Will implementing two-factor authentication satisfy FFIEC requirements?

Considering implementing two-factor authentication to comply with the FFIEC guidance; read this Identity Management and Access Control Q&A. Our resident expert explains why financial institutions must use two-factor authentication methods by 2007 and reveals how two-factor authentication and multi-layered authentication methods differ.

Why are some banks requiring customers to have a second password when logging in to their accounts online? If one password is insecure, why would having multiple passwords be more secure?

Most banks are requiring users to provide a second password because they now need to comply with guidance issued in October 2005 by the Federal Financial Institutions Examination Council ( FFIEC), recommending that banks offering online banking services implement and use two-factor authentication by January 2007. The FFIEC issued the guidance based on a report from the FDIC in 2004, stating that user IDs and passwords alone (single-factor authentication) was inadequate for online banking. The FDIC report outlined how passwords were weak and could be easily cracked, whether by password-stealing Trojans dropped on desktops or malicious shoulder surfers ogling your password.

While simply requiring a second password closely resembles two-factor authentication, it technically isn't, but it does meet the FFIEC's standards. To clear up the confusion and clarify the intent of the guidelines, let's review what two-factor authentication is.

Download this free guide

6 reasons why data protection is essential for all businesses

Read this e-guide to discover why exactly data protection has become an absolute essential for all businesses. Learn about the huge fines and repercussions of non-compliance as well as the reputational damage caused by data breaches.

Corporate E-mail Address:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

In information security, there are three factors for authentication: something you know (user ID and password), something you have (a smart card or one-time password token) or something you are (a physical characteristic, such as a fingerprint, voice or face). Combining two of these factors creates two-factor authentication. The intent is to provide an extra layer of security, so if one factor is broken there's a second locked door that a malicious attacker would also have to breach to gain access.

As you may have gathered, second passwords, even when disguised as a secret question or a graphic, aren't true two-factor authentication methods. But here's the rub. The FFIEC guidance also states that online banks can use multi-layered authentication, which is a little different than two-factor authentication. This means the FFIEC considers anti-fraud systems and additional passwords as multi-layered authentication.

MORE INFORMATION:

Learn more about the FFIEC's guidance.
Visit our All-in-One Guide and learn how to maximize your complianceefforts.

This was last published in August 2006

Read more on Identity and access management products

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.