FFIEC: Second Thoughts on Second Factors

Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be

Last October, a relatively obscure government body called the Federal Financial Institutions Examination Council, or FFIEC, issued what it called guidance but which looks much like a mandate. Starting in January 2007, financial institutions must provide consumers of online financial services with the same security protection enjoyed by customers buying groceries or gas with a debit card: strong authentication.

Strong means two or more types of identity verification in return for access. At the grocery store or gas station, those two factors are usually a piece of plastic and a passcode. Online banking, on the other hand, still primarily works with "weak" single-factor authentication: a password.

The mandate's prosaic title, "Authentication in an Internet Banking Environment," belies the spirit of the thing. The guidance is meant to be consequential, to take a McGruffian bite out of online crime. (To learn about online retailers' anti-fraud efforts, see Choke Point.) And on the surface it appears that forcing banks to add a second factor of authentication could improve the well-documented, rapidly deteriorating state of online security.

But on second thought, maybe not. Scrutinizing the document itself, and the world into which it's being introduced, creates a more complex and less settled picture. It's not clear, for example, that a second factor will significantly reduce "modern" risks; we could be preparing for the next war by planning for the last one. It's also unclear if financial companies can balance the cost of scaling two-factor authentication for the masses versus the benefit of whatever risk reduction it might provide. It's not even clear what form of second-factor authentication makes sense for banks to use, or if they actually need to adopt a second factor at all under the terms of the mandate.

What's more, some security experts argue that mandates like this don't reduce risk, they just move it. The FFIEC guidance is the latest incarnation of a security truism: Threats don't disappear, they migrate, or else over time they mutate to overcome the defenses deployed against them. Sometimes they do so menacingly, like a bird flu, into another exploitable vulnerabilityappearing rapidly and with dire consequences.

Despite all that, the reaction to the FFIEC guidance so far has been muted, generating little publicity or news coverage and sparking neither praise nor criticism. Few consumer or technology interest groups have commented publicly. Consumers themselvesthe constituency most directly targeted for protection herehardly know that the guidance exists.

Banks, of course, know it existsparticularly security officers and their information security staffs. Most expected something like this; some were planning two-factor authentication initiatives anyway. The only thing that surprised them was the deadline. "It used to be, 'Banks need to do more, banks need to do more,'" says Eric Bangerter, director of Internet services at the University of Wisconsin Credit Union (UWCU). In this case, however, he says the message was "'Do it by the end of 2006.' I thought that kind of firmness [was] new."

In this article, CSO takes a fresh look at the FFIEC guidance. We examine seven assumptions undergirding it and raise some second thoughts about its origins, what it's meant to accomplish and how it might fare in the real world, where threats are constantly moving and where as fast as the dike is thumbed it springs new leaks.

Conventional Wisdom

Consumer outrage is driving adoption of two-factor authentication.

On Second Thought

The FFIEC was reacting to market forces, not consumer outrage.

The timing of the FFIEC mandate could lead one to assume that it was in direct response to the recent scads of identity thefts and online financial frauds. But that was only a minor factor, according to Michael Jackson, associate director of the Federal Deposit Insurance Corporation and chairman of the FFIEC IT subcommittee that drafted the two-factor guidance.

Fear that security worries were causing people to abandon Internet banking (or the Internet altogether) did not weigh all that heavily in Jackson's work. Nor did a prevailing belief that banks had failed to secure their customers. In fact, Jackson believes, banks have done reasonably well securing online transactions, given the available technologythough that is hardly a consensus opinion. But for Jackson, it's the key. "Mostly this was about changes in technology solutions," he says. "The industry has matured enough where options are available." In other words, the FFIEC decided that authentication technology was finally good enough to justify a more forceful approach.

The October 2005 guidance actually updates guidance issued in August 2001a time when online banking was neonatalwhich suggested banks use risk management to gauge what would be needed to make online banking safe. The risk management prescribed in the 2001 guidance is similar to that proposed in the 2005 version.

Two-factor authentication certainly existed in 2001, but it was neither scalable for mass deployment nor acceptable to consumers. Now, Jackson says, both of those criteria can be met. (Part of the technology's tolerability isn't a change in technology so much as a change in the consumer mindset to be more willing to trade a little annoyance for better security.)

Bangerter at UWCU says, "We've been looking at some form of second-factor authentication since 2002, and it's taken this long to find the right product."

That the FFIEC was unmoved by recent spikes in online crime could be viewed as encouraging. Regulation born from the outrage fanned by current events often fails. The architects of the FFIEC guidance, however, divorced themselves from emotion and made sure the change could be absorbed by the marketplace.

Conventional Wisdom

Create an ironclad mandate compelling two-factor authentication.

On Second Thought

There's wiggle room. Technically, the FFIEC doesn't explicitly mandate two-factor authentication.

The verbatim FFIEC prescription states, "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks."

That's enough wiggle room for a conga line.

Here's why: There are three kinds of authentication factors: something you know (a PIN, a password, your mother's maiden name, a picture of your dog); something you have (a key fob, a token, a scratch card, a swipe card); and something you are (revealed through a fingerprint, blood vessels in your retina, handwriting, a pattern of behavior).

True two-factor authentication requires the person authenticating to provide two different factors. That is, something you know and something you are, or something you have and something you know, and so forth. Using the same factor twice is not multifactor authentication; it's layered security. Recently, my cable TV wasn't working. On the phone I had to provide my name, address, phone number, a PIN and an account number to get support. This is single-factor authenticationsomething I knowfive times over, required to get HBO working.

Though layered security is more robust than single-factor (just a password), it is less secure than multifactor authentication. But layered security would require less investment by banks, possibly lower deployment and maintenance costs, and less consumer training than true two-factor authentication. Many consumers already use layered security without even realizing it. For example, starting a car requires the dongle that unlocks it and the ignition keysomething you have times two.

By adding layered security (and the even more equivocal "or other controls") as an option, the FFIEC is inviting enterprising security and risk managers to come up with something other than two-factor authentication that is demonstrably good enough. Some observers suggest that added security measures wouldn't necessarily have to be authentication-based to pass muster with the FFIEC, so long as risks are shown to be reduced.

Still, two-factor authentication might prevail. Why? Because the effort to parse transactions into those whose risk levels do and do not call for two-factor authentication may be more work than it's worth if even a small number are risky enough to require it anyway.

Furthermore, two-factor authentication is an obvious marketing opportunity. Says Tom Robertson, senior vice president and manager of IT at Charter Bank in Bellevue, Wash., "Surveys say people trust banks most with their information. Any smart bank won't skimp on that reputation."

As long as it's not too inconvenient for the consumer, or too expensive for the bank, two-factor authentication will wineven if one-factor would demonstrably reduce the risk just fine.

Conventional Wisdom

Force online banking to adopt an unfamiliar new technology.

On Second Thought

Banks already know how to do two-factor authentication, they just don't know how to scale it for the masses.

When a bank customer wants to move, say, a million dollars, banks already use two or more factors to execute the transaction. In such cases, two-factor's expense is easily justified, and customers are hardly annoyed at having to do a little more to keep all that money safe.

One way to look at the FFIEC guidance is as something that simply pushes down the definition of what's risky so that it applies to many more transactions. Or, put more optimistically, it helps a market grow by creating consumer confidence where too little existed before.

For example, allowing customers to change their own addresses online is ill-advised under single-factor authentication. With stronger authentication, UWCU's Bangerter says he can offer real-time change-of-address types of services online. "There have been some things we've wanted to do online but weren't comfortable with. Now we can start doing some damage"meaning marketing damage, by attracting new customers"with new applications online because we feel it's safer."

It won't be free for the banks, though. It was easy to cost-justify two-factor authentication for large transactions because banks do relatively few of them. Now, tens of millions of transactions will require those same, more complicated controls, and no one is sure how to scale up to a mass-market level.

For example, say a bank decides on a smart card as a second factor of authentication. How much do the cardsand the devices to read themcost? How much to train consumers to use them? What about replacing lost, stolen or damaged cards? The question for banks is can they find a second authentication method whose costsfinancial and otherwisecan be justified against the risk reduction achieved?

Conventional Wisdom

The end of 2006 is a reasonable compliance deadline.

On Second Thought

Actually, December 2006 is cutting it a little close.

Bangerter thinks UWCU will meet the FFIEC deadline, but that's partly because he started planning for two-factor authentication three years ago. On the other hand, Gerald Rome, director of IT at First American Bank & Trust in Vacherie, La., started planning a few months ago. He believes meeting the deadline will be a challenge, especially for community banks.

Since the FFIEC endorses no single approach to two-factor authentication, a bank that hadn't planned for it must evaluate several kinds of technology, choose the one it thinks is best (or the one it thinks consumers will accept), test it, deploy it, market it, train consumers on it and then maintain it. All in a year.

"This [effort] is really burdensome to community banks," says Rome. "To compete we have to give away Internet banking for free, and online bill-paying for free. You can't add this and keep doing everything for free."

Add to this the fact that vendors of two-factor authentication technology are relatively small with a relatively huge market to serve. Two of the larger vendors are Axalto, a smart-card company with about a billion dollars in revenuemost of it from Europe, where smart cards are more accepted than in this country (Axalto's revenue in the Americas is growing rapidly and expected to surpass $200 million this year); and RSA, a well-established $300 million company that reported shipping 500,000 consumer-related tokens in Q4 of last year. Two others are Corillian and PassMark. PassMark is privately held, funded by VCs and private investors. Corillian is a $50 million company with about 270 employees. Another vendor, FundsXpress, is growing fast but only achieved positive cash flow in 2004.

Can these kinds of companies support the thousands of banks that must comply with the FFIEC guidance by December? Even PassMark's director of sales isn't sure. "With regard to the deadline, it will be a challenge, but not insurmountable," says Steve Klebe, director of sales and business development. Klebe puts the odds at "about 50/50." On the other hand, Jim Maloney, security chief at Corillian, thinks the deadline can be met. He says that using Corillian's methods of authentication, which don't involve tokens or consumer PC upgrades, should take a small bank two to three months to upgrade infrastructure and a large bank four to six months.

1 2 Page
Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies