Will SOX and GLBA Soon Require Strong Authentication?

When I go to my bank’s online web site to access my bank accounts, I only have to provide a login and password. While the web session is somewhat protected via Secure Sockets Layer (SSL), that only provides encryption for the data that travels over the Internet between my computer and the bank’s. It is not enough security to fully protect my online banking activities.

Weak authentication is characterized by the typical login and password method described above. The only thing the consumer must remember is their password. The login ID is given to, or initially created by, the customer and therefore remains the same.

A simple keylogger program, unknowingly installed on the consumer’s computer by a virus or Trojan, can capture the keystrokes used to log in to accounts. These programs can then e-mail the consumer’s login and password to a hacker without the consumer ever suspecting that the information was stolen.

Strong authentication, as opposed to weak authentication, requires at least two of the following three things when logging into an account: something the person knows, something the person possesses, or something the person is. This is why strong authentication is also referred to as multiple-factor authentication. One example is the use of your ATM or bank card: something you know is your PIN and something you have is your card.

The Federal Deposit Insurance Corporation (FDIC) issued a guidance letter to financial institutions on October 12, 2005 and expects compliance with these guidelines by year’s end 2006. The letter states that single-factor authentication (password only) is considered to be “inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.” This means that financial institutions are going to have to revamp their current authentication schemes and move towards multiple-factor authentication methods such as one-time passwords, smart cards, digital certificates, biometric identification, etc.
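To make the “something you know plus something you have” idea concrete, here is an added example (not from the article or any bank’s system) of a server-side login check that combines a hashed password with an HOTP one-time password (RFC 4226, the event-based scheme behind many hardware tokens). The account record, salt, password and shared secret are constructed for the demo; the point it shows is that a login/password pair captured by a keylogger is useless without the token, and that a captured one-time code is rejected when replayed because the server has already advanced past it.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Hypothetical account record: what the bank's server would store for one customer.
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes        # PBKDF2 of the password, never the password itself
    otp_secret: bytes     # shared with the customer's hardware/software token
    counter: int = 0      # next HOTP counter value the server will accept
    look_ahead: int = 5   # tolerate a token that was pressed a few times unused

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_login(acct: Account, password: str, otp: str) -> bool:
    """Both factors must pass, and a one-time code is never accepted twice."""
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    matched = -1
    for c in range(acct.counter, acct.counter + acct.look_ahead):
        if hmac.compare_digest(hotp(acct.otp_secret, c), otp):
            matched = c
            break
    if not (pw_ok and matched >= 0):
        return False
    acct.counter = matched + 1   # burn this code and any skipped ones before it
    return True

def demo() -> tuple:
    """Legitimate login succeeds; the same keylogged pair replayed afterwards fails."""
    salt = b"constructed-demo-salt"
    secret = b"12345678901234567890"   # RFC 4226 test-vector key, demo only
    acct = Account(salt, hash_password("hunter2", salt), secret)
    first = verify_login(acct, "hunter2", hotp(secret, 0))   # customer logs in
    replay = verify_login(acct, "hunter2", hotp(secret, 0))  # attacker replays capture
    return first, replay
```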

The Gramm-Leach-Bliley Act (GLBA) requires U.S. financial institutions to ensure the security and confidentiality of customer records. Section 404 of the Sarbanes-Oxley Act (SOX) requires the CEO and CFO of publicly traded companies to certify the effectiveness of the organization’s internal controls. Currently, no specifics have been integrated into these Acts about how this authentication should be achieved.

Therefore, there is a direct correlation between the need to improve authentication methods and compliance with Sarbanes-Oxley; however, it may not be the institutions’ strongest motivator. This movement among financial institutions to provide stronger methods of authentication for their customers is due not only to law, but to reputation, compliance, and, most importantly, insurance purposes. Reputation and being able to recover from a failure or security breach (with the aid of insurance) are far more powerful motivators than fear of financial penalties related to SOX audit failures.

However, does it make sense to amend federal law for such specific types of authentication? The devil is in the details, as they say. Technology changes so swiftly that it would be too cumbersome and impractical to legislate such things as types of authentication methods.

Who knows? Maybe two- and three-factor authentication will become a thing of the past and five-factor authentication will take its place. The same issue with encryption has been encountered over the years. Encryption algorithms have had to be continuously strengthened and improved. For example, 128 bit encryption is easily cracked and is no longer considered a secure level of encryption. With this example in mind, does it make sense for law to be involved in the technological details? I think not. The law should stay focused on making sure that “inappropriate access and unauthorized use” is not tolerated, and technologists should focus on how to achieve these goals.

While we may not expect the federal law to change specifically, it may be wise to expect customers to demand best practices, and legislation to require conformance to these best practices. Best practices are defined by such organizations as the IT Governance Institute (ITGI), established in 1998 to “advance the international thinking and standards in directing and controlling an enterprise’s information technology,” and also by organizations such as the Information Systems Audit and Control Association (ISACA), the leading association of professionals in information systems audit, control, security and governance. Financial organizations would be well served by involving technologists in the governance process from the very beginning. By doing so, organizations will more easily understand how, for example, a migration to multiple-factor authentication can be effectively achieved.


About the Author

Marcia J. Wilson, CISSP, CISM

Marcia J. Wilson is an Information Security Professional and a freelance writer. Her expertise includes network security assessments, information security policy and procedure development, business continuity and disaster recovery planning as well as security awareness training for small and medium sized companies.
