
FFIEC Authentication in an Internet Banking Environment Guidance

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions. In 2001, the FFIEC issued a guidance entitled Authentication in an Electronic Banking Environment, which was subsequently updated in 2005 as Authentication in an Internet Banking Environment. The guidance provided a recommended framework for evaluating risk and the application of authentication systems and practices.

A supplement to the FFIEC Guidance on Internet Banking Security, published in June 2011, provides an updated view of best practices for securing online banking based on today's threat landscape. The concepts addressed in the supplement are widely recognized by the private sector as critical to preventing online banking fraud. Examiners will begin applying the enhanced expectations in January 2012. These include:

Layered Security
The concept of Layered Security extends security controls beyond the initial session login to include online banking transactions and administrative functions. This is driven by an increase in real-time attacks that target transactions, such as ACH, wire transfer, and payroll payments. A high level of importance has been placed on identifying suspicious transactions. To minimize the impact on customers, this must be coupled with an easy and effective means for customers to approve legitimate transactions. For many, this involves migrating away from OTP tokens, which the FFIEC points out have proven to be vulnerable to attack. Instead, financial institutions will need to look to methods like fully out-of-band technologies that can be used to verify logins, transactions, and administrative functions and offer protection from keyloggers and MITM/MITB attacks.

Stronger Authentication Methods
In addition, the updated guidance calls for an overall strengthening of authentication technologies. It notes that out-of-band authentication has taken on a new level of importance given the preponderance of malware running on customer PCs, which can defeat OTP tokens, device identification, challenge questions, and many other forms of strong authentication. In particular, closed loop methods that complete the authentication in an out-of-band channel are seen as offering a greater level of security.

The guidance specifically points to out-of-band authentication as an effective control against these attacks, and recommends use of both dual customer authorization through different access devices and the use of out-of-band verification for transactions.

PhoneFactor Offers Rapid, Cost Effective Compliance with FFIEC

PhoneFactor enables banks to meet these requirements by authenticating online banking logins and verifying funds transfers, such as ACH and wire transfers, through a completely out-of-band process using any ordinary phone. PhoneFactor works by placing an automated phone call, sending a text message, or pushing a notification to an app on the user's smartphone when a transaction is initiated. Transaction details like amount and destination account can be presented during the authentication. The user simply enters # (or a PIN) on the phone keypad, replies to the text message, or taps "Authenticate" in the phone app to approve legitimate logins and transactions.
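The closed-loop, transaction-bound approval described above (the transaction details the customer sees on the second channel are the only details the bank will execute) can be sketched as follows. This is an added illustration, not PhoneFactor's or the FFIEC's code; the class and method names, the in-memory "phone" prompt and the HMAC key are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    user: str
    amount_cents: int
    dest_account: str


def _fingerprint(key: bytes, approval_id: str, tx: Transaction) -> str:
    """HMAC over the exact details shown out-of-band, so an approval token is
    only valid for the one transaction the customer actually saw."""
    msg = f"{approval_id}|{tx.user}|{tx.amount_cents}|{tx.dest_account}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class OutOfBandVerifier:
    """Bank-side half of a closed-loop out-of-band verification (hypothetical)."""

    def __init__(self, key: bytes):
        self._key = key                       # constructed demo key, not a real secret
        self._pending: dict[str, Transaction] = {}

    def initiate(self, tx: Transaction) -> tuple[str, str]:
        """Record the transaction as received and build the prompt the second
        channel (call / SMS / app push) presents. If in-browser malware already
        altered the destination, the customer sees the altered account here."""
        approval_id = secrets.token_hex(8)
        self._pending[approval_id] = tx
        prompt = (f"Approve transfer of ${tx.amount_cents / 100:,.2f} "
                  f"to account {tx.dest_account}? Press # to approve.")
        return approval_id, prompt

    def approve(self, approval_id: str) -> str:
        """Customer pressed # on the phone: issue a token bound to the recorded details."""
        tx = self._pending.get(approval_id)
        return _fingerprint(self._key, approval_id, tx) if tx else ""

    def execute(self, approval_id: str, submitted: Transaction, token: str) -> bool:
        """Execute only if the browser-submitted details match what was shown
        out-of-band and the token was issued for exactly those details (one use)."""
        recorded = self._pending.get(approval_id)
        if recorded is None or recorded != submitted:
            return False                      # MITB-modified details are rejected
        if not hmac.compare_digest(_fingerprint(self._key, approval_id, recorded), token):
            return False
        del self._pending[approval_id]        # single-use: no replay of the approval
        return True
```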

PhoneFactor can also be used to verify administrative functions, such as the creation of new payees, user changes, and payroll modifications. In addition, the updated Guidance identified emerging trends like biometrics and the use of dual controls, which PhoneFactor offers as well.

PhoneFactor is trusted by leading banks and financial institutions to meet FFIEC and other industry regulatory requirements for strong authentication. PhoneFactor’s unique Universal Banking Gateway enables instant integration with any online banking platform, even hosted solutions. No custom coding is required. The system is easy to set up, automates user enrollment, and requires very little ongoing maintenance.

Learn more about out-of-band authentication, including its role in addressing the latest FFIEC Guidance, in the whitepaper 2011 FFIEC Authentication Guidance: A New Standard For Online Banking Security.