   Topic(s): Security Information

The Federal Financial Institutions Examination Council (FFIEC) is urging online banks to upgrade their security standards by the end of the year. The FFIEC’s reports state that “single-factor authentication” for online transactions is not enough. The FFIEC is encouraging online institutions to adopt two or more of these authentication methods for high-risk transactions:

• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).

Below are the agency’s key points:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically:

• Ensure that their information security program:

– Identifies and assesses the risks associated with Internet-based products and services,
– Identifies risk mitigation actions, including appropriate authentication strength, and
– Measures and evaluates customer awareness efforts;

• Adjust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information; and
• Implement appropriate risk mitigation strategies.

However, adding multiple authentication techniques is inconvenient for customers, especially customers who like to access their financial accounts while traveling. Requiring additional hardware to facilitate transactions is unappealing to financial institutions that want to avoid customer service nightmares. Since compliance by December 31 will not be enforced, many institutions are opting to adopt “single-factor plus” or “1b” solutions. These solutions attempt to enhance security by adding multiple questions to the login process, or by adding challenge responses when a customer uses a different computer or IP address to access an account.

At the end of the day, customers should anticipate that their financial institutions will be adding more security enhancements to the login process in the coming weeks. Get a pen and paper handy because there will likely be additional challenge responses and security questions to remember in the future beyond just a user name and password.

Click here to read the FFIEC’s full report.

 


Copyright © 2006-2008 TravelFinances.com. All Rights Reserved.