Authentication in an Internet Banking Environment

Excerpts from FFIEC Guidelines

… The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks …

… Financial institutions engaging in any form of Internet banking should have effective and reliable methods to authenticate customers. An effective authentication system is necessary for compliance with requirements to safeguard customer information (3), to prevent money laundering and terrorist financing (4), to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions. The risks of doing business with unauthorized or incorrectly identified persons in an Internet banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements.

There are a variety of technologies and methodologies financial institutions can use to authenticate customers.  These methods include the use of customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types of “tokens”, transaction profile scripts, biometric identification, and others.  The level of risk protection afforded by each of these techniques varies. The selection and use of authentication technologies and methods should depend upon the results of the financial institution’s risk assessment process.

Existing authentication methodologies involve three basic “factors”:

            • Something the user knows (e.g., password, PIN);

            • Something the user has (e.g., ATM card, smart card); and

            • Something the user is (e.g., biometric characteristic, such as a fingerprint).

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN). …
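As an added illustration (not part of the FFIEC text), the following Python maps the credential types named above to their factor category, counts only distinct categories when deciding whether a login is multifactor, and applies the guidance that a high-risk transaction needs more than one factor; the credential and transaction names are assumed for the example.

```python
from enum import Enum


class Factor(Enum):
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Credential types named in the guidance, mapped to their factor category
# (the key names themselves are assumed for this example).
CREDENTIAL_FACTOR = {
    "logon_id": Factor.KNOWS,
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "atm_card": Factor.HAS,
    "smart_card": Factor.HAS,
    "fingerprint": Factor.IS,
}

# Transaction classes the guidance treats as high-risk (names assumed).
HIGH_RISK = {"access_customer_info", "transfer_to_third_party"}


def distinct_factors(credentials):
    """Return the set of factor categories covered by the credentials."""
    factors = set()
    for cred in credentials:
        # Fail closed: an unknown credential type must not count as a factor.
        if cred not in CREDENTIAL_FACTOR:
            raise ValueError(f"unrecognised credential type: {cred!r}")
        factors.add(CREDENTIAL_FACTOR[cred])
    return factors


def is_multifactor(credentials):
    """True only when two or more *different* categories are present.

    Password + PIN is still single-factor: both are something the user knows.
    """
    return len(distinct_factors(credentials)) >= 2


def authorize(transaction, credentials):
    """Apply the guidance: a high-risk transaction requires multifactor auth."""
    factors = distinct_factors(credentials)
    if transaction in HIGH_RISK and len(factors) < 2:
        return False, "single-factor authentication is inadequate for this transaction"
    return True, "factors: " + ", ".join(sorted(f.name for f in factors))
```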

The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

(1) Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.

(2) Customer information means any record containing nonpublic personal information as defined in the Interagency Guidelines Establishing Information Security Standards at section I.C.2. 12 CFR Part 30, app. B (OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (FRB); 12 CFR Part 364, app. B (FDIC); 12 CFR Part 570, app. B (OTS); and 12 CFR Part 748, app. A (NCUA).

(3) The Interagency Guidelines Establishing Information Security Standards that implement section 501(b) of the Gramm–Leach–Bliley Act, 15 USC 6801, require banks and savings associations to safeguard the information of persons who obtain or have obtained a financial product or service to be used primarily for personal, family or household purposes, with whom the institution has a continuing relationship. Credit unions are subject to a similar rule.

(4) The regulations implementing section 326 of the USA PATRIOT Act, 31 USC § 5318(l), require banks, savings associations and credit unions to verify the identity of customers opening new accounts. See 31 CFR 103.121; 12 CFR 21.21 (OCC); 12 CFR 563.177 (OTS); 12 CFR 326.8 (FDIC); 12 CFR 208.63 (state member banks), 12 CFR 211.5(m) (Edge or agreement corporation or any branch or subsidiary thereof), 12 CFR 211.24(j) (uninsured branch, an agency, or a representative office of a foreign financial institution operating in the United States) (FRB); and 12 CFR Part 748.2 (NCUA).

*****

Expanded Examples

Existing authentication methodologies involve three basic “factor” options:

            • Something the user knows:
                          [e.g., user ID, password, or PIN]

            • Something the user has:
                          [e.g., secure client application program, ATM card,
                          smart card, two secure networks, PC footprint]

            • Something the user is:
                          [e.g., user biometric characteristic, such as a fingerprint]