July/August 2006
Published by BAI

In Search of ‘Multi-factor Authentication’

BY STEVE GARMHAUSEN

Banks tap consultants and solutions providers to find ‘the perfect balance between enhanced security, affordability and customer adoption’ by year-end

| SYNOPSIS | When federal regulators directed banks to institute more robust authentication measures by the end of 2006, they provided little guidance on what was required to be considered in compliance. With consultants and solutions providers, banks are researching an array of options for customer segments and transactions. Some early movers have implemented robust schemes; some are in “wait-and-see” mode.

When the Federal Financial Institutions Examination Council (FFIEC) issued guidance in October 2005 calling on banks to improve their on-line security by the end of this year, the directive was distinguished by its lack of specificity. More than halfway through the year, many bankers are still struggling to define what “multi-factor authentication” will mean for their institutions.

“Most banks get the concept of compliance,” says Tripp Johnson, senior director at Cornerstone Advisors, in Scottsdale, Ariz. “But there’s usually a pretty detailed checklist that goes to audit, risk management and Information Technology (IT). In this case, there’s the question of what’s going to make a financial institution compliant.”

The FFIEC’s guidance simply said that if an electronic banking system permits high-risk transactions (i.e., exposes customer funds or identities to potential fraud), single factor authentication alone is inadequate. “Factor” in this context refers to a method by which a customer’s identity is authenticated. Most financial institutions have used just one factor in their online banking systems, typically a password or passcode. The FFIEC said institutions should implement multi-factor authentication, layered security or other controls “reasonably calculated” to mitigate the risks.

The council stopped short, however, of detailing the factors or controls that would be deemed in compliance. “The regulators are smart — they throw it in banks’ laps,” says Ariana-Michele Moore, a senior analyst at Celent LLC, a Boston-based research firm. “They’re saying ‘We’re not going to be liable.’ That’s why a lot of fuss is being made about these recommendations.”

Michael Jackson, associate director in the Federal Deposit Insurance Corp.’s division of supervision and consumer protection, says the guidance reflects bank wishes as expressed during the comment period. According to Jackson, banks asked that the guidelines be drawn broadly. “The industry asked for maximum flexibility, for us not to be prescriptive,” he says.

The bottom line is that banks are left to their own devices to identify an appropriate path. And in doing so, they must balance multiple and often competing concerns. “We’ve been analyzing myriad offerings from solutions providers,” says Alecia Kontzen, senior vice president and e-commerce risk manager at Charlotte, N.C.-based Wachovia Corp. “We’re looking for something that will strike the perfect balance between enhanced security, affordability and customer adoption.”

To date, Wachovia has “test-driven” about 20 different solutions, according to Kontzen.

Bank experience thus far is demonstrating that there’s no one-size-fits-all template. Instead, experts say, solutions will need to be based on each institution’s size, technological capabilities, financial resources and customer base.

The Compliance Issue

The main challenge facing banks is the assessment of their risk levels and the provision of adequate security against those risks in coordination with and across all business units that offer remote banking.

Phishing attacks, malware and spyware make up a “grab bag” of threats, according to Steve Mott, principal of payments consultancy BetterBuyDesign, in Stamford, Conn. Solutions providers often specialize in one threat, emphasizing it more than others, Mott says.

Some companies have merged in an effort to offer one-stop shopping. Last year, RSA Security Inc., of Bedford, Mass., acquired New York City-based Cyota Inc. In April, RSA struck again, buying PassMark Security Inc., of Menlo Park, Calif.

In any case, given the vagueness of the FFIEC guidelines, banks are responsible for ascertaining their own risk levels and then providing adequate security to be in compliance. “At the end of the day, if we can identify that we’ve reduced risk, I think we’ll have hit the mark,” says Wachovia’s Kontzen. Some banks are proceeding by seeking feedback from regulators as they move toward the deadline.

For example, executives at St. Louis, Mo.-based Commerce Bancshares Inc. have been meeting regularly with Office of the Comptroller of the Currency officials. “The direction we’ve gotten is that we need to kind of bring them along every step of the way,” says Cindi Tetrault, manager of online banking at Commerce.

But according to consultant Johnson, comments from regulatory agencies have not been consistent, a concern for banks overseen by multiple agencies. In this somewhat murky environment, some banks are taking a wait-and-see approach, a fact that concerns Johnson. He worries that with about 20 solution providers catering to the nation’s 8,000 banks and credit unions, those getting started now may find themselves behind the curve.

But Mott expects that most banks should be able to meet the minimum level of compliance by the deadline, even though many have gotten a late start. This spring there was a suggestion that the December 31 deadline itself was flexible. A March 17 American Bankers Association (ABA) newsletter reported that regulators had been “interpreting the deadline by saying that the date is not a ‘hard line in the sand.’

“We have heard the term ‘substantially compliant’ used to describe what is expected,” said the item in the newsletter, which is produced by the office of the ABA’s chief economist. Not so, insists the FDIC’s Jackson. Field examiners may grant a grace period to banks only in cases where a major event outside their control, such as Hurricane Katrina, delayed their efforts to comply, he says. “Banks have had well over a year to start this process,” he says. “Expectations are that they should have done a risk assessment and implemented the technology by year-end ’06.”

In May, the FFIEC was known to be working on an internal document to clarify what’s expected. The document, which is not available, is intended to promote uniform enforcement among regulatory agencies, said Jackson. He said the agency is discussing whether to release the document.

Industry Response

In the debate over authentication, bankers do not have to seek all their guidance from regulators. They can also look at those few institutions that moved on multi-factor authentication before the FFIEC issued its guidance. None of those institutions is claiming that regulators have judged them to be in compliance ahead of the deadline. But the early movers have consulted along the way with regulators, says Mott.

Even before the FFIEC guidance, many banks deployed strong authentication techniques for customers who move large amounts of money around. Commerce, for instance, started using tokens five years ago for employees and commercial customers who do high-dollar transactions. “We have talked about doing it on a wider basis,” says Tetrault. “It really depends on the customer.”

Because the sense is that higher dollar transactions call for heightened security, many institutions are likely to use more than one kind of technology solution.

Greg Hughes, chief security executive at solution provider Corillian Corp., of Hillsboro, Ore., says most of its bank clients are responding to the guidance with what’s known as relative risk assessment. The approach examines all online applications, including corporate, consumer and retail banking and brokerage.

According to the risk in each area, the security solution may range from very strong authentication mechanisms, such as tokens or biometric devices, to “passive authentication and behavior analysis” that identifies behaviors that are not in character for a particular user and then asks questions to validate the site to the user. For less risky applications, the user name and password system already in place may suffice, says Hughes.
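The relative-risk tiering Hughes describes, with strong authentication for high-risk applications, behaviour-triggered step-up in the middle and the existing password at the low end, as an added Python illustration (not code from Corillian or any bank named here; the application list, weights, thresholds and the sample customer profile are constructed assumptions):

```python
# Added illustration of the tiered, risk-based authentication described above.
# Thresholds, weights, field names and sample data are constructed assumptions.
from dataclasses import dataclass

PASSWORD, CHALLENGE, STRONG = "password", "challenge", "strong"

# Inherent risk of each online application (the "relative risk assessment").
APP_BASE_RISK = {"retail": 0, "brokerage": 20, "commercial": 30}

@dataclass
class Profile:
    """Passive baseline built from a customer's past sessions (constructed)."""
    known_devices: set
    usual_regions: set
    typical_amount: float            # median transfer amount seen historically
    high_value_floor: float = 10_000.0   # amount that always requires strong auth

@dataclass
class Event:
    app: str
    device: str
    region: str
    amount: float = 0.0

def risk_score(profile: Profile, ev: Event) -> int:
    """0-100: application risk plus out-of-character behaviour signals."""
    score = APP_BASE_RISK.get(ev.app, 30)       # unknown app: treat as high risk
    if ev.device not in profile.known_devices:
        score += 25                              # unrecognised device
    if ev.region not in profile.usual_regions:
        score += 25                              # unusual location
    if profile.typical_amount and ev.amount > 5 * profile.typical_amount:
        score += 20                              # far above this customer's norm
    return min(score, 100)

def required_factor(profile: Profile, ev: Event) -> str:
    """Map the score to the authentication the transaction must present."""
    if ev.amount >= profile.high_value_floor:
        return STRONG                # high-dollar transfers: token or biometric
    score = risk_score(profile, ev)
    if score >= 60:
        return STRONG
    if score >= 25:
        return CHALLENGE             # behaviour-triggered step-up questions
    return PASSWORD                  # low risk: existing credentials suffice
```

A customer logging in from a known device in their usual region to retail banking stays on the password tier, while a new device in a new region moving an unusually large amount is pushed straight to strong authentication.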

Fifth Third Bancorp, in Cincinnati, Ohio, may end up implementing a “base level” of strong authentication for all customers, says Debbie Wheeler, chief information security officer. Customers would be able to opt in to additional kinds of security tools. Options would carry a minimal cost or be free to customers above a certain asset threshold, she says.

Christopher Young, senior vice president and general manager with RSA Security, says many banks have expressed interest in a solution that will get them in compliance by year’s end, but can then be improved upon. “They’re interested in getting started with a solution that allows them to be as flexible as possible to implement other forms of authentication as needs change,” says Young.


Mr. Garmhausen is a freelance writer based in Brooklyn, N.Y.

Copyright © 2006 by Banking Strategies, published by BAI.
