
On Oct 12, 2005, the FFIEC, the agency that develops standards for the Federal Reserve System, the FDIC and the nation's other financial organizations, issued new guidance (PDF) regarding authentication controls necessary to authenticate the identity of customers accessing online financial services. U.S. financial institutions will be expected to comply with these rules by the end of 2006. Essentially, the FFIEC all but said that single-factor authentication (e.g., the standard username/password process widely used today) is inadequate for online financial transactions.
The guidance states that banks and other affected financial institutions are expected to use "effective methods of authentication," based on risk, when verifying online customers. FFIEC further states that single-factor authentication, when used as the only control mechanism, is inadequate for high-risk transactions involving access to customer information or the movement of funds.
To determine the level of authentication controls needed, financial institutions should conduct risk-based assessments. Selection of the authentication mechanisms should then be based on the risk assessment for the types of online transactions being supported.
This new guidance attempts to raise the bar for Web-based authentication and address the increased risks posed by phishing, identify theft, online fraud and loss of confidential customer information. Account fraud and identity theft are frequently the result of single-factor authentication.
Discussion and approach
Though this is issued as a "guidance" -- that is, it is not necessarily an absolute regulatory requirement -- it is clear that before long, when it comes time to perform their annual regulatory compliance exams, regulatory authorities will no longer accept single-factor authentication as adequate control for online banking services.
My recommendation to financial institutions: It's best to just accept this as a regulatory requirement and move forward. There is no benefit in trying to wiggle out of it by trying to pass it off as a "low risk" issue – it'll just catch up to you later. Besides, from a marketing and public image perspective, you don't want to be the only bank on the block without equal or better protection than that of the competition.
Speaking of marketing, this is where I see the real challenge. How do you roll this out to your customers effectively without causing customer disgruntlement and backlash? There will undoubtedly be a need for a customer education process, if not a full-fledged awareness campaign put together carefully with the marketing group of your bank. Just trying to explain multifactor authentication to others is challenging even for those familiar with computers. It will take some thought and planning to provide a clear, well-organized customer education and communication campaign that aligns with the implementation of your new authentication system.
Additionally, the transition will require a financial institution to thoroughly know and understand its online customer base. Will they be resistant to two-factor authentication processes? Are they computer literate for the most part? Are they going to want a hardware token (USB token) to carry around all the time? Knowing customers and their preferences will help an organization select the appropriate technology solutions.
Another consideration here is that most people have accounts at other financial institutions, thus they will face multiple multifactor authentication processes. Will they end up with a pocket full of tokens of various sorts? So, the question is, what will best allow you to comply with the new guidance while satisfying your organization's customers?
If you are an information security professional facing this task, my strong recommendation is to get your marketing folks involved early on in this project. Include them in your risk assessments processes and product selections.
This will be an interesting and challenging year for financial institutions as they select and roll out their various multifactor authentication systems. The larger national and international banks are already moving forward with their efforts. The small to midsize banks will need to implement and keep up with the majors, which will be challenging as most products are not cheap. But then, the increasing identity theft and cyber fraud isn't cheap either!
Stay tuned to see what your bank rolls out for you!
Robert S. Childs, CISSP, CISM, CISA, is vice president and information security officer for First Community Bank in Albuquerque, N.M.