Single-factor authentication is insufficient for online financial services, according to the Federal Financial Institutions Examination Council (FFIEC). In its recently updated guidelines, "Authentication in an Internet Banking Environment," which address the risks to Web-based financial services customers and risk management controls for ID authentication, the FFIEC recommends that financial services firms use multifactor authentication, such as password-generating token devices, for online activity. The SEC also released an investor guide urging multifactor authentication.
The FFIEC issued the report in response to the increased sophistication of threats and the resulting higher risk to online users. It recommends stronger authentication systems to support compliance with regulations regarding the protection of customer data, and the prevention of money laundering and terrorist financing; to prevent fraud and identity theft; and to promote legal enforceability of financial institutions' electronic transactions.
The report recommends that deployment of multifactor authentication solutions be based on the assessed risk associated with electronic financial services and products. Areas that the report suggests should be risk-mitigation priorities include account origination and customer verification, monitoring and reporting, and customer awareness. According to the report, financial services firms should implement multifactor authentication by the end of 2006.