Analysis & Review of FFIEC Multi-Factor Authentication Guidance
The following analysis of the FFIEC Multi-Factor Authentication Guidance is the work of the author and expresses the author’s analysis of the publicly-released guidance from the FFIEC. Opinions and conclusions in this analysis are those of the author and are not derived or associated with any other person or business entity.
A sample of a basic, generic Multi-Factor Authentication (MFA) risk assessment can be found here.
The goal of the FFIEC MFA Guidance is to prevent identity theft and financial fraud arising from the misuse of customer-facing online banking applications.
The FFIEC issued the most recent MFA guidance in 2005. It is up to each federal financial regulator to adopt and enforce it. This analysis is based on the Office of the Comptroller of the Currency (OCC) promulgation of the guidance only. For OTS, FDIC, etc. please see the respective regulator websites.
The OCC promulgated the FFIEC MFA guidance in the 35th OCC bulletin of 2005, consisting of an OCC cover page on the FFIEC Guidance entitled “Authentication in an Internet Banking Environment.” This guidance supersedes the previous OCC guidance letter of 2001, including the FFIEC Guidance issued under that cover. This commentary pertains to the OCC-related enforcement only. Finally, a set of Frequently Asked Questions and Answers was published in 2006.
The scope of the guidance is narrowly applicable to the following types of financial transactions:
- The transaction is customer-initiated and occurs over the Internet, (called “e-banking” by the guidance),
- The transaction either allows the customer access to their own confidential information,
- Or allows the movement of funds to other parties.
The Guidance does not mandate the use of multi-factor authentication, but it does state that the regulatory agencies believe single-factor authentication is not enough for the above types of transactions. The guidance mandates a “risk assessment” of those transactions, followed by the selection of controls suitable to mitigate the identified risk. Much like the jointly-issued “Interagency Guidance Establishing Information Security Standards” (12 CFR Pt. 30, App. B) promulgating the Gramm-Leach-Bliley security rule, the guidance relies on the performance of a “risk assessment” as a precursor to control selection. (Click here for a discussion on the inherent difficulties and vagaries of risk assessments.)
The guidance highlights three general categories of controls for addressing the risk of customer-driven, e-banking activities
- True Multi-Factor Authentication
- Layered Security Controls
- Other Controls
Knowing that true multi-factor authentication consists of possession of two of the three authenticators (something you have, something you know, or something you are), what exactly constitutes “layered security” and “other controls”?
“Layered Security” consists of a complementary set of controls that might include some of the technologies as defined in the Appendix of the Guidance:
- Out-of-band Authentication
- IP Address Location and Geo-Location
- Mutual Authentication
- Customer Verification Techniques
“Other controls” consist of a complementary set of controls that, taken in total, effectively mitigate the risk posed by the threats to e-banking activities. The “other controls” language allows a compelling case to be made, specific to an application, set of circumstances, business process, or institution-specific scenario, that neither multi-factor authentication nor layered security is necessary. This approach is familiar to information security practitioners as “defense in depth.”
In summary, the degree to which the Multi-Factor Authentication guidance demands true multi-factor authentication, or some lesser approach, rests largely in the hands of individual bank examiners as they assess the authentication mechanisms already in place over “e-banking” applications. The Guidance is worded loosely enough that it does not mandate MFA over other approaches that are justifiable given unique situations and circumstances.
FFIEC Guidance on Multi-factor Authentication in an Internet Banking Environment
- http://www.ffiec.gov/pdf/authentication_guidance.pdf
- http://www.ffiec.gov/pdf/authentication_faq.pdf
Highlights from the Guidance
OCC Cover Letter: “Examiners should begin to assess national banks’ progress in meeting the expectations outlined in the guidance and, thereafter, monitor ongoing conformance as needed during the risk-based supervisory process. Banks are expected to have achieved conformance with the guidance by year-end 2006.”
FFIEC Guidance: “The selection and use of authentication technologies and methods should depend upon the results of the financial institution’s risk assessment process.
“Existing authentication methodologies involve three basic “factors”:
- Something the user knows (e.g., password, PIN);
- Something the user has (e.g., ATM card, smart card); and
- Something the user is (e.g., biometric characteristic, such as a fingerprint).
“The risk should be evaluated in light of:
- the type of customer (e.g., retail or commercial);
- the customer transactional capabilities (e.g., bill payment, wire transfer, loan origination);
- the sensitivity of customer information being communicated to both the institution and the customer;
- the ease of using the communication method; and
- the volume of transactions.
“A comprehensive approach to authentication requires development of, and adherence to, the institution’s information security standards, integration of authentication processes within the overall information security framework, risk assessments within lines of businesses supporting selection of authentication tools, and central authority for oversight and risk monitoring. This authentication process should be consistent with and support the financial institution’s overall security and risk management programs.
“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.
“The risk assessment process should:
- Identify all transactions and levels of access associated with Internet-based customer products and services;
- Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
- Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.
Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment, August 15, 2006
Jointly developed by the Agencies, including the OCC. http://www.ffiec.gov/pdf/authentication_faq.pdf
Of particular interest is FAQ #5: “Does the guidance require the use of multifactor authentication?”
“Answer: No, the guidance does not call for the use of multifactor authentication. The use of multifactor authentication is one of several methods that can be used to mitigate risk as discussed in the guidance. However, the guidance identifies circumstances under which the Agencies would view the use of single-factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted.”
FAQ #10: “Are the Agencies recommending multifactor authentication over layered security or other compensating controls?”
Answer: “No, any of these controls may be an effective method to mitigate risk in accordance with the guidance, if properly implemented.”
FAQ #11: “Are there banking applications where single-factor authentication as the only control mechanism would be adequate?”
Answer: “Single-factor authentication alone would be adequate for electronic banking applications that do not process high-risk transactions, e.g., systems that do not allow funds to be transferred to other parties or that do not permit access to customer information.”
FAQ #14: “Can an institution perform a risk assessment and conclude that stronger authentication is not warranted?”
Answer: “An institution’s risk assessment may conclude that existing controls are appropriate. However, such a conclusion would not be justified if the institution’s electronic banking systems use single-factor authentication as their only control for high-risk transactions involving access to customer information or the movement of funds to other parties.”
Appendix: Summary of the old 2001 OCC Advisory Letter on Multi-Factor Authentication (emphasis added):
The eighth OCC advisory letter of 2001 consists of an OCC cover page on the FFIEC Guidance on “Authentication in an Electronic Banking Environment.” The cover letter declares the OCC’s intent to use this FFIEC guidance as a benchmark against which it will examine banks. Key language includes:
Cover letter
“Financial institutions should use this guidance when evaluating and implementing authentication systems and practices, whether they are provided internally or by a third-party service provider. The OCC expects financial institutions to assess the risks to the institution and its customers and to implement appropriate authentication methods in order to manage risk effectively. Examiners will use this guidance to evaluate the effectiveness of authentication controls in banks and third-party service providers.”
FFIEC Guidance
“Existing authentication methodologies involve three basic “factors”:
- something the user knows (e.g., password, PIN);
- something the user possesses (e.g., ATM card, smart card); and
- something the user is (e.g., biometric characteristic, such as a fingerprint or retinal pattern).”
“[T]he level of authentication used by a financial institution in a particular application should be appropriate to the level of risk in that application. The risk should be evaluated in light of:
- the type of customer (e.g., retail or commercial);
- the institution’s transactional capabilities (e.g., bill payment, wire transfer, loan origination);
- the sensitivity and value of the stored information to both the institution and the customer;
- the ease of using the method; and
- the size and volume of transactions.”
“The method of authentication used in a specific electronic application should be appropriate and “commercially reasonable” in light of the reasonably foreseeable risks in that application.
“The agencies caution financial institutions that single factor authentication alone may not be commercially reasonable or adequate for high risk applications and transactions. Instead, multi-factor techniques may be necessary. Institutions should recognize that a single factor system may be “tiered” to enhance security without implementing a two-factor system. A tiered single factor authentication system would include the use of multiple levels of a single factor (e.g., the use of two or more passwords or PINs employed at different points in the authentication process).
“The guidance includes a section regarding the risks and method of validating the identity of a NEW customer, exclusively through electronic channels. The guidance then covers the authentication of EXISTING customers via technologies such as: passwords, PINs, digital certificates and PKI, physical devices such as tokens, and biometrics.
“The guidance concludes with a section on monitoring and reporting, meant to enable the DETECTION of unauthorized access. Monitoring techniques given as examples include the following: For example, a financial institution could analyze the typical transactional activity of its customers to identify suspicious patterns. Financial institutions also can rely on other control methods, such as establishing transaction dollar limits for large items that require manual intervention to exceed the preset limit. In addition, financial institutions can monitor Internet Protocol (IP) addresses and other information to identify suspicious activity.”
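As an added illustration (not from the guidance or from this post), the following Python sketch applies the three monitoring techniques quoted above to a constructed sample of one customer's activity: a preset dollar limit that holds a transfer for manual release, a comparison against the customer's own typical amounts and payees, and a check on the source IP address. Field names, threshold values and sample transactions are assumptions made for the example.

```python
from statistics import mean, pstdev

# Constructed sample history for one customer (amounts in dollars);
# field names, values and thresholds are assumptions for this example.
HISTORY = [
    {"amount": 120.0, "payee": "utility-co", "ip": "198.51.100.10"},
    {"amount": 95.0, "payee": "utility-co", "ip": "198.51.100.10"},
    {"amount": 300.0, "payee": "landlord", "ip": "198.51.100.10"},
    {"amount": 110.0, "payee": "utility-co", "ip": "198.51.100.11"},
]
HARD_LIMIT = 5000.0  # preset dollar limit; exceeding it needs manual release
Z_THRESHOLD = 3.0    # how far above the customer's usual amounts counts as unusual


def review_transfer(tx, history=HISTORY, hard_limit=HARD_LIMIT):
    """Return (decision, reasons) for a proposed funds transfer."""
    reasons = []

    # Control 1: transaction dollar limit requiring manual intervention.
    over_limit = tx["amount"] > hard_limit
    if over_limit:
        reasons.append(f"amount {tx['amount']:.2f} exceeds preset limit {hard_limit:.2f}")

    # Control 2: compare against the customer's typical transactional activity
    # (amount far above the customer's own distribution, or a never-seen payee).
    amounts = [h["amount"] for h in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    unusual = (tx["amount"] - mu) / sigma > Z_THRESHOLD if sigma > 0 else tx["amount"] > 2 * mu
    if unusual:
        reasons.append("amount is far above this customer's typical activity")
    if tx["payee"] not in {h["payee"] for h in history}:
        reasons.append("first transfer to this payee")

    # Control 3: monitor the source IP address for suspicious activity.
    if tx["ip"] not in {h["ip"] for h in history}:
        reasons.append("source IP address not previously seen for this customer")

    if over_limit:
        return "HOLD_FOR_MANUAL_REVIEW", reasons
    if len(reasons) >= 2:
        return "STEP_UP_AUTHENTICATION", reasons  # e.g. out-of-band confirmation
    if reasons:
        return "ALLOW_AND_FLAG", reasons
    return "ALLOW", reasons
```

A single weak signal only flags the transfer for review, while two or more independent signals trigger a layered control (step-up authentication) and the preset limit alone is enough to hold the transfer.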
“This interagency guidance reviews the risks and risk management features of a number of existing and emerging authentication tools. These tools are necessary to initially verify the identity of new customers and to authenticate existing customers that access electronic banking services.