October 21st, 2005, 04:49 AM
Banks get new online authentication guidelines
Biometric systems, tokens and one-time passwords are possible solutions
With the clock ticking for banks to implement new federal guidelines that call for stronger user authentication during online transactions, the industry's attention is shifting to the technology options available to meet the requirements.
The Federal Financial Institutions Examination Council (FFIEC) last week released new guidelines aimed at overhauling security in Internet-based banking and financial services. The guidance, titled "Authentication in an Internet Banking Environment," calls on banks to upgrade current single-factor authentication processes -- typically based on user name and passwords -- with a stronger, second form of authentication by the end of 2006.
The FFIEC guidance leaves it up to the banks to choose which kind of authentication to implement, but lists several that are now available, including biometric systems, tokens, and one-time passwords.
The FFIEC is an interagency council set up to develop standards for the federal auditing of financial institutions by bodies such as the Federal Reserve System and the Federal Deposit Insurance Corp. (FDIC).
The new guidelines are not a law, but are more like best practices that banks will be audited against by the end of 2006, a spokesman from the Federal Reserve said. At that time, federal examiners will begin documenting situations where financial institutions are not yet in compliance, he said.
"I'm not a big fan of regulations in general, but this one has the right intent," said Kevin Doyle, information security officer at Pennsylvania State Employees Credit Union (PSECU) in Harrisburg. "Online threats are going more and more toward the end users, and the FFIEC is simply reacting to that trend."
The key for banks is to make sure they choose the right authentication approach to comply with the requirements, said Robert Garigue, chief information security officer at the Bank of Montreal in Toronto. "There is no one single technology that is appropriate for all your authentication and authorization needs," he said. "You have to look at it in the context of the business value at risk," as well as consumer friendliness of the authentication technology.
\"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster
October 21st, 2005, 07:22 AM
I believe this is a step in the right direction but, this will also create more work for the tech support people lol... the more complicated you make it the less average users will understand it. and if someone REALLY wants your info this isnt gonna stop them. but it is a step in the right direction
October 21st, 2005, 03:56 PM
I just recently worked for the number two bank in the country on tresury services...I know that by january all of the high end customers are goign to be reciveing rsa tolkens for security. No idea how long this will take to trickel down to nonmultimillion dollar customers.
Who is more trustworthy then all of the gurus or Buddha’s?