FDA News
96% of U.S. Banks Failing to Implement FFIEC Multi-Factor Authentication: Study
(July 03, 2007)-- A study released last month by Sestus Data Company and BearingPoint Financial Services Information Security Group reports 96% of U.S. banks are failing to implement FFIEC-recommended multi-factor authentication, opting instead for authentication methods that solicit confidential information from consumers.
On August 15, 2006, the Federal Financial Institutions Examination Council (FFIEC) issued a Supplement in which it clarified what it considered to be true multi-factor authentication: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication."
The study evaluated a statistical sample of 100 U.S. banks whose published website statements asserted compliance with the FFIEC multi-factor authentication guidelines. The study analyzed the authentication methods employed by each bank to determine whether the sampled banks were, in fact, consistently employing "solutions from two or more of the three categories of factors", i.e. something the user knows, something the user has, or something the user is.
FINDINGS: WIDESPREAD NON-COMPLIANCE WITH REGULATORY GUIDELINES
According to the study, the U.S. banking industry appears to be ignoring or misinterpreting the FFIEC's multi-factor guidelines in favor of single-factor authentication methods that require consumers to divulge (previously undisclosed) confidential personal information in order to access their online accounts.
The study authors found, "1) overwhelming use of single-factor challenge/response, image-based, and other knowledge based authentication methods purporting to be multi-factor authentication, 2) numerous and varied mis-interpretations regarding the definition of "something the user has", and 3) a high probability for increasing online fraud and loss of consumer privacy as a result of widespread adoption of challenge/response and other knowledge-based systems."
According to the study:
64% of U.S. banks offer only single-factor authentication methods. Where they had previously solicited only logins and passwords, they now solicit additional information in the form of challenge questions. A challenge question, like a password, belongs to the "something the user knows" category, so asking for MORE of it adds information but not a second factor. These banks apparently believe that doing so meets the regulatory definition of multi-factor authentication, a mistaken assumption which the FFIEC's Supplement has already refuted.
26% of U.S. banks are adopting authentication methods which are "inconsistently multi-factor". These banks attempt to retrieve a cookie or other device-resident information in order to satisfy the "something the user has" factor; however, when this information cannot be retrieved, they fall back on soliciting more of "something the user knows" in the form of challenge questions. Because an attacker logging in from a machine without the cookie is simply routed down the fallback path, the login is only as strong as that weaker path.
6% of U.S. banks do offer consistently multi-factor authentication methods as an option, but then permit their members to opt out of using such methods. If the member chooses to opt out, the bank employs only single-factor methods.
Only 4% of the sampled banks employed consistently multi-factor authentication methods.
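The four buckets above share one underlying test: a login is consistently multi-factor only if every path through the flow, including cookie fallbacks and opt-outs, touches at least two of the three factor categories. The following script is an added illustration of that test, not code from the study or from any bank; the step names, the Step/classify helpers and the four sample bank flows are constructed here to mirror the four patterns the study describes.

```python
"""Check whether an online-banking login flow is consistently multi-factor
in the sense of the FFIEC Supplement: every way the login can complete must
use solutions from at least two of the three factor categories.

Added illustration, not part of the study or of any bank's code. The step
names and the four sample flows are constructed to mirror the four patterns
the study reports (single-factor, cookie-with-fallback, opt-out, consistent).
"""
from dataclasses import dataclass
from typing import Optional

KNOWS = "something the user knows"
HAS = "something the user has"
IS = "something the user is"


@dataclass
class Step:
    name: str
    category: str                      # KNOWS, HAS or IS
    fallback: Optional["Step"] = None  # taken instead when this step cannot complete (e.g. cookie missing)
    optional: bool = False             # member may opt out and skip the step entirely


def login_paths(steps):
    """Enumerate every sequence of (step name, category) a login may pass through."""
    paths = [[]]
    for step in steps:
        alternatives = []
        s = step
        while s is not None:            # the step itself, then each fallback in turn
            alternatives.append((s.name, s.category))
            s = s.fallback
        if step.optional:
            alternatives.append(None)   # opted out: the step contributes nothing
        paths = [p + ([a] if a else []) for p in paths for a in alternatives]
    return paths


def classify(steps):
    """Return (label, weakest path), labelled with the study's four buckets.

    The weakest path is what an attacker who lacks the cookie or token sees."""
    paths = login_paths(steps)
    strengths = [len({cat for _, cat in p}) for p in paths]
    weakest = paths[strengths.index(min(strengths))]
    if min(strengths) >= 2:
        return "consistently multi-factor", weakest
    if max(strengths) < 2:
        return "single-factor", weakest
    if any(s.optional for s in steps):
        return "multi-factor with opt-out", weakest
    return "inconsistently multi-factor", weakest


# Constructed sample flows, one per pattern in the study (hypothetical banks).
password = Step("password", KNOWS)
challenge = Step("challenge question", KNOWS)
cookie_or_challenge = Step("device cookie", HAS, fallback=Step("challenge question", KNOWS))
hardware_token = Step("one-time-password token", HAS)
optional_token = Step("one-time-password token", HAS, optional=True)

SAMPLE_BANKS = {
    "bank A": [password, challenge],             # password plus more "knows"
    "bank B": [password, cookie_or_challenge],   # cookie, but falls back to "knows"
    "bank C": [password, optional_token],        # real second factor, but opt-out allowed
    "bank D": [password, hardware_token],        # consistently two categories
}


def audit(banks=SAMPLE_BANKS):
    """Map each bank to its classification label."""
    return {name: classify(steps)[0] for name, steps in banks.items()}


if __name__ == "__main__":
    for name, steps in SAMPLE_BANKS.items():
        label, weakest = classify(steps)
        print(f"{name}: {label}; weakest path: {[n for n, _ in weakest]}")
```

The point of enumerating paths rather than just counting the factors a bank advertises is that bank B and bank C both present a "something the user has" step on their best path, yet both degrade to a single category on their weakest one, which is exactly the path a fraudster takes.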
STUDY PREDICTS LOSS OF CONSUMER PRIVACY WILL INCREASE
This study represents the first attempt to measure industry compliance with the FFIEC's multi-factor guidelines since their publication in 2005, and it presents a grim picture.
U.S. banks appear to be ignoring or misinterpreting the FFIEC's call for "true multi-factor authentication" in favor of authentication methods which will actually contribute to the loss of consumer privacy. The study warns, "The stage is being set for an online privacy crisis fueled by millions of pieces of previously-undisclosed personal information solicited by thousands of legitimate financial websites as well as by tens of thousands of fraudulent websites."