Understanding two-factor authentication as mandated by the FFIEC

While the FFIEC agrees with the traditional definition of two-factor authentication, not all of its recommendations for complying with its mandate to implement two-factor authentication qualify as such -- creating confusion for the financial institutions and the value-added resellers (VARs) helping them. This tip, reposted courtesy of

    Requires Free Membership to View

SearchSecurity.com, explains what qualifies as two-factor authentication and what the FFIEC is expecting from Web-based financial institutions.

Two-Factor Authentication Crash Course
Visit our Two-Factor Authentication Crash Course designed specifically for VARs and systems integrators to learn more about the FFIEC's mandate and the limitations of two-factor authentication.

The Federal Financial Institutions Examination Council's (FFIEC) guidelines requiring two-factor authentication for Web-based banking and financial transactions and their October follow-up recommendation for increased online security in 2006, has caused a lot of concern in the financial world. The panic and confusion stems, not from the definition of two-factor authentication, but its implementation. Let's start by explaining the standard definition of two-factor authentication and compare it with the FFIEC's view.

To information security professionals, authentication can consist of any of three simple factors:

  1. Something you know. This is a user ID and password or challenge-response questions, such as asking your mother's maiden name, favorite color or some other user-created question.
  2. Something you have. This is something you physically carry that contains your authentication credentials, such as a smart card, token or device.
  3. Something you are. These methods are a little more personal and include biometric devices that check a particular physical characteristic, such as a fingerprint, face or even the shape of their iris, before granting access.

Typically, two-factor authentication is any of the above two combined. Some examples would be a user ID and password used with a smart card reader, a one-time password token used with a fingerprint scanner, or an ATM card with a PIN. While the FFIEC agrees with the standard definitions of two-factor authentication and accurately outlines them in its document, some of its recommendations for implementation don't fit the mold of widely-accepted methods of two-factor authentication.

The FFIEC's directive describes out-of-band authentication, mutual authentication and Internet Protocol Address location as acceptable two-factor authentication systems. This confuses the issue, since these aren't authentication systems, let alone two-factor ones, by any definition described above. These systems don't verify users. They check for fraudulent transactions, verify the identity of the bank to the online customer, or confirm the user is logging on from their own computer – in other words, they verify the computer, rather than the user.

This means a host of products that don't authenticate users could meet the FFIEC's two-factor criteria. And, although the FFIEC doesn't endorse any particular company's product or technology, fraud detection products and digital watermarks could meet the standard under their definition.

So, how is a financial institution supposed to comply amidst this confusion? Is the FFIEC directive about fraud or authentication? It seems to mix both in the name of authentication.

Remember, above all, the directive recommends that the decision to use two-factor authentication be risk-based. So, do a thorough risk assessment and analysis of your banking Web site first. Ask yourself questions about the size and type of transactions. Are they high in value? Can customers transfer funds from their account to another bank or financial institution? Could a malicious user potentially transfer funds or drain a legitimate customer's account?

Also, before fingerprinting your customers or measuring their irises, determine exactly what your vulnerabilities and risks are, document them and then, if required, choose your two-factor implementation accordingly. It may not be what you had originally expected, and it may still satisfy the FFIEC.

About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He specializes in Web and application security and is the author of
The Little Black Book of Computer Security available from Amazon.

This tip originally appeared on SearchSecurity.com.

This was first published in November 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.