Home » Identity & Access » Access Control

FFIEC: Second Thoughts on Second Factors

Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be

February 01, 2006 — CSO — Last October, a relatively obscure government body called the Federal Financial Institutions Examination Council, or FFIEC, issued what it called guidance but which looks much like a mandate. Starting in January 2007, financial institutions must provide consumers of online financial services with the same security protection enjoyed by customers buying groceries or gas with a debit card: strong authentication.

Strong means two or more types of identity verification in return for access. At the grocery store or gas station, those two factors are usually a piece of plastic and a passcode. Online banking, on the other hand, still primarily works with "weak" single-factor authentication: a password.

The mandate's prosaic title, "Authentication in an Internet Banking Environment," belies the spirit of the thing. The guidance is meant to be consequential, to take a McGruffian bite out of online crime. (To learn about online retailers' anti-fraud efforts, see Choke Point.) And on the surface it appears that forcing banks to add a second factor of authentication could improve the well-documented, rapidly deteriorating state of online security.

But on second thought, maybe not. Scrutinizing the document itself, and the world into which it's being introduced, creates a more complex and less settled picture. It's not clear, for example, that a second factor will significantly reduce "modern" risks; we could be preparing for the next war by planning for the last one. It's also unclear if financial companies can balance the cost of scaling two-factor authentication for the masses versus the benefit of whatever risk reduction it might provide. It's not even clear what form of second-factor authentication makes sense for banks to use, or if they actually need to adopt a second factor at all under the terms of the mandate.

What's more, some security experts argue that mandates like this don't reduce risk, they just move it. The FFIEC guidance is the latest incarnation of a security truism: Threats don't disappear, they migrate, or else over time they mutate to overcome the defenses deployed against them. Sometimes they do so menacingly, like a bird flu, into another exploitable vulnerabilityâ¬appearing rapidly and with dire consequences.

Despite all that, the reaction to the FFIEC guidance so far has been muted, generating little publicity or news coverage and sparking neither praise nor criticism. Few consumer or technology interest groups have commented publicly. Consumers themselvesâ¬the constituency most directly targeted for protection hereâ¬hardly know that the guidance exists.

Banks, of course, know it existsâ¬particularly security officers and their information security staffs. Most expected something like this; some were planning two-factor authentication initiatives anyway. The only thing that surprised them was the deadline. "It used to be, 'Banks need to do more, banks need to do more,'" says Eric Bangerter, director of Internet services at the University of Wisconsin Credit Union (UWCU). In this case, however, he says the message was "'Do it by the end of 2006.' I thought that kind of firmness [was] new."