Read This before You Take Multi-Factor Plunge: Regulators Say Multi-Factor Authentication Is an Option Not a Requirement

By Cocheo, Steve | ABA Banking Journal, May 2006 | Go to article overview

Read This before You Take Multi-Factor Plunge: Regulators Say Multi-Factor Authentication Is an Option Not a Requirement


Cocheo, Steve, ABA Banking Journal


Banks offering internet-based services have been wrestling with a thorny issue since last year's regulatory fiat on authentication methods. Few recent compliance challenges have been the subject of so much misinformation, rumor, and misunderstanding.

The interagency announcement, "Authentication in an Internet Banking Environment," issued in mid-October 2005 by the Federal Financial Institutions Examination Council, requires that banking companies review their internet-based offerings and determine which should be subjected to enhanced authentication measures on the behalf of both commercial and consumer customers. The exercise is not only supposed to be completed by yearend, but areas of weakness identified in the course of the review are expected to have been addressed through improved procedures.

In many cases, the expected shift in security format would be from "single-factor" authentication to "multi-factor" authentication. "Single-factor" authentication requires only asking that customers provide one form of identification to access services, which the agencies consider inadequate for high-risk transactions conducted under modern conditions. A typical single-factor scheme would use a log-on ID and a password only.

The agencies want banks to adopt "multi-factor" approaches for high-risk transactions, or other approaches that address the heightened possibility that client accounts could be infiltrated. Authentication can take three forms, generally: something the user knows (such as a password or number); something the user has (such as a "fob" or a token, devices that plug into their home computer that demonstrates authenticity and generates codes); and something the user is (such as a fingerprint or an eye scan).

The regulators insist that not only is customer account security at risk, but also much more. Preventing electronic money laundering and terrorism financing; decreasing online identity theft; and reducing fraud and ensuring enforceability of online business arrangements all hinge on security being maintained, the regulators state in their announcement.

The clock is ticking ... and some banks are starting from a point of confusion. During ABA's National Conference for Community Bankers earlier this year, panelists from ABA, the agencies, and a vendor addressed the new guidance.

Starting out right

In some quarters, the announcement has been regarded as a mandate for an industrywide switch to multi-factor authentication. This substantially overstates things, according to speaker Jeffrey M. Kopchik, senior policy analyst, FDIC.

"The guidance does not mandate multifactor authentication," said Kopchik. "It calls for adequate security, and multi-factor is one way of doing it."

There was a method to the agencies' missive, according to Kopchik. Mandating a specific security regimen in a formal guidance would have been futile, and was rejected, he said, because the pace of change in this area is so rapid that maintaining a "state of the art" regulatory document would require reissuances at six-month intervals. Today's iron-clad protection is tomorrow's busted technology.

More formally, Kopchik said this is the proviso bankers should be hewing to:

"Where single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks."

Kopchik told bankers this implies that:

* They should realize that, overall, they are expected to "step it up a notch" in online security. They are obligated, if they provide an online delivery channel to customers, to make it a secure one.

* They should understand that the regulators consider the timeline established to be "aggressive, but reasonable."

* Examiners will review compliance efforts on a case-by-case basis.

Bankers' Top Ten questions

Kopchik then presented answers to the ten questions the agencies have been receiving most frequently from the industry:

10 Is there an approved list of solutions? …

The rest of this article is only available to active members of Questia

Already a member? Log in now.

Notes for this article

Add a new note
If you are trying to select text to create highlights or citations, remember that you must now click or tap on the first word, and then click or tap on the last word.
One moment ...
Default project is now your active project.
Project items
Notes
Cite this article

Cited article

Style
Citations are available only to our active members.
Buy instant access to cite pages or passages in MLA 8, MLA 7, APA and Chicago citation styles.

(Einhorn, 1992, p. 25)

(Einhorn 25)

(Einhorn 25)

1. Lois J. Einhorn, Abraham Lincoln, the Orator: Penetrating the Lincoln Legend (Westport, CT: Greenwood Press, 1992), 25, http://www.questia.com/read/27419298.

Note: primary sources have slightly different requirements for citation. Please see these guidelines for more information.

Cited article

Read This before You Take Multi-Factor Plunge: Regulators Say Multi-Factor Authentication Is an Option Not a Requirement
Settings

Settings

Typeface
Text size Smaller Larger Reset View mode
Search within

Search within this article

Look up

Look up a word

  • Dictionary
  • Thesaurus
Please submit a word or phrase above.
Print this page

Print this page

Why can't I print more than one page at a time?

Help
Full screen
Items saved from this article
  • Highlights & Notes
  • Citations
Some of your highlights are legacy items.

Highlights saved before July 30, 2012 will not be displayed on their respective source pages.

You can easily re-create the highlights by opening the book page or article, selecting the text, and clicking “Highlight.”

matching results for page

    Questia reader help

    How to highlight and cite specific passages

    1. Click or tap the first word you want to select.
    2. Click or tap the last word you want to select, and you’ll see everything in between get selected.
    3. You’ll then get a menu of options like creating a highlight or a citation from that passage of text.

    OK, got it!

    Cited passage

    Style
    Citations are available only to our active members.
    Buy instant access to cite pages or passages in MLA 8, MLA 7, APA and Chicago citation styles.

    "Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences." (Einhorn, 1992, p. 25).

    "Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences." (Einhorn 25)

    "Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences." (Einhorn 25)

    "Portraying himself as an honest, ordinary person helped Lincoln identify with his audiences."1

    1. Lois J. Einhorn, Abraham Lincoln, the Orator: Penetrating the Lincoln Legend (Westport, CT: Greenwood Press, 1992), 25, http://www.questia.com/read/27419298.

    Cited passage

    Thanks for trying Questia!

    Please continue trying out our research tools, but please note, full functionality is available only to our active members.

    Your work will be lost once you leave this Web page.

    Buy instant access to save your work.

    Already a member? Log in now.

    Search by... Author
    Show... All Results Primary Sources Peer-reviewed

    Oops!

    An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.