By Cory Levine, Wall Street & Technology
The financial services industry's effort toward secure authentication for online financial transactions was bumped up a spot or two on the old to-do list last week. The Federal Financial Institutions Examination Council (FFIEC) released a list of frequently asked questions, clarifying some of the lingering issues surrounding last year's guidance on risk-based authentication. Meanwhile, the Financial Services Technology Consortium (FSTC) announced its intentions to improve how financial institutions authenticate themselves to users, to curb phishing, pharming, spoofing and malware attacks.

The FFIEC's release seems to further muddle precisely what the regulators expect, stating that the use of multifactor authentication is not required. However, the document does specify that, based on the level of risk involved, there are multiple circumstances under which single-factor sign-on is insufficient, and it points to "layered security" and "other compensating controls" as alternatives. The document goes on to provide very vague definitions of this very vague terminology, and those responsible for online security are left shrugging.
The FAQs do make some notable clarifications. For instance, while a financial institution can rely on a risk assessment performed by a service provider, risk management in online transactions is ultimately the responsibility of the FI. And rather than simply ramping up security across all types of transactions, institutions must use risk-based solutions. Checking an account balance and transferring funds should likely have two different means of authentication according to the guidance, with the former being less robust than the latter. The FFIEC also noted that a customer may not opt out of additional authentication controls, and that even though the customer may want to take on the risk, doing so would undermine regulators' intentions and the FI should impose authentication tactics.
Also making news last week was the FSTC, which announced a "major project" to develop agreed-upon technologies and methodologies for mutual authentication. This new effort is, in essence, a spinoff of the FSTC's recently completed Better Mutual Authentication project, which sought to define the industry requirements in online authentication. Said Dan Schutzer, executive director of the FSTC, "With this project, we intend to leverage and influence existing technology and social initiatives coming out of the computer and communications vendor community to address our needs in financial institutions' Web site and e-mail authentication. This will include making many of these solutions from the vendor community more workable through cooperation and partnership with institutions throughout North America and beyond."