Will implementing two-factor authentication satisfy FFIEC requirements?

Considering implementing two-factor authentication to comply with the FFIEC guidance; read this Identity Management and Access Control Q&A. Our resident expert explains why financial institutions must use two-factor authentication methods by 2007 and reveals how two-factor authentication and multi-layered authentication methods differ.

Published: 07 Aug 2006

Why are some banks requiring customers to have a second password when logging in to their accounts online? If one password is insecure, why would having multiple passwords be more secure?

Most banks are requiring users to provide a second password because they now need to comply with guidance issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC), recommending that banks offering online banking services implement and use two-factor authentication by January 2007. The FFIEC issued the guidance based on a report from the FDIC in 2004, stating that user IDs and passwords alone (single-factor authentication) was inadequate for online banking. The FDIC report outlined how passwords were weak and could be easily cracked, whether by password-stealing Trojans dropped on desktops or malicious shoulder surfers ogling your password.

While simply requiring a second password closely resembles two-factor authentication, it technically isn't, but it does meet the FFIEC's standards. To clear up the confusion and clarify the intent of the guidelines, let's review what two-factor authentication is.

In information security, there are three factors for authentication: something you know (user ID and password), something you have (a smart card or one-time password token) or something you are (a physical characteristic, such as a fingerprint, voice or face). Combining two of these factors creates two-factor authentication. The intent is to provide an extra layer of security, so if one factor is broken there's a second locked door that a malicious attacker would also have to breach to gain access.

As you may have gathered, second passwords, even when disguised as a secret question or a graphic, aren't true two-factor authentication methods. But here's the rub. The FFIEC guidance also states that online banks can use multi-layered authentication, which is a little different than two-factor authentication. This means the FFIEC considers anti-fraud systems and additional passwords as multi-layered authentication.

MORE INFORMATION:

Learn more about the FFIEC's guidance.
Visit our All-in-One Guide and learn how to maximize your complianceefforts.

Will implementing two-factor authentication satisfy FFIEC requirements?

Read more on Identity and access management products

Experts say NIST deprecating SMS 2FA is long overdue

What do organizations need to know about the final FFIEC guidance?

multifactor authentication (MFA)

Second factor authentication (2FA) solutions: Evaluation, FAQs & more

SearchCIO

Texas power outage flags need to revisit business continuity

4 ways to measure digital experience to drive tech optimization

Calculating cloud migration costs: What CIOs need to consider

SearchSecurity

6 ways to prevent cybersecurity burnout

Risk & Repeat: Inside the SolarWinds Senate hearing

Vastaamo breach, bankruptcy indicate troubling trend

SearchNetworking

5 steps to conduct network penetration testing

5 benefits of Wi-Fi 6 for enterprise networks

Get started with network penetration testing for beginners

SearchDataCenter

CRAC design upgrades simplify HVAC maintenance

IBM leans on Red Hat to adapt Power servers for hybrid cloud

Private cloud certificates to build up your tech skills

SearchDataManagement

Open source database migration guide: How to transition

DataStax Astra serverless DBaaS optimizes deployments

AWS Data Exchange and the third-party cloud data marketplace