Multi-Factor or Multi-Fiction?

By: (CISSP, CISA, CISM, MCSA, MCITP)

Publication: The Colorado Banker, September/October 2011

One of the "hot topics" in financial institution security lately has been multi-factor authentication. While the original guidance on the subject was published in 2005 as Authentication in an Internet Banking Environment, the landscape of online banking and software has changed greatly since then. To address the new risk and threat landscape, the Federal Financial Institutions Examination Council (FFIEC) released a supplement in June 2011. Examiners will begin formally assessing financial institutions under the supplemental guidance in January 2012.

What is Multi-Factor Authentication?

Existing authentication methodologies involve three basic "factors":

  • Something the user knows: password, PIN, answer to challenge question
  • Something the user has: ATM card, smart card, random number generated by a hardware or software token
  • Something the user is (biometrics): fingerprint, retinal scan, facial recognition

According to the FFIEC, "Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods." Most multi-factor authentication processes use a password combined with the second or third factor.

Common Misconceptions

Many financial institutions have mistakenly believed they have implemented multi-factor authentication by adding challenge questions to the standard username/password login. However, challenge questions are simply another instance of something the user "knows", the same factor as the password. In this scenario, the institution is still using single-factor authentication.

Alternatively, some authentication systems rely on users selecting an image to be shown upon each login to prove the authenticity of the website. However, this is two-way authentication, not multi-factor authentication, and is designed to provide the user with assurance they are logging into a legitimate site. The image is not meant to verify that the user has the proper credentials.
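The two misconceptions above reduce to a counting rule: a login flow is multi-factor only when it draws on at least two different factor categories, and a site-authentication image adds none. Here is an added example (not from the article or the FFIEC) that applies that rule to hypothetical login policies; the credential names are assumed for illustration.

```python
from enum import Enum


class Factor(Enum):
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Assumed credential types mapped to the FFIEC factor category they belong to.
# A site-authentication image is shown by the site to the user: it proves the
# site to the user, not the user to the site, so it maps to no factor at all.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "challenge_question": Factor.KNOWS,   # still "something the user knows"
    "atm_card": Factor.HAS,
    "smart_card": Factor.HAS,
    "hardware_token_otp": Factor.HAS,
    "software_token_otp": Factor.HAS,
    "fingerprint": Factor.IS,
    "retinal_scan": Factor.IS,
    "facial_recognition": Factor.IS,
    "site_image": None,                   # two-way (mutual) authentication only
}


def distinct_factors(credentials):
    """Return the set of distinct factor categories a login flow exercises.

    An unknown credential name raises, so a typo in a policy definition is
    never silently counted as an extra factor.
    """
    factors = set()
    for cred in credentials:
        if cred not in CREDENTIAL_FACTOR:
            raise ValueError(f"unknown credential type: {cred}")
        factor = CREDENTIAL_FACTOR[cred]
        if factor is not None:
            factors.add(factor)
    return factors


def is_multi_factor(credentials):
    """True only when at least two different factor categories are used."""
    return len(distinct_factors(credentials)) >= 2


def assess(credentials):
    """Produce a short, examiner-style finding for a login flow."""
    factors = distinct_factors(credentials)
    names = sorted(f.value for f in factors)
    verdict = "multi-factor" if len(factors) >= 2 else "single-factor"
    return f"{verdict}: {', '.join(names)}"
```

Running assess(["password", "challenge_question", "site_image"]) reports a single-factor flow, while assess(["password", "hardware_token_otp"]) reports a multi-factor one.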

Do I Need to Train End-Users?

In addition to controls inside the institution, examiners are going to expect customer awareness and education. Specifically, a financial institution's customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:

  • An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;
  • An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer's provision of electronic banking credentials;
  • A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
  • A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,
  • A listing of institutional contacts for customers' discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

It is strongly recommended institutions review the new supplement at http://www.ffiec.gov/pdf/Auth-ITS-Final 6-22-11 (FFIEC Formated).pdf to ensure compliance with the new guidance.