Will implementing two-factor authentication satisfy FFIEC requirements?
Considering two-factor authentication to comply with the FFIEC guidance? Read this Identity Management and Access Control Q&A. Our resident expert explains why financial institutions must adopt two-factor authentication methods by 2007 and how two-factor authentication and multi-layered authentication differ.
Simply requiring a second password may look like two-factor authentication, but technically it isn't; it does, however, meet the FFIEC's standards. To clear up the confusion and clarify the intent of the guidelines, let's review what two-factor authentication is.
In information security, there are three factors for authentication: something you know (a user ID and password), something you have (a smart card or one-time password token) and something you are (a physical characteristic, such as a fingerprint, voice or face). Combining two different factors creates two-factor authentication. The intent is to provide an extra layer of security, so that if one factor is broken, there is a second locked door that an attacker would also have to breach to gain access.
As you may have gathered, second passwords, even when disguised as a secret question or a graphic, are not true two-factor authentication: they are still something you know. But here's the rub. The FFIEC guidance also states that online banks can use multi-layered authentication, which is a little different from two-factor authentication. This means the FFIEC considers anti-fraud systems and additional passwords to be multi-layered authentication.
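The distinction above can be made concrete in code. The following is an added example, not from the article: each credential check reports which of the three factors it proved, so the login routine can tell a password plus a one-time token (two distinct factors) from a password plus a secret question (two checks, one factor). The function names, the PBKDF2 and RFC 6238 TOTP choices and the constructed user record are assumptions of this example, not anything the FFIEC guidance prescribes.

```python
import hashlib
import hmac
import struct

# The three FFIEC factor categories. Each verifier returns the category it
# proved, so the login routine counts distinct factors rather than checks.
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

def verify_password(salt: bytes, stored_hash: bytes, supplied: str):
    """Something you know. Returns the factor on success, None on failure."""
    digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, 100_000)
    return KNOW if hmac.compare_digest(digest, stored_hash) else None

def verify_secret_question(stored_answer: str, supplied: str):
    """A 'second password' in disguise: still something you know."""
    a = stored_answer.strip().lower().encode()
    b = supplied.strip().lower().encode()
    return KNOW if hmac.compare_digest(a, b) else None

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1), as a token generates."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_token(secret: bytes, supplied: str, unix_time: int):
    """Something you have: accept the current 30 s step and one step either side."""
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp(secret, unix_time + drift), supplied):
            return HAVE
    return None

def authentication_strength(results):
    """Map the factors proved by each check to single-factor, multi-layered
    (several checks, one factor) or two-factor (two distinct factors)."""
    if not results or any(r is None for r in results):
        return "denied"
    if len(set(results)) >= 2:
        return "two-factor"
    return "multi-layered" if len(results) >= 2 else "single-factor"

# Constructed user record (not real credentials) for demonstration only.
SALT = b"constructed-salt"
PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector seed
NOW = 1_700_000_000
```

With this record, `authentication_strength([verify_password(SALT, PW_HASH, "correct horse"), verify_secret_question("Rover", "rover")])` yields "multi-layered", while replacing the question with `verify_token(TOTP_SECRET, totp(TOTP_SECRET, NOW), NOW)` yields "two-factor".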