In Depth

FFIEC: Second Thoughts on Second Factors

Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be

By Scott Berinato

Page 3

Conventional Wisdom

Create an ironclad mandate compelling two-factor authentication.

On Second Thought

There's wiggle room. Technically, the FFIEC doesn't explicitly mandate two-factor authentication.

The verbatim FFIEC prescription states, "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks."

That's enough wiggle room for a conga line.

Here's why: There are three kinds of authentication factors: something you know (a PIN, a password, your mother's maiden name, a picture of your dog); something you have (a key fob, a token, a scratch card, a swipe card); and something you are (revealed through a fingerprint, blood vessels in your retina, handwriting, a pattern of behavior).

True two-factor authentication requires the person authenticating to provide two different factors. That is, something you know and something you are, or something you have and something you know, and so forth. Using the same factor twice is not multifactor authentication; it's layered security. Recently, my cable TV wasn't working. On the phone I had to provide my name, address, phone number, a PIN and an account number to get support. This is single-factor authentication (something I know) five times over, required to get HBO working.

Though layered security is more robust than single-factor (just a password), it is less secure than multifactor authentication. But layered security would require less investment by banks, possibly lower deployment and maintenance costs, and less consumer training than true two-factor authentication. Many consumers already use layered security without even realizing it. For example, starting a car requires the dongle that unlocks it and the ignition key: something you have, times two.
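The distinction the two paragraphs above draw (several credentials from one factor class is layered security, not multifactor) can be made mechanical. The following is an added example, not code from the article or from the FFIEC; the credential-to-factor mapping and the function names are assumptions constructed for illustration.

```python
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping of credential kinds to the three factor classes the
# article lists. A "picture of your dog" challenge is still knowledge.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW, "pin": Factor.KNOW, "mothers_maiden_name": Factor.KNOW,
    "name": Factor.KNOW, "address": Factor.KNOW, "phone_number": Factor.KNOW,
    "account_number": Factor.KNOW, "picture_challenge": Factor.KNOW,
    "key_fob": Factor.HAVE, "otp_token": Factor.HAVE, "scratch_card": Factor.HAVE,
    "swipe_card": Factor.HAVE, "ignition_key": Factor.HAVE, "immobilizer_dongle": Factor.HAVE,
    "fingerprint": Factor.ARE, "retina_scan": Factor.ARE, "handwriting": Factor.ARE,
}


def classify(credentials):
    """Return (label, distinct_factor_classes) for a list of credential kinds.

    label is "single-factor" (one credential), "layered" (two or more
    credentials all from one factor class) or "multifactor" (two or more
    distinct classes). An unknown credential kind raises KeyError rather
    than being silently counted as a factor.
    """
    if not credentials:
        raise ValueError("at least one credential is required")
    factors = {CREDENTIAL_FACTOR[c] for c in credentials}
    if len(factors) >= 2:
        return "multifactor", factors
    if len(credentials) >= 2:
        return "layered", factors
    return "single-factor", factors


def acceptable_under_guidance(credentials, single_factor_inadequate):
    """Apply the quoted FFIEC wording: where the risk assessment finds
    single-factor inadequate, multifactor or layered controls are needed."""
    label, _ = classify(credentials)
    return not (single_factor_inadequate and label == "single-factor")


if __name__ == "__main__":
    # The article's cable-TV call: five knowledge items, still one factor.
    print(classify(["name", "address", "phone_number", "pin", "account_number"]))
    # The car: dongle plus ignition key, "something you have" times two.
    print(classify(["immobilizer_dongle", "ignition_key"]))
```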

By adding layered security (and the even more equivocal "or other controls") as an option, the FFIEC is inviting enterprising security and risk managers to come up with something other than two-factor authentication that is demonstrably good enough. Some observers suggest that added security measures wouldn't necessarily have to be authentication-based to pass muster with the FFIEC, so long as risks are shown to be reduced.

Still, two-factor authentication might prevail. Why? Because the effort to parse transactions into those whose risk levels do and do not call for two-factor authentication may be more work than it's worth if even a small number are risky enough to require it anyway.

Furthermore, two-factor authentication is an obvious marketing opportunity. Says Tom Robertson, senior vice president and manager of IT at Charter Bank in Bellevue, Wash., "Surveys say people trust banks most with their information. Any smart bank won't skimp on that reputation."
