In Depth
FFIEC: Second Thoughts on Second Factors
Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be
By Scott Berinato
Since the FFIEC endorses no single approach to two-factor authentication, a bank that hadn't planned for it must evaluate several kinds of technology, choose the one it thinks is best (or the one it thinks consumers will accept), test it, deploy it, market it, train consumers on it and then maintain it. All in a year.
"This [effort] is really burdensome to community banks," says Rome. "To compete we have to give away Internet banking for free, and online bill-paying for free. You can't add this and keep doing everything for free."
Add to this the fact that vendors of two-factor authentication technology are relatively small with a relatively huge market to serve. Two of the larger vendors are Axalto, a smart-card company with about a billion dollars in revenue, most of it from Europe, where smart cards are more accepted than in this country (Axalto's revenue in the Americas is growing rapidly and expected to surpass $200 million this year); and RSA, a well-established $300 million company that reported shipping 500,000 consumer-related tokens in Q4 of last year. Two others are Corillian and PassMark. PassMark is privately held, funded by VCs and private investors. Corillian is a $50 million company with about 270 employees. Another vendor, FundsXpress, is growing fast but only achieved positive cash flow in 2004.
Can these kinds of companies support the thousands of banks that must comply with the FFIEC guidance by December? Even PassMark's director of sales isn't sure. "With regard to the deadline, it will be a challenge, but not insurmountable," says Steve Klebe, director of sales and business development. Klebe puts the odds at "about 50/50." On the other hand, Jim Maloney, security chief at Corillian, thinks the deadline can be met. He says that using Corillian's methods of authentication, which don't involve tokens or consumer PC upgrades, should take a small bank two to three months to upgrade infrastructure and a large bank four to six months.
But how many banks can Corillian, or any other vendor, work with at once? Will the small banks get squeezed, as Rome fears, because vendors cater to their larger customers? And what about the process changes needed to support the technology changes: help desk training, token distribution systems and whatever else will be required?
Even the FFIEC anticipates granting extensions to the deadline, especially to financial institutions on the Gulf Coast hit by Hurricanes Katrina and Rita.
Conventional Wisdom
It should be easy to pick a two-factor solution.