In Depth

FFIEC: Second Thoughts on Second Factors

Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be

By Scott Berinato


On Second Thought

There's no consensus on the best authentication approach. So good luck with that.

There's no sweeter lead for a salesperson than a government regulation that requires someone to use something that you happen to sell. So CSOs and CISOs should prepare for an onslaught of vendors touting their respective authentication methods as superior.

The FFIEC, while outlining several possible second factors of authentication, has deliberately steered clear of endorsing a particular method. This creates an unnerving situation for security executives. They've been thrown into a high-stakes game: choose technology that adds security without spooking customers. Anything too intrusive or complicated will annoy users. Anything too expensive and hard to maintain will annoy the CEO. It's a delicate balance.

Some vendors (Corillian is one) are betting on "passive" methods to satisfy all constituents. Passive authentication captures information about your PC and network connection (your location and IP address) already flowing across the wire. This may appeal to banks because the process remains mostly invisible to customers. But Jon Martin Karl, founder of Iovation, says customers may want more visibility. "We think consumers want banks to show them that they're taking care of them, and they want some level of control over that security."

Still others believe that customers will embrace even more complex second factors, as Europeans have embraced smart cards and tokens. RSA, for example, believes that its decades-old token will gain new life from online banking (it commissioned a survey to prove it). Axalto believes we'll all happily carry smart cards if it means more security.

CSOs and CISOs will be inundated with these and other messages.

Conventional Wisdom

Stronger authentication controls will benefit user privacy.

On Second Thought

Some second-factor approaches could undermine privacy.

To whatever extent two-factor authentication reduces identity theft, it protects consumers' privacy better than password-based banking has.

However, some types of authentication (passive methods, for instance) actually capture information about banking customers in order to authenticate them. Passive methods collect data such as geolocation, IP address, machine ID, time of day, user agent string, and browser and operating system version, among other bits.

This data is unique to each consumer (it has to be, since that's how the authentication works) and, more important, it's stored. Each log-in, in fact, becomes part of a behavior map constructed from previous log-ins. If the "behavior" of the current log-in is aberrant, the customer may be challenged and the access denied.
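To make the mechanism concrete, here is an added illustration of a behavior map of the kind described above. It is not code from the article or from any vendor it names. Each login record carries the attributes the text lists (IP address, geolocation, machine ID, time of day, user agent); past logins form the customer's baseline; a login whose attributes have rarely or never been seen for that customer scores as aberrant and is challenged or denied. The weights, thresholds, retention window and sample logins are assumptions constructed for the example. It also shows the privacy-minimising choices a bank could make but is not obliged to: storing keyed hashes of the device ID and user agent rather than the raw strings, truncating IP addresses to a prefix, and pruning records past a retention window.

```python
"""Added example of passive (risk-based) login authentication with a stored
behavior map. Not code from the article or any vendor it names; weights,
thresholds, retention and sample data are constructed assumptions."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed deployment values. The salt would come from a KMS/HSM in production.
_SALT = b"per-deployment-secret-salt"
RETENTION = timedelta(days=90)
CHALLENGE_THRESHOLD = 0.5     # score >= this: step-up challenge
DENY_THRESHOLD = 0.9          # score >= this: deny the login

# Assumed contribution of each attribute's novelty to the risk score (sums to 1.0).
WEIGHTS = {"device_hash": 0.5, "country": 0.25, "ip_prefix": 0.1,
           "agent_hash": 0.1, "hour_bucket": 0.05}


@dataclass(frozen=True)
class LoginEvent:
    """Raw data the PC and network connection reveal on each login."""
    when: datetime
    ip: str
    country: str        # coarse geolocation derived from the IP address
    device_id: str      # machine ID from a cookie or fingerprint
    user_agent: str     # browser and operating system version


@dataclass(frozen=True)
class StoredLogin:
    """What the bank keeps per login: truncated IP, country, keyed hashes, time."""
    when: datetime
    ip_prefix: str
    country: str
    device_hash: str
    agent_hash: str

    @property
    def hour_bucket(self) -> int:
        return self.when.hour // 4    # six 4-hour buckets absorb small time shifts


def _keyed_hash(value: str) -> str:
    """HMAC so stored identifiers cannot be reversed or joined with other data."""
    return hmac.new(_SALT, value.encode(), hashlib.sha256).hexdigest()


def minimise(ev: LoginEvent) -> StoredLogin:
    """Reduce a raw login to the minimum the behavior map needs."""
    prefix = 24 if ipaddress.ip_address(ev.ip).version == 4 else 48
    net = ipaddress.ip_network(f"{ev.ip}/{prefix}", strict=False)
    return StoredLogin(ev.when, str(net), ev.country,
                       _keyed_hash(ev.device_id), _keyed_hash(ev.user_agent))


def prune(history: list[StoredLogin], now: datetime) -> list[StoredLogin]:
    """Drop stored logins older than the retention window."""
    return [h for h in history if now - h.when <= RETENTION]


def _novelty(history: list[StoredLogin], attr: str, value) -> float:
    """0.0 if every past login had this value, 1.0 if none did."""
    matches = sum(1 for h in history if getattr(h, attr) == value)
    return 1.0 - matches / len(history)


def risk_score(history: list[StoredLogin], cand: StoredLogin) -> float:
    """Weighted sum of per-attribute novelty; 0.0 means 'just like before'."""
    score = sum(w * _novelty(history, attr, getattr(cand, attr))
                for attr, w in WEIGHTS.items())
    return round(score, 4)


def decide(history: list[StoredLogin], ev: LoginEvent,
           now: datetime) -> tuple[str, float]:
    """Return ('allow' | 'challenge' | 'deny', score) for one login attempt."""
    history = prune(history, now)
    if not history:
        return "challenge", 1.0      # no baseline yet: step up, do not lock out
    score = risk_score(history, minimise(ev))
    if score >= DENY_THRESHOLD:
        return "deny", score
    if score >= CHALLENGE_THRESHOLD:
        return "challenge", score
    return "allow", score


# Constructed sample data (not real customer records).
NOW = datetime(2006, 3, 10, 20, 30)
_UA = "Mozilla/5.0 (Windows NT 5.1; rv:1.8) Firefox/1.5"
HISTORY = [minimise(LoginEvent(NOW - timedelta(days=d, minutes=d),
                               f"203.0.113.{40 + d}", "US", "dev-7f3a", _UA))
           for d in (1, 3, 8, 15, 30)]
OLD = minimise(LoginEvent(NOW - timedelta(days=120), "203.0.113.9", "US", "dev-7f3a", _UA))
USUAL = LoginEvent(NOW, "203.0.113.77", "US", "dev-7f3a", _UA)
NEW_DEVICE = LoginEvent(NOW, "203.0.113.77", "US", "dev-0c19", _UA)
TAKEOVER = LoginEvent(NOW.replace(hour=3), "198.51.100.9", "RO", "dev-0c19", _UA)

if __name__ == "__main__":
    for name, ev in (("usual", USUAL), ("new device", NEW_DEVICE), ("takeover-like", TAKEOVER)):
        print(f"{name:14s} -> {decide(HISTORY, ev, NOW)}")
```

The usual login scores 0.0 and is allowed; the same customer on an unrecognised machine scores 0.5 and is challenged; a new device from a new country and network at an unusual hour scores 0.9 and is denied. Note what the map does not need in order to do this: the raw device identifier, the full IP address or the exact time of every visit.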

From storing log-in behavior for authentication purposes, it's a short hop to analyzing it for direct marketing purposes. Bangerter says UWCU has no plans for sharing the data with marketing, but the company's privacy policy doesn't forbid it.
