To Be or Not To Be Compliant? That is the Multi-Factor Question


With the regulatory deadline for compliance now six months past, many U.S. financial institutions still have not implemented multi-factor authentication for their websites. Other institutions are now discovering that challenge / response or image-based systems they rushed to implement before the deadline fail to meet regulatory guidelines.


Sestus Data Company revealed today that the fastest growing segment of its multi-factor authentication customer base is made up of organizations that had previously adopted challenge / response or site authentication image-based systems.

According to the company, while many U.S. financial institutions still have not implemented multi-factor authentication for their websites, others are now discovering that challenge / response or image-based systems they rushed to implement before the deadline fail to meet recent regulatory guidelines. Under the weight of increased regulatory scrutiny, these financial institutions are now turning to Sestus, one of only a handful of vendors whose products meet the regulatory definition of multi-factor authentication.

In August of 2006 the FFIEC published supplemental guidance in which it clarified what it considered to be true multi-factor authentication. In their supplement, the FFIEC wrote, "True multifactor authentication requires the use of solutions from two or more of the three categories of factors", i.e. something the user "knows" combined with something the user "has" or "is".

Such clarification was certainly needed. In the months before the FFIEC issued their supplemental guidance, a host of products had been introduced to the market promoting variations of the challenge / response approach to authentication, usually combined with image verification. Most notable of these was PassMark's SiteKey, a product that rose to prominence largely on the strength of its early adoption by Bank of America.

Challenge / response systems work by soliciting information in response to challenge questions. Some of these systems first attempt to retrieve a cookie or other identifier previously stored on the user's computer, treating the presence of that stored data as something the user "has". When it cannot be found, as is the case for the millions of internet users who regularly clear their browser's cache and cookies, these systems fall back on soliciting more of what the user "knows" in the form of challenge questions such as "What is your mother's maiden name?" If the questions are answered correctly, they often display a pre-selected image to the user, which is yet another piece of information the user "knows". Even the most successful challenge / response systems are therefore only occasionally multi-factor, an inconsistency that falls short of the regulatory requirements.

Many challenge / response systems make no pretense of retrieving anything the user "has" or "is", relying entirely on things the user "knows". They solicit login IDs, PINs, and personal information at different times in the process, obscure the entered information with on-screen keypads, dials, and sliders, and display pre-selected user images when complete. Their vendors assure ill-informed buyers that their products will satisfy the regulatory requirements and they cite well-known organizations such as Bank of America to substantiate their claims.

It might be well to remember, however, that Bank of America and most other early-adopters of challenge / response or site authentication image systems implemented those systems prior to the publication of the FFIEC's supplemental guidelines. Many are now struggling to bring their systems into compliance with these guidelines or are now seeking alternative approaches.

According to regulators, any process that does not consistently employ "two or more" authentication factors does not meet their definition of multi-factor authentication. Login IDs, passwords, mother's maiden names, favorite colors, credentials entered through scrambled keypads, captchas, site-authentication images, etc. all are things that users "know", regardless of how they may be solicited, entered, or viewed. Unless they can be combined with something the user "has" or "is", they fail to meet the compliance test.

In their August supplement, the FFIEC warned against relying on such approaches when they noted, "Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multi-factor authentication".
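To make the "consistently two or more categories" test concrete, the following Python model is an added illustration, not code from Sestus, PassMark or any bank. It models the login flow described earlier (a server-signed device cookie standing in for something the user "has", with a fall-back to challenge questions when the cookie is absent) and then applies the FFIEC category test to each path the flow can take. The HMAC cookie design, the `login` function, the user record and the server key are all assumptions constructed for the example.

```python
"""Does a challenge / response login consistently use two factor categories?

Added illustration (not Sestus or PassMark code). Models a login that
treats a server-signed device cookie as the "has" factor and falls back
to challenge questions when the cookie is missing, then applies the
FFIEC test: "two or more of the three categories of factors".
All names, keys and user records below are constructed for the example.
"""
import hashlib
import hmac
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Factor(Enum):
    KNOWS = "knows"   # passwords, PINs, challenge answers, site images
    HAS = "has"       # a token or device the user possesses
    IS = "is"         # biometrics (not modelled here)


# Constructed server secret and user store (not real data).
SERVER_KEY = b"constructed-server-key-do-not-reuse"
USERS = {
    "alice": {
        "password": "correct horse battery staple",
        "challenge_answers": {"mother's maiden name": "smith"},
        "site_image": "red-bicycle.png",
    }
}


def issue_device_cookie(user_id: str) -> str:
    """Mint a device-binding cookie: HMAC-SHA256 over the user id under the
    server key. Only the server can mint a valid one, so presenting it is
    treated here as evidence of something the user "has"."""
    mac = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{mac}"


def cookie_is_valid(user_id: str, cookie: Optional[str]) -> bool:
    """Constant-time comparison against a freshly computed cookie."""
    if cookie is None:
        return False
    return hmac.compare_digest(cookie.encode(), issue_device_cookie(user_id).encode())


def login(user_id: str, password: str, cookie: Optional[str] = None,
          answers: Optional[Dict[str, str]] = None) -> Tuple[bool, Set[Factor]]:
    """Run the modelled flow. Returns (authenticated, categories exercised)."""
    categories: Set[Factor] = set()
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(password.encode(), user["password"].encode()):
        return False, categories
    categories.add(Factor.KNOWS)            # password

    if cookie_is_valid(user_id, cookie):
        categories.add(Factor.HAS)          # device cookie found
    else:
        # Cookie missing (e.g. cache cleared): fall back to challenge questions.
        answers = answers or {}
        for question, expected in user["challenge_answers"].items():
            if answers.get(question, "").strip().lower() != expected:
                return False, categories
        categories.add(Factor.KNOWS)        # answers are still "knows"

    # Showing the pre-selected site image adds one more "knows" item;
    # the set does not grow, which is exactly the regulators' point.
    categories.add(Factor.KNOWS)
    return True, categories


def is_true_mfa(categories: Set[Factor]) -> bool:
    """FFIEC supplement test: two or more distinct categories on this path."""
    return len(categories) >= 2


def consistently_mfa(paths) -> bool:
    """A flow is multi-factor only if every successful path passes the test."""
    return all(is_true_mfa(cats) for ok, cats in paths if ok)


if __name__ == "__main__":
    pw = USERS["alice"]["password"]
    with_cookie = login("alice", pw, cookie=issue_device_cookie("alice"))
    cache_cleared = login("alice", pw, answers={"mother's maiden name": "Smith"})
    print("cookie present:", with_cookie, is_true_mfa(with_cookie[1]))
    print("cookie absent: ", cache_cleared, is_true_mfa(cache_cleared[1]))
    print("flow consistently multi-factor:", consistently_mfa([with_cookie, cache_cleared]))
```

Run as a script, the cookie-present path exercises {knows, has} and passes, while the cache-cleared path exercises only {knows} however many questions and images are added, so `consistently_mfa` reports the flow as not multi-factor. The same checker can be pointed at any login design: enumerate its successful paths and verify each one independently, because one compliant path does not make the flow compliant. Note also that a cookie is only as strong as the endpoint it sits on; anything that can read the browser's cookie store can present it.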

In addition to failing to meet the regulatory definition of multi-factor authentication, financial organizations that require their members to disclose personal information for authentication purposes may actually be compounding the online security problem. The Washington Post reported last year on a new type of phishing attack against Bank of America's Sitekey system that was apparently designed for the sole purpose of harvesting personal information from the bank's members, capitalizing on that bank's challenge / response login process.

More recently, the New York Times reported on a study conducted by researchers at MIT and Harvard in which such approaches were denounced as being "fundamentally flawed". The researchers expressed concern that, by their reliance on solicited personal information and user images which can be solicited by fraudsters as easily as by their legitimate organizations, such systems "might actually detract from security by giving users a false sense of confidence."

The FFIEC has yet to begin enforcing its multi-factor requirements, but pressure is beginning to be felt. While some organizations appear to be in denial, relying on the advice of ill-informed peers and vendor assurances, many others are now abandoning their challenge / response and site authentication image systems, or are looking for ways to bring these into compliance before the hammer falls.

"The fastest growing segment of our customer base is comprised of companies that adopted image-based or challenge / response systems one year ago", says T. Eric Willis, President & CEO of Sestus Data Company, one of the few companies whose product, PhishCops, actually meets the regulatory definition of multi-factor authentication. Says Willis, "They call us because their current systems are either too difficult to support, too confusing for their customers to use, or fail to meet the regulatory definition of multi-factor authentication." Willis continues, "Once they understand the FFIEC's guidelines, PhishCops becomes the logical choice."

PhishCops is based on government-approved authentication methods and the U.S. government has recognized PhishCops for its breakthrough in multi-factor authentication, naming it a semi-finalist for the Homeland Security Award. It is also a recipient of the InfoWorld 100 Award, InfoWorld Magazine's highest honor for technical innovation.

PhishCops enjoys an enviable reputation in the market, both with organizations and consumers. The company credits its positive reception to its patent-pending approach to authentication which never solicits personal information. Willis asserts, "Consumers should never be required to divulge personal information to access their accounts. After all, the whole point of the new guidelines is to protect consumer privacy, not require consumers to divulge yet more personal information."

PhishCops meets the regulatory definition of multi-factor authentication while simultaneously avoiding soliciting personal information. This is good news for organizations struggling to comply with regulatory guidelines. It is also good news for consumers who value their privacy in an increasingly insecure online world.

