Banks get new online authentication guidelines

Computerworld - With the clock ticking for banks to implement new federal guidelines that call for stronger user authentication during online transactions, the industry's attention is shifting to the technology options available to meet the requirements.
The Federal Financial Institutions Examination Council (FFIEC) last week released new guidelines aimed at overhauling security in Internet-based banking and financial services. The guidance, titled "Authentication in an Internet Banking Environment," calls on banks to upgrade current single-factor authentication processes -- typically based on user name and passwords -- with a stronger, second form of authentication by the end of 2006.
The FFIEC guidance leaves it up to the banks to choose which kind of authentication to implement, but lists several that are now available, including biometric systems, tokens, and one-time passwords.
The FFIEC is an interagency council set up to develop standards for the federal auditing of financial institutions by bodies such as the Federal Reserve System and the Federal Deposit Insurance Corp. (FDIC).
The new guidelines are not a law, but are more like best practices that banks will be audited against by the end of 2006, a spokesman from the Federal Reserve said. At that time, federal examiners will begin documenting situations where financial institutions are not yet in compliance, he said.
"I'm not a big fan of regulations in general, but this one has the right intent," said Kevin Doyle, information security officer at Pennsylvania State Employees Credit Union (PSECU) in Harrisburg. "Online threats are going more and more toward the end users, and the FFIEC is simply reacting to that trend."
The key for banks is to make sure they choose the right authentication approach to comply with the requirements, said Robert Garigue, chief information security officer at the Bank of Montreal in Toronto. "There is no one single technology that is appropriate for all your authentication and authorization needs," he said. "You have to look at it in the context of the business value at risk," as well as consumer friendliness of the authentication technology.

Token-based authentication, for instance, is relatively expensive to implement, said Naftali Bennet, CEO of Cyota Inc. a vendor of antifraud services to the banking industry based in New York.
That's one of the reasons why San Francisco-based Bank of the West is looking at other options. "It's a cost-benefit issue, and trying to make sure you don't put any additional inconveniences on your customers," said Donald Duggan, the chief technology officer at the bank, which manages $41 billion in assets.
"My own personal viewpoint is