Will implementing two-factor authentication satisfy FFIEC requirements?

Considering implementing two-factor authentication to comply with the FFIEC guidance? Read this Identity Management and Access Control Q&A, in which our resident expert explains why financial institutions must use two-factor authentication methods by 2007 and how two-factor authentication and multi-layered authentication methods differ.

Why are some banks requiring customers to have a second password when logging in to their accounts online? If one password is insecure, why would having multiple passwords be more secure?
Most banks are requiring users to provide a second password because they now need to comply with guidance issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC), recommending that banks offering online banking services implement and use two-factor authentication by January 2007. The FFIEC issued the guidance based on a 2004 report from the FDIC stating that user IDs and passwords alone (single-factor authentication) were inadequate for online banking. The FDIC report outlined how passwords were weak and could be easily cracked, whether by password-stealing Trojans dropped on desktops or by malicious shoulder surfers ogling your password.

While simply requiring a second password closely resembles two-factor authentication, technically it isn't; it does, however, meet the FFIEC's standards. To clear up the confusion and clarify the intent of the guidelines, let's review what two-factor authentication is.

In information security, there are three factors for authentication: something you know (user ID and password), something you have (a smart card or one-time password token) or something you are (a physical characteristic, such as a fingerprint, voice or face). Combining two of these factors creates two-factor authentication. The intent is to provide an extra layer of security, so if one factor is broken there's a second locked door that a malicious attacker would also have to breach to gain access.

As you may have gathered, second passwords, even when disguised as a secret question or a graphic, aren't true two-factor authentication methods. But here's the rub. The FFIEC guidance also states that online banks can use multi-layered authentication, which is a little different from two-factor authentication. This means the FFIEC considers anti-fraud systems and additional passwords to be multi-layered authentication.
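To make the distinction between "a second password" and "a second factor" concrete, here is an added example (not code from the article, the FFIEC or any bank) that verifies a password, an optional secret answer, and an optional one-time code from a token, then classifies what was verified by factor category. It assumes a constructed account record, uses the published RFC 4226/6238 test seed as the token secret, and stands in a TOTP token for the "something you have" factor the answer mentions. Password plus secret answer verifies two credentials but only one category; password plus token spans two.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# The three factor categories described in the answer. A second password,
# a secret question or a picture challenge are all still "something you
# know", so stacking them does not produce a second factor.
KNOWLEDGE = "something you know"
POSSESSION = "something you have"
INHERENCE = "something you are"


@dataclass(frozen=True)
class Credential:
    factor: str   # one of the three categories above
    label: str    # constructed label such as "password" or "otp-token"


def distinct_factors(creds):
    """Set of factor categories actually satisfied by a list of verified credentials."""
    return {c.factor for c in creds}


def is_two_factor(creds):
    """True only when credentials from at least two different categories were verified."""
    return len(distinct_factors(creds)) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is illustrative, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_login(record, password, secret_answer, token, now, drift_steps=1):
    """Check each presented credential and return the list of those that verified.

    `record` is a constructed account row holding two independently salted hashes
    (password and secret answer) and the shared OTP seed. The function does not
    short-circuit: the caller decides with is_two_factor() whether the verified
    set spans two categories.
    """
    verified = []
    if hmac.compare_digest(hash_password(password, record["pw_salt"]), record["pw_hash"]):
        verified.append(Credential(KNOWLEDGE, "password"))
    if secret_answer is not None and hmac.compare_digest(
            hash_password(secret_answer, record["answer_salt"]), record["answer_hash"]):
        verified.append(Credential(KNOWLEDGE, "secret-answer"))
    if token is not None:
        # accept adjacent time steps so small clock drift on the token does not reject it
        for d in range(-drift_steps, drift_steps + 1):
            if hmac.compare_digest(totp(record["otp_seed"], now + 30 * d), token):
                verified.append(Credential(POSSESSION, "otp-token"))
                break
    return verified


# Constructed sample account; the OTP seed is the RFC 4226/6238 test vector, not a real secret.
PW_SALT = b"constructed-password-salt"
ANSWER_SALT = b"constructed-answer-salt"
ACCOUNT = {
    "pw_salt": PW_SALT,
    "pw_hash": hash_password("correct horse", PW_SALT),
    "answer_salt": ANSWER_SALT,
    "answer_hash": hash_password("rover", ANSWER_SALT),
    "otp_seed": b"12345678901234567890",
}


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the 6-digit SHA-1 code for this step is 287082
    # password + secret answer: both verify, but both are "something you know"
    creds = verify_login(ACCOUNT, "correct horse", "rover", None, now)
    print([c.label for c in creds], "two-factor?", is_two_factor(creds))
    # password + one-time code from a token: two different categories
    creds = verify_login(ACCOUNT, "correct horse", None, totp(ACCOUNT["otp_seed"], now), now)
    print([c.label for c in creds], "two-factor?", is_two_factor(creds))
```

The classification step is the point: a bank that adds a secret question has added a layer, which the guidance accepts as multi-layered authentication, but `is_two_factor()` still reports false until a credential from a different category, such as the token code, is verified alongside the password.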
