
FFIEC Guidance on Authentication for Online Banking: Get the Facts

What is the FFIEC and what does it have to do with authentication and online banking?

The Federal Financial Institutions Examination Council (FFIEC) was established in 1979 and is a formal interagency body empowered to prescribe uniform principles, standards and report forms, as well as make recommendations to promote uniformity in the supervision of financial institutions.

The FFIEC comprises the five federal regulators of the banking industry: the Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).

In October 2005, the FFIEC published guidance entitled Authentication in an Internet Banking Environment, recommending that financial institutions and their application service providers deploy security measures to reliably authenticate their online banking customers. This guidance replaces the FFIEC's Authentication in an Electronic Banking Environment issued in 2001.

What does the FFIEC guidance on authentication and online banking stipulate?

Simply put, the FFIEC guidance states that financial institutions that engage in any form of online banking should have efficient and reliable methods to authenticate their customers. Single-factor authentication, such as a user name and password - if it is the only control mechanism - is inadequate for high-risk online banking transactions involving access to customer information or the movement of funds to other parties.

Regulators in the financial industry agree that passwords have become highly vulnerable to a variety of threats, including phishing, pharming, malware and other evolving attack techniques. Banks should instead use authentication methods that are both effective and appropriate to the risks associated with online banking, including multi-factor authentication as part of a layered approach to security. Institutions must comply with this guidance by December 31, 2006.

Who should be concerned about the FFIEC guidance on authentication?

Any institution that is governed by one of the five agencies that make up the FFIEC is covered by these guidelines. Financial institutions that offer online banking services, as well as application service providers, should be aware of this guidance, assess their risk, develop reliable authentication measures and raise their customers' awareness of fraud. If an institution fails to comply by the December 31 deadline, it faces a potential fine or other penalty, depending on the status of the plans it has in place to address the guidance.

What should banks do to comply with this guidance?

Financial institutions that engage in online banking should:

  • Conduct risk assessments of online transactions to determine the appropriate degrees of fraud prevention methods;
  • Develop and implement the means to reliably authenticate online banking customers, in proportion to the risk assessment findings; and
  • Continue and enhance efforts to educate customers on potential threats associated with online banking and the appropriate preventative measures.

How can the risk level of a financial institution be determined?

To measure their risk level, banks should assess the security risks associated with their Internet-based financial services offerings. While the guidance does not describe risk-assessment methods, it does indicate some of the factors to use when measuring risk, including:

  • Type of customer;
  • Transactional capabilities;
  • Sensitivity of accessible customer information;
  • Ease of use of the communication method; and
  • Volume of transactions.

The guidance is focused on high-risk transactions, which it defines as online banking services that "involve access to customer information or the movement of funds to other parties." Although the guidance does not define what this specifically means, "customer information" might include names, addresses, phone numbers, social security numbers, bank account numbers and account details held for bill payment purposes (e.g., utilities). "The movement of funds to other parties" might include bill payment, wire transfers, transfers to accounts not held by the customer at the given institution, and transfers to other accounts held by the customer outside of the given institution.

Does the FFIEC recommend specific technologies?

No, the FFIEC guidance explicitly states that it does not endorse any particular type of technology. The guidance specifically addresses the need for risk-based assessment, customer awareness and the implementation of appropriate risk mitigation strategies, including security measures to reliably authenticate customers accessing a financial institution's Internet-based services. Multiple-factor authentication is one such tool.

What kind of authentication methods should be used to comply with the FFIEC guidance?

Prior to implementing authentication methodologies, banks should first assess the risk posed by the institution's online banking systems. The authentication techniques used by the financial institution should be proportionate to the risks associated with those products and services. The guidance proposes several non-exclusive authentication techniques:

  • Multiple-factor authentication;
  • Layered security; and
  • Other controls.

While the guidance does not endorse any particular technology, it does include background information on authentication technologies.

The National Institute of Standards and Technology (NIST) also provides an Electronic Authentication Guideline, which classifies authentication assurance levels. NIST recommends using "technology that at a minimum, meets the requirements for the required level of assurance." To achieve this, banks should first look at the fundamentals of authentication:  something you know, something you have and something you are. Typically, authentication strength increases with the number of factors used. However, even with multiple factors, the authentication may be attacked successfully if other parts of the process are not secure. NIST defines the aspects of the authentication process as:

  • Credentials, credential lifetime and credential protection;
  • Registration;
  • Authentication protocol; and
  • Authentication assertions.

The NIST guidelines are available at http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

Are the FFIEC recommendations enforceable by law?

The guidance is not a formal regulation and does not create any legal obligation for banks. However, it is a strong recommendation that comes from five regulatory agencies of the financial sector and should not be taken lightly. Although it is not a formal regulation, the FFIEC has given banks a deadline of December 31, 2006 to comply with the guidance. If a financial institution does not comply by that date, the FFIEC could enforce the guidance with informal or formal actions. These enforcement measures depend on the specific situation.

If customers are required to input a second password, does that meet the FFIEC guidance?

The FFIEC guidance states that online banks can use "multi-layered authentication." The precise definition of this term is unclear and could be interpreted to mean that the FFIEC considers additional passwords to be multi-layered authentication.

In information security, there are many forms of authentication: some operate behind the scenes and others require the active participation of the user. In the latter case, there are typically three 'proofs' or 'factors' that the user can be asked for: something you know (user ID and password, or secret questions), something you have (smart card or one-time use token) or something you are (biometrics). Combining two of these factors creates two-factor authentication, providing an additional layer of security: if one factor is broken, lost or compromised, there is a second 'locked door' for a malicious attacker to breach.

According to experts in authentication technology, a second password does not constitute a true two-factor authentication method: it is simply a second instance of "something you know." Static passwords are easily hacked, stolen, guessed or otherwise compromised, and putting two such passwords together does not raise the security bar significantly for customers. Ideally, usernames/passwords should represent just one part - or one factor - of a two-factor authentication process. When used in conjunction with another factor, as described above, security is increased measurably.
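To make the distinction above concrete, and to illustrate the NIST process aspects listed earlier (credential protection and the authentication protocol), here is an added example of a two-factor login that pairs a hashed password (something you know) with a one-time code from a token (something you have). This is illustrative code written for this page; it is not code from the FFIEC, NIST or CSIA. It assumes the token is an RFC 6238 TOTP generator (HMAC-SHA1, 30-second steps, six digits), uses the RFC 4226/6238 test-vector seed "12345678901234567890" as a constructed demo secret, and uses a fixed constructed salt for the password hash; all function and class names are chosen for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # code length shown to the customer

# Constructed demo values: the seed is the RFC 4226/6238 test-vector secret and
# the salt is a fixed byte string. A real deployment generates both at random
# per customer and keeps the seed as a protected server-side credential.
DEMO_SEED = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given moving counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(seed, at_time // step)


class TokenVerifier:
    """Server-side check of the 'something you have' factor, with replay protection."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window    # accept +/- this many steps of clock drift
        self.last_step = -1     # highest time step already redeemed

    def verify(self, code: str, at_time: int) -> bool:
        current = at_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue        # a code for this step was already used: reject replay
            expected = hotp(self.seed, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step = step   # burn the step so this code cannot be reused
                return True
        return False


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the 'something you know' factor is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, seed: bytes, salt: bytes) -> dict:
    """Constructed account record: password hash plus the customer's token verifier."""
    return {"pw_hash": password_hash(password, salt), "salt": salt,
            "token": TokenVerifier(seed)}


def login(account: dict, password: str, code: str, at_time: int) -> bool:
    """Two-factor login: the password and a fresh token code must both check out.
    The password is checked first so that a wrong password does not consume
    the customer's current one-time code."""
    if not hmac.compare_digest(password_hash(password, account["salt"]), account["pw_hash"]):
        return False
    return account["token"].verify(code, at_time)


if __name__ == "__main__":
    acct = make_account("correct horse", DEMO_SEED, DEMO_SALT)
    now = 59   # RFC 6238 test-vector instant; the six-digit SHA-1 code here is 287082
    print(login(acct, "correct horse", totp(DEMO_SEED, now), now))        # True
    print(login(acct, "correct horse", totp(DEMO_SEED, now), now))        # False: replayed code
    print(login(acct, "wrong", totp(DEMO_SEED, now + 30), now + 30))      # False: wrong password
```

The point the page makes is visible in the second call: a stolen code is useless once it has been redeemed, and it expires on its own after the drift window, whereas a stolen second password works indefinitely and adds nothing the first password did not already provide. The seed must be protected as carefully as the password hash, since whoever holds it can compute every future code.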

Ultimately, however, the FFIEC guidance underscores sound business sense - if a bank's Internet-based products and services increase its risk of financial loss or image damage due to authentication inadequacies, then it is incumbent on the organization to upgrade its authentication methods.

How much will it cost to comply with the FFIEC recommendations?

The upfront cost to a particular financial institution is dependent on the individual situation. Perhaps a more important question to ask is whether the organization can afford not to comply with the guidance.

What is CSIA's position on the FFIEC recommendations?

CSIA has long held that simple username/password authentication is not adequate protection on its own. Therefore, we support industry efforts that encourage stronger authentication methods.