While simply requiring a second password closely resembles two-factor authentication, it technically isn't, but it does meet the FFIEC's standards. To clear up the confusion and clarify the intent of the guidelines, let's review what two-factor authentication is.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
In information security, there are three factors for authentication: something you know (user ID and password), something you have (a smart card or one-time password token) or something you are (a physical characteristic, such as a fingerprint, voice or face). Combining two of these factors creates two-factor authentication. The intent is to provide an extra layer of security, so if one factor is broken there's a second locked door that a malicious attacker would also have to breach to gain access.
As you may have gathered, second passwords, even when disguised as a secret question or a graphic, aren't true two-factor authentication methods. But here's the rub. The FFIEC guidance also states that online banks can use multi-layered authentication, which is a little different than two-factor authentication. This means the FFIEC considers anti-fraud systems and additional passwords as multi-layered authentication.