Will implementing two-factor authentication satisfy FFIEC requirements?

Will implementing two-factor authentication satisfy FFIEC requirements?

Why are some banks requiring customers to have a second password when logging in to their accounts online? If one password is insecure, why would having multiple passwords be more secure?

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Most banks are requiring users to provide a second password because they now need to comply with guidance issued in October 2005 by the Federal Financial Institutions Examination Council (FFIEC), recommending that banks offering online banking services implement and use two-factor authentication by January 2007. The FFIEC issued the guidance based on a report from the FDIC in 2004, stating that user IDs and passwords alone (single-factor authentication) was inadequate for online banking. The FDIC report outlined how passwords were weak and could be easily cracked, whether by password-stealing Trojans dropped on desktops or malicious shoulder surfers ogling your password.

While simply requiring a second password closely resembles two-factor authentication, it technically isn't, but it does meet the FFIEC's standards. To clear up the confusion and clarify the intent of the guidelines, let's review what two-factor authentication is.

In information security, there are three factors for authentication: something you know (user ID and password), something you have (a smart card or one-time password token) or something you are (a physical characteristic, such as a fingerprint, voice or face). Combining two of these factors creates two-factor authentication. The intent is to provide an extra layer of security, so if one factor is broken there's a second locked door that a malicious attacker would also have to breach to gain access.

As you may have gathered, second passwords, even when disguised as a secret question or a graphic, aren't true two-factor authentication methods. But here's the rub. The FFIEC guidance also states that online banks can use multi-layered authentication, which is a little different than two-factor authentication. This means the FFIEC considers anti-fraud systems and additional passwords as multi-layered authentication.

MORE INFORMATION:

  • Learn more about the FFIEC's guidance.
  • Visit our All-in-One Guide and learn how to maximize your complianceefforts.

    • This was first published in August 2006

    Back to top