Strong Authentication - The Bank's Perspective
Authentication is back on the table.
Word out of Washington, D.C. is that a subgroup of the Federal Financial Institutions Examination Council has begun meetings to discuss whether (or how) to amend the FFIEC's 2005 strong authentication guidance.
No one from the agencies wants to say a lot about the substance of conversations to date, but sources do say we're not likely to see any solid proposals until fall. At the earliest.
We published this story last week, along with insights from industry thought-leaders on what new authentication guidance ought to include. It was a popular piece, generating lots of tweets (you are on Twitter now, right?) and comments. Among those responses were the insights I'm going to share below.
Preface: These comments were written by an information security officer at a noted financial institution. For good reasons, he asked not to be identified, and I'm going to respect his wishes. Still, the points he raises are good ones, so I want to share them with you, and then I'd welcome your response. Without further ado ...
What Strong Authentication Really Means
Part of the problem is there is a lot of confusion over factored authentication. From the truest definition there are three authentication factors: something you know; something you have; and something you are. Two-factor authentication can include both something you know, such as a password, and something you have, such as a token. The third factor, something you are, is biometric and may or may not include the other factors. The problem is people confuse the term 'multifactor' with two-, or three-factor, when in fact multifactor could mean a single factor used twice, such as two passwords to authenticate. This does not offer the same level of security as true two-factor authentication since compromising one password means I can compromise the other.
Once more, we have a term called 'strong authentication.' Every security professional will have a different definition of what that is. In fact, it's the reason why it's in the FFIEC guidelines - to give wiggle room for interpretation. You may recall during the original request for comments for the FFIEC guidelines, a large bank executive testified his customers would not accept two-factor devices. Therefore, this is what contributed to the loose interpretation in the final language.
Strong authentication can be multifactor, or it can be two- or three-factor. But the issue I don't see people discussing is non-repudiation. Banks need this - particularly with high risk business accounts. Anyone can claim that their password and their security questions were compromised, but if I were required to have a password (something I know), a device (something I have) and better yet something I am (biometric) ... I would have a hard time arguing a transaction was compromised. My point is: You should try to achieve either two-factor or three-factor authentication, which by their very nature provide non-repudiation.
Once more, the reason this issue has surfaced mainly from business accounts is that personal accounts fall under Regulation E. It requires banks to make the customer whole. Customer whole = no complaints. On the other hand, Regulation E does not cover business accounts. Banks specify by contract with their commercial online customers that they are responsible for their transactions and account balances. Fraudsters target business accounts mainly because of the lucrative ACH and wire capabilities that personal accounts don't generally have.
What the new guidance should focus on is true two-factor or three-factor authentication. And let me be clear: An encrypted cookie or certificate on the computer is not two-factor (something you have) only because it can be easily compromised from the Internet rather than something that is in your possession.
Furthermore, to require a bank to monitor transactions puts the burden of responsibility on the bank. How can the bank determine what a good transaction is from a bad one if the originator properly authenticates? Yes, there is fraud detection monitoring software on the market, but I would argue its surety value is less than 100 percent. All it takes is one fraudulent transaction of $500,000, and you're back in the headlines again with the bank holding the blame.
There are plenty of excellent technologies out there and most are intended to be used in a layered approach. Already, I have seen banking customers scrutinize their banks for their security offering. Banks will see this as a competitive differentiator and look to satisfy these demands. It takes time. The lawsuits we have seen are not in vain. They will educate us. The bigger banks will lead the way and show the others which technologies and concepts work.
Regulators should also evaluate the rules governing ACH and wire transactions. Detecting fraud is one thing, but unwinding it is another. These rules need to change to allow better reversals of transactions when fraud does get through any of the controls.
For now, we are up to our brims with regulation. Let us continue the discussions but give it a year or two before we settle on specifics -- at least until we all understand factored authentication.
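To make the commenter's factor-counting point concrete, here is an added example (written for this post; it is not code from the commenter, his bank, or the FFIEC). It assumes a PBKDF2-protected password as "something you know" and an RFC 6238 TOTP token as "something you have" (the post only says "a token", so the TOTP choice is an assumption), and it scores each login attempt by the number of distinct factor classes that actually passed. Two correct passwords score one factor; a password plus a valid token code scores two; an encrypted cookie is scored as a copyable secret, following the commenter's argument, so it does not add a second factor. The token seed and timestamp are the RFC 6238 published test values, embedded here as constructed sample input.

```python
"""Factor accounting for a login attempt, plus a real second-factor check.

Added example, not the bank's or the commenter's code. Assumes:
  - "something you know" = salted PBKDF2-SHA256 password record
  - "something you have" = RFC 4226/6238 HOTP/TOTP token (SHA-1, 30 s step)
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password, security answer, copyable cookie
    HAVE = "something you have"   # physical token, smart card
    ARE = "something you are"     # biometric


# --- something you know: salted PBKDF2 password record -------------------
def make_password_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(record: tuple[bytes, bytes], password: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, stored)   # constant-time compare


# --- something you have: RFC 4226 HOTP and RFC 6238 TOTP -------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# --- factor accounting ----------------------------------------------------
def evaluate(results: list[tuple[Factor, bool]]) -> tuple[bool, int]:
    """Return (every check passed, number of DISTINCT factor classes that passed).

    Two checks of the same class (e.g. two passwords) still count as one factor.
    """
    passed = all(ok for _, ok in results)
    distinct = {factor for factor, ok in results if ok}
    return passed, len(distinct)


def demo() -> dict[str, tuple[bool, int]]:
    # Constructed records and the RFC 6238 test seed/time (code 287082 at t=59).
    pw_record = make_password_record("correct horse", salt=b"constructed-salt")
    pin_record = make_password_record("4921", salt=b"constructed-salt-2")
    token_seed = b"12345678901234567890"
    now = 59

    return {
        # two passwords: loosely "multifactor", but only one factor class
        "two_passwords": evaluate([
            (Factor.KNOW, verify_password(pw_record, "correct horse")),
            (Factor.KNOW, verify_password(pin_record, "4921")),
        ]),
        # password + token code: true two-factor
        "password_plus_token": evaluate([
            (Factor.KNOW, verify_password(pw_record, "correct horse")),
            (Factor.HAVE, verify_totp(token_seed, "287082", now)),
        ]),
        # a cookie can be copied off the machine, so it is scored as a
        # copyable secret (KNOW), not as possession (HAVE)
        "password_plus_cookie": evaluate([
            (Factor.KNOW, verify_password(pw_record, "correct horse")),
            (Factor.KNOW, True),
        ]),
        # a stale or guessed token code fails the second factor outright
        "password_plus_bad_code": evaluate([
            (Factor.KNOW, verify_password(pw_record, "correct horse")),
            (Factor.HAVE, verify_totp(token_seed, "000000", now)),
        ]),
    }


if __name__ == "__main__":
    for name, (ok, factors) in demo().items():
        print(f"{name:24s} passed={ok} distinct_factors={factors}")
```

The `distinct` set in `evaluate` is the whole point: a policy that requires `len(distinct) >= 2` rejects the two-password scheme the commenter criticises while accepting password plus token, and the `window` argument in `verify_totp` shows the small clock-drift tolerance a real token check needs.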