The Federal Financial Institutions Examination Council's (FFIEC) new guidelines requiring two-factor authentication
for Web-based banking and financial transactions and their October follow-up recommendation for increased online security in 2006, has caused a lot of concern in the financial world. The panic and confusion stems, not from the definition of two-factor authentication, but its implementation. Let's start by explaining the standard definition of two-factor authentication and compare it with the FFIEC's view.
To information security professionals, authentication can consist of any of three simple factors:
1.) Something you know. This is a user ID and password or challenge-response questions, such as asking your mother's maiden name, favorite color or some other user-created question.
2.) Something you have. This is something you physically carry that contains your authentication credentials, such as a smart card, token or device.
3.) Something you are. These methods are a little more personal and include biometric devices that check a particular physical characteristic, such as a fingerprint, face or even the shape of their iris, before granting access.
Typically, two-factor authentication is any of the above two combined. Some examples would be a user ID and password used with a smart card reader, a one-time password token used with a fingerprint scanner, or an ATM card with a PIN. While the FFIEC agrees with the standard definitions of two-factor authentication and accurately outlines them in its document, some of its recommendations for implementation don't fit the mold of widely-accepted methods of two-factor authentication.
The FFIEC's directive describes out-of-band authentication, mutual authentication and Internet Protocol Address location as acceptable two-factor authentication systems. This confuses the issue, since these aren't authentication systems, let alone two-factor ones, by any definition described above. These systems don't verify users. They check for fraudulent transactions, verify the identity of the bank to the online customer, or confirm the user is logging on from their own computer – in other words, they verify the computer, rather than the user.
This means a host of products that don't authenticate users could meet the FFIEC's two-factor criteria. And, although the FFIEC doesn't endorse any particular company's product or technology, fraud detection products and digital watermarks could meet the standard under their definition.
So, how is a financial institution supposed to comply amidst this confusion? Is the FFIEC directive about fraud or authentication? It seems to mix both in the name of authentication.
Remember, above all, the directive recommends that the decision to use two-factor authentication be risk-based. So, do a thorough risk analysis of your banking Web site first. Ask yourself questions about the size and type of transactions. Are they high in value? Can customers transfer funds from their account to another bank or financial institution? Could a malicious user potentially transfer funds or drain a legitimate customer's account?
Also, before fingerprinting your customers or measuring their irises, determine exactly what your vulnerabilities and risks are, document them and then, if required, choose your two-factor implementation accordingly. It may not be what you had originally expected, and it may still satisfy the FFIEC.
About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of The Little Black Book of Computer Security available from Amazon.