First, it is still "guidance." I would be the last to tell you not to give it your full attention. My regulator, for instance, has made it very clear that we are expected to be "in substantial conformance by December 31, 2006." But the FFIEC did not mandate second-factor authentication. They did mandate that you assess the risk of transactions and determine what is an appropriate level of authentication based on that risk. So if someone tells you that you must implement second-factor authentication, that is not strictly true.
"The implementation of appropriate authentication methodologies should start with an assessment of the risk posed by the institution's internet banking systems."
So, as a first step, banks are required to conduct a risk assessment. Each bank has to evaluate its own internet banking processes and determine what the level of risk is in each area. There are three ways to look at authentication on your website:
Gateway authentication -- everyone entering the website is required to use the same authentication mechanism.
Zone-based authentication -- some banks will segment their online application to several risk zones (e.g., account balance in one risk zone, bill payment in a second risk zone, and ACH/wire in a third risk zone), and treat all transactions in each specific zone in the same manner. This approach seems to be compliant with the FFIEC guidance; however, each transaction is different and zone-based authentication may still require some users to use stronger authentication when it is not necessary.
Transactional risk-based authentication -- assessing the risk of each individual online transaction and activity (such as login, wires and bill payment) and adjusting the authentication accordingly. Rather than pre-define zones as high or low risk, the transactional level data can provide a more granular assessment of risk.
There are vendors with solutions in each of these spaces. You need to decide which approach works best for you.
Dave Cullinane is the CISO of Washington Mutual
30 seconds on...Customers first:
Dave Cullinane says authentication solutions that drive customers away are not good ones. Research indicates that customers expect you to provide the protection -- not ask them to take extra steps or pay extra for protection.
Talk to customers:
What will be required to enroll customers in the system? How much may they be inconvenienced by the controls you put in place? Look at solutions in terms of customer impact and ease-of-use, says Cullinane.
Not all agree
Bruce Schneier says cybercriminals will likely adjust their scams to meet the new challenge of second-factor authentication. Passwords are weak as well, he says, because they are too easy to lose control of as people pass them on too readily.
Regulatory requirements:
GLBA requires financial institutions to assess threats and adjust security programs accordingly. Cullinane suggests making sure your solution will adapt to a changing threat environment driven by experienced fraudsters.