Community

Join the Community

23,406
Expert opinions
42,304
Total members
290
New members (last 30 days)
178
New opinions (last 30 days)
29,114
Total comments
Join Sign in

Strong authentication absent in new FFIEC guidelines

  0 3 comments
Retired member
Unfollow

Yesterday the US banking regulator, the Federal Financial Institutions Examination Council (FFIEC), set out its expectations to improve internet banking authentication standards. While the FFIEC calls for, amongst other measures, layered security and more sophisticated one-time cookies where device identification is used, there is notably no mention of strong authentication in their new document.

 

Strong authentication is already widely implemented in the UK and Scandinavia through the use of tokens and various devices to support card-not-present transactions such as Mastercard's EMV-CAP card readers.

 

In the past internet banking in the US has generally not made use of strong authentication, which might explain the term's absence in the FFIEC's document, but its use has proven highly effective in other geographies.

 

Banks recognise that not all customers find using tokens convenient. However, mobile-based tokens or out-of-band verification could be a solution as a practical means of providing strong authentication without the need for users to carry tokens or card readers.

 

Overall the new guidelines are disappointing. While they do contain some good direction on the use of ‘challenge questions' for example, they focus too much on good practice for security measures used by banks today rather than on measures that might dramatically improve online banking security.

 

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

5722
 

Share

 
 
 
 
 

Channels

/payments

Comments: (6)

A Finextra member 

"Banks recognise that not all customers find using tokens convenient."

They don't seem to be doing much about it do they?... 

Online Banking Card Readers: no more room in the suitcase

In addition, how do you think FFIEC now view the security STRENGTH of tokens in light of the RSA breach ? Personally I can't see how 'guidelines' can really work in today's turbulent times for the banking sector - hence, I tend to concur.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

More than five years after the release of the first set of FFIEC guidelines - which did mandate strong two-factor authentication - there are literally thousands of non-complying banks in the USA, as can be witnessed by the long list of banks that can be linked to Mint because they don't support 2FA. By keeping silent about strong authentication now, FFIEC seems to have decided not to bother coming up with guidelines that are observed more in the breach. 

Nick Collin

Nick Collin Director at Collin Consulting Ltd

Completely agree with you Steve - strong two-factor authentication based on something I own and something I know must surely be the standard for all remote financial transactions.  There's a lively discussion going on on this subject at http://lnkd.in/_Pxvpy if you're interested.

A Finextra member 

Thanks for pointing me to that link Nick.  Off the topic of this post, but I would also like to see my CAP/DPA reader and card securing my 3-D secure on-line transaction. It's completely technically possible as (if I remember correctly) CAP is already part of the 3-D secure stack. However, we are unlikely to see it implemented for fear of it discouraging shopping on sites that use it. Meanwhile, as you point out, on-line shoppers are voting with their feet and migrating to other on-line payments that are perceived to be more secure.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@Steve B: 

"...on-line shoppers are voting with their feet and migrating to other on-line payments that are perceived to be more secure".

In the USA, which is where FFIEC is applicable, I'm a bit curious to know more about such alternatives, their market shares and the basis of the "fear of it discouraging shopping on sites that use it".

A Finextra member 

This is all off-topic from the original post. However...

If you follow Nick's link, he has some good stats on how PayPal is growing its share of on line shopping payments. So PayPal is the most prominent alternative.

The argument put forward about putting anything extra between selecting goods and making the payment is that it may discourage shoppers from completing their purchase and they may visit another site instead that does not have extra steps to get their goods. Adding CAP readers to authenticate a payment falls into this category.  I am not supporting or refuting this argument here, merely replaying it for you.

More expert opinions

Steve Wilcockson

Steve Wilcockson Technical Product Marketing at Quantexa

Context Engineering for Financial Services

Prakash Bhudia

Prakash Bhudia HOD – Product & Growth at Deriv

Fed braces for impact as stagflation fears grow

David Weinstein

David Weinstein Co-founder and CEO at KayOS

From Bottlenecks to Leverage: Re-architecting Scaleup Operations with AI Agents

2

Cliff Bunting

Cliff Bunting Director at PurplePatch Broking Ltd

The Bureau billing errors costing firms millions

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

23,406
Expert opinions
42,304
Total members
290
New members (last 30 days)
178
New opinions (last 30 days)
29,114
Total comments
Join Sign in

Trending

Scott Dawson

Scott Dawson CEO at DECTA

Innovation Doesn’t Necessarily Mean Progress

Frank Moreno

Frank Moreno CMO at Entersekt

Trusted devices and silent signals could help FIs improve fraud protection

Pete McIntyre

Pete McIntyre Financial Services Director at Planixs

From Regulation to Resilience: Why the ECB’s Intraday Liquidity Guidelines Signal a Strategic Shift

Alex Kreger

Alex Kreger Founder and CEO at UXDA Financial UX Design

Banking on Intelligence: The Global Sprint to AI Maturity in Finance

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept