In Depth
FFIEC: Second Thoughts on Second Factors
Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be
By Scott Berinato
In this article, CSO takes a fresh look at the FFIEC guidance. We examine seven assumptions undergirding it and raise some second thoughts about its origins, what it's meant to accomplish and how it might fare in the real world, where threats are constantly moving and where as fast as the dike is thumbed it springs new leaks.
Conventional Wisdom
Consumer outrage is driving adoption of two-factor authentication.
On Second Thought
The FFIEC was reacting to market forces, not consumer outrage.
The timing of the FFIEC mandate could lead one to assume that it was in direct response to the recent scads of identity thefts and online financial frauds. But that was only a minor factor, according to Michael Jackson, associate director of the Federal Deposit Insurance Corporation and chairman of the FFIEC IT subcommittee that drafted the two-factor guidance.
Fear that security worries were causing people to abandon Internet banking (or the Internet altogether) did not weigh all that heavily in Jackson's work. Nor did a prevailing belief that banks had failed to secure their customers. In fact, Jackson believes, banks have done reasonably well securing online transactions, given the available technology, though that is hardly a consensus opinion. But for Jackson, it's the key. "Mostly this was about changes in technology solutions," he says. "The industry has matured enough where options are available." In other words, the FFIEC decided that authentication technology was finally good enough to justify a more forceful approach.
The October 2005 guidance actually updates guidance issued in August 2001, a time when online banking was neonatal, which suggested banks use risk management to gauge what would be needed to make online banking safe. The risk management prescribed in the 2001 guidance is similar to that proposed in the 2005 version.
Two-factor authentication certainly existed in 2001, but it was neither scalable for mass deployment nor acceptable to consumers. Now, Jackson says, both of those criteria can be met. (Part of the technology's tolerability isn't a change in technology so much as a change in the consumer mindset to be more willing to trade a little annoyance for better security.)
Bangerter at UWCU says, "We've been looking at some form of second-factor authentication since 2002, and it's taken this long to find the right product."
That the FFIEC was unmoved by recent spikes in online crime could be viewed as encouraging. Regulation born from the outrage fanned by current events often fails. The architects of the FFIEC guidance, however, divorced themselves from emotion and made sure the change could be absorbed by the marketplace.