Understanding two-factor authentication as mandated by the FFIEC

While the FFIEC agrees with the traditional definition of two-factor authentication, not all of its recommendations for complying with its mandate to implement two-factor authentication qualify as such -- creating confusion for the financial institutions and the value-added resellers (VARs) helping them. This tip, reposted courtesy of SearchSecurity.com, explains what qualifies as two-factor authentication and what the FFIEC is expecting from Web-based financial institutions.

The Federal Financial Institutions Examination Council's (FFIEC) guidelines requiring two-factor authentication for Web-based banking and financial transactions and their October follow-up recommendation for increased online security in 2006, has caused a lot of concern in the financial world. The panic and confusion stems, not from the definition of two-factor authentication, but its implementation. Let's start by explaining the standard definition of two-factor authentication and compare it with the FFIEC's view.

To information security professionals, authentication can consist of any of three simple factors:

1. Something you know. This is a user ID and password or challenge-response questions, such as asking your mother's maiden name, favorite color or some other user-created question.
2. Something you have. This is something you physically carry that contains your authentication credentials, such as a smart card, token or device.
3. Something you are. These methods are a little more personal and include biometric devices that check a particular physical characteristic, such as a fingerprint, face or even the shape of their iris, before granting access.

Typically, two-factor authentication is any of the above two combined. Some examples would be a user ID and password used with a smart card reader, a one-time password token used with a fingerprint scanner, or an ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Regulatory Compliance Red Flags Rules compliance: Are your customers informed? PCI compliance guide: A resource for solution providers PCI DSS pre-assessment services: Prelude to a QSA The impact of PCI compliance on the channel Compliance drives opportunities for security integrators How to turn the HIPAA compliance changes into opportunities Data protection services offer revenue for security solution providers Agiliance and McAfee partner for better governance, risk and compliance services SonicWall announces partnership with Western NRG Building a framework-based compliance program Identity Management and Access Control Assisting customers with content-aware IAM decisions Identity management technologies and products to offer customers Access control compliance and corporate governance considerations Partner Program Directory: Authentication vendors The importance of PCI compliance Tech Watch: Biometric devices What current authentication methods are in use on the network? How many users utilize the network resources currently? Do off-site workers require remote access? How large is the customer's employee pool? Identity management and access controls products and services Identity management technologies and products to offer customers Despite downturn, channel committed to identity and access management Access control compliance and corporate governance considerations Access control management The importance of access control Partner Program Directory: Authentication vendors Identity management: Compliance and trends Tech Watch: Biometric devices Identity management best practices and precautions Introduction to identity management solutions

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ATM card with a PIN. While the FFIEC agrees with the standard definitions of two-factor authentication and accurately outlines them in its document, some of its recommendations for implementation don't fit the mold of widely-accepted methods of two-factor authentication.

The FFIEC's directive describes out-of-band authentication, mutual authentication and Internet Protocol Address location as acceptable two-factor authentication systems. This confuses the issue, since these aren't authentication systems, let alone two-factor ones, by any definition described above. These systems don't verify users. They check for fraudulent transactions, verify the identity of the bank to the online customer, or confirm the user is logging on from their own computer – in other words, they verify the computer, rather than the user.

This means a host of products that don't authenticate users could meet the FFIEC's two-factor criteria. And, although the FFIEC doesn't endorse any particular company's product or technology, fraud detection products and digital watermarks could meet the standard under their definition.

So, how is a financial institution supposed to comply amidst this confusion? Is the FFIEC directive about fraud or authentication? It seems to mix both in the name of authentication.

Remember, above all, the directive recommends that the decision to use two-factor authentication be risk-based. So, do a thorough risk assessment and analysis of your banking Web site first. Ask yourself questions about the size and type of transactions. Are they high in value? Can customers transfer funds from their account to another bank or financial institution? Could a malicious user potentially transfer funds or drain a legitimate customer's account?

Also, before fingerprinting your customers or measuring their irises, determine exactly what your vulnerabilities and risks are, document them and then, if required, choose your two-factor implementation accordingly. It may not be what you had originally expected, and it may still satisfy the FFIEC.

About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of The Little Black Book of Computer Security available from Amazon.

This tip originally appeared on SearchSecurity.com.