Authentication For Preventing Account Takeover
The federal government has recognized that depending solely on passwords as a way to prevent unauthorized access to online bank accounts is inadequate. The Federal Deposit Insurance Corporation, in a December, 2004 report entitled Putting an End to Account Hijacking Identity Theft, recommended that financial institutions adopt a two-factor authentication procedure for access to online accounts, to replace reliance on passwords only. The report was updated in June, 2005 with a Supplement that revised the original report on the basis of comments received. As a result, the original recommendations were modified to suggest that "the widespread use of user ID and password for remote authentication should be supplemented with a reliable form of multifactor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected."
The Federal Financial Institutions Examination Council (FFIEC), a federal interagency organization that includes the FDIC, followed up on this by issuing a "guidance" in October, 2005 that calls for banks to implement stronger forms of authentication for access to online accounts. The date given for compliance is year-end 2006. The FFIEC guidance, entitled Authentication in an Internet Banking Environment, states that "the agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."
[NOTE: On August 15, 2006, a Frequently Asked Questions document was issued by the government to aid in the implementation of the guidance. In June, 2011, a Supplement was issued to the original guidance that provided updated recommendations in response to increased attacks on online banking systems since the original guidance was issued.]
The guidance directs that banks perform a risk assessment and, "where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
Taken together, these two statements imply that one outcome of the risk assessment will be an identification of the points in a bank's Internet banking services where these high-risk transactions take place, and that "multifactor authentication, layered security, or other controls" must be put into place to prevent fraudulent transactions.
The FFIEC guidance defines customer information as "nonpublic personal information." But are all transactions that involve access to customer information necessarily "high risk"? And for those transactions that do fall under the guidance's mandate, what should replace today's single-factor authentication schemes that depend on passwords alone?
Some Implications of the FFIEC Guidance
Although the government doesn't recommend a specific solution, we believe that the most secure form of authentication to prevent account takeovers and break-ins makes use of public key infrastructures that depend on a user's ability to maintain control over a private key.
Other forms of authentication are also possible, including various implementations of one-time passwords. Choosing the "best" authentication method often involves a trade-off between cost and user convenience.
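As an added example (it is not code from the original article, nor from any bank's or vendor's product), the following Go program models the private-key-based authentication preferred above: the bank issues a random nonce, the customer's device signs it with a private key that never leaves the device, and the bank checks the signature against the public key enrolled for that customer. The names `Server`, `Enroll`, `IssueChallenge`, `Verify`, `Sign` and `Scenario`, the sample user ID "alice", and the choice of ECDSA over P-256 are all assumptions made for illustration. The scenario also shows two things a reusable password cannot offer: a captured response is useless against the next challenge, and knowing the user ID without holding the key gains nothing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server is an assumed, simplified model of the bank side: it stores each
// customer's enrolled public key and the one nonce currently outstanding.
type Server struct {
	pubKeys    map[string]*ecdsa.PublicKey // user ID -> enrolled public key
	challenges map[string][]byte           // user ID -> outstanding nonce
}

func NewServer() *Server {
	return &Server{
		pubKeys:    make(map[string]*ecdsa.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Enroll records the public half of the customer's key pair; the private
// half stays on the customer's device and is never sent to the bank.
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) {
	s.pubKeys[user] = pub
}

// IssueChallenge hands out a fresh 32-byte random nonce for the user.
// Each nonce is valid for exactly one Verify call.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// digest binds the nonce to the user ID so a signature cannot be reused
// for a different account.
func digest(user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(user))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Verify consumes the outstanding nonce (whether or not the check succeeds)
// and accepts only a signature made by the enrolled private key over it.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	return ecdsa.VerifyASN1(s.pubKeys[user], digest(user, nonce), sig)
}

// Sign is the customer-device side: answering the challenge requires the
// private key, which is the "something you have" factor.
func Sign(priv *ecdsa.PrivateKey, user string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(user, nonce))
}

// Scenario runs three logins against one server and reports whether each
// was accepted: the legitimate customer, a replay of that customer's earlier
// signature, and an impostor who knows the user ID but holds a different key.
func Scenario() (legit, replay, wrongKey bool) {
	srv := NewServer()
	custKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	srv.Enroll("alice", &custKey.PublicKey) // constructed sample user ID

	// 1. Legitimate login with the enrolled private key.
	nonce, _ := srv.IssueChallenge("alice")
	sig, _ := Sign(custKey, "alice", nonce)
	legit = srv.Verify("alice", sig)

	// 2. Replay: the captured signature is presented against a new challenge.
	_, _ = srv.IssueChallenge("alice")
	replay = srv.Verify("alice", sig)

	// 3. Wrong key: a fresh key pair the bank never enrolled.
	impostorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nonce2, _ := srv.IssueChallenge("alice")
	forged, _ := Sign(impostorKey, "alice", nonce2)
	wrongKey = srv.Verify("alice", forged)
	return legit, replay, wrongKey
}

func main() {
	legit, replay, wrongKey := Scenario()
	fmt.Printf("legitimate=%v replay=%v wrongKey=%v\n", legit, replay, wrongKey)
}
```

In a real deployment the private key would live in a smart card, token or platform key store rather than in process memory, and the server would also expire unanswered challenges after a short timeout; both are left out here to keep the exchange itself visible.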