In Depth

FFIEC: Second Thoughts on Second Factors

Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be

By Scott Berinato

Page 4

As long as it's not too inconvenient for the consumer, or too expensive for the bank, two-factor authentication will win, even if one-factor would demonstrably reduce the risk just fine.

Conventional Wisdom

Force online banking to adopt an unfamiliar new technology.

On Second Thought

Banks already know how to do two-factor authentication; they just don't know how to scale it for the masses.

When a bank customer wants to move, say, a million dollars, banks already use two or more factors to execute the transaction. In such cases, two-factor's expense is easily justified, and customers are hardly annoyed at having to do a little more to keep all that money safe.

One way to look at the FFIEC guidance is as something that simply pushes down the definition of what's risky so that it applies to many more transactions. Or, put more optimistically, it helps a market grow by creating consumer confidence where too little existed before.

For example, allowing customers to change their own addresses online is ill-advised under single-factor authentication. With stronger authentication, UWCU's Bangerter says he can offer real-time change-of-address types of services online. "There have been some things we've wanted to do online but weren't comfortable with. Now we can start doing some damage" (meaning marketing damage, by attracting new customers) "with new applications online because we feel it's safer."

It won't be free for the banks, though. It was easy to cost-justify two-factor authentication for large transactions because banks do relatively few of them. Now, tens of millions of transactions will require those same, more complicated controls, and no one is sure how to scale up to a mass-market level.

For example, say a bank decides on a smart card as a second factor of authentication. How much do the cards, and the devices to read them, cost? How much to train consumers to use them? What about replacing lost, stolen or damaged cards? The question for banks is whether they can find a second authentication method whose costs, financial and otherwise, can be justified against the risk reduction achieved.

Conventional Wisdom

The end of 2006 is a reasonable compliance deadline.

On Second Thought

Actually, December 2006 is cutting it a little close.

Bangerter thinks UWCU will meet the FFIEC deadline, but that's partly because he started planning for two-factor authentication three years ago. On the other hand, Gerald Rome, director of IT at First American Bank & Trust in Vacherie, La., started planning a few months ago. He believes meeting the deadline will be a challenge, especially for community banks.
