Puzzled about the FFIEC Guidance?

  • Single-factor authentication is not good enough to protect against online account fraud and identity attacks
  • Risk assessments should provide the basis for determining an effective authentication strategy
  • An effective authentication method should have customer acceptance, reliable performance, scalability and interoperability

Strong Authentication Conforming to FFIEC Guidance

Entrust IdentityGuard is a risk-based strong authentication platform that enables you to layer security across your diverse users, transactions and applications. It is a common-sense approach to strong authentication that lets you apply the level of authentication appropriate to the risk of the transaction the user is performing.

Looking Closer at the FFIEC Authentication Guidance
On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued updated guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes the enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using their on-line products and services. During upcoming examinations, examiners will review this area to determine a financial institution's progress in complying with the guidance.

The FFIEC Guidance asserts that:

"single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties… The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation."

The FFIEC Guidance also recommends:

"An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans."

Key Points from the Guidance:

  • Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
  • Single-factor authentication methodologies (e.g. username/password) may not provide sufficient protection for Internet-based financial services since account fraud and identity attacks are frequently the result of single-factor authentication exploitation.
  • The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
  • Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
  • Multifactor authentication methods (e.g. username/password plus one-time password grid card) are more difficult to compromise and therefore provide stronger fraud deterrents.

Multifactor Authentication Options:
Authentication technologies range from simple to complex and provide varying levels of security and costs of ownership. The key is to select the method that provides the appropriate level of security for the risk associated with financial products, accounts and transactions. Regardless, an effective authentication method should have:

  • customer acceptance (ease of use, transparency)
  • reliability of performance
  • scalability to accommodate growth
  • interoperability with existing systems and future plans

The multifactor authentication technologies described in the FFIEC guidance include the following:

| Technology | Description | Entrust Solution | More Information |
| --- | --- | --- | --- |
| Shared secrets | Queries that require specific knowledge to answer (amount of monthly mortgage payment); customer selected images that must be identified from a pool of images | YES | User authentication and mutual authentication capabilities of the Entrust IdentityGuard strong authentication platform leverage knowledge-based authentication |
| Tokens | USB token device (with or without digital certificate); smart card; password generating token (time synchronous) | YES, plus... | Entrust USB tokens can be used. The Entrust IdentityGuard solution offers several options which are significantly cheaper than the RSA SecurID password generating token. |
| Biometrics (physical characteristic) | Fingerprints; iris configuration; facial configuration; voice pattern | YES | Yes, with Partner Integration |
| Non-Hardware-Based One-Time-Password | Grid card with coordinate lookup; scratch card | YES, plus... | Entrust IdentityGuard offers a wide range of options including security grid (patented) and OTP scratch card options integrated in a single strong authentication platform |
| Out-of-Band Authentication | Telephone call; email message; SMS text message | YES | Multi-channel authentication supporting voice, email, SMS text messages, ATM/Kiosk and in-person authentication options |
| Internet Protocol Address (IPA) Location and Geo-Location | Profile with "IP intelligence" including location, domain name, proxies, etc. | YES, plus... | IPA is one aspect of the Entrust IdentityGuard machine authentication techniques for strong user authentication on multiple devices |
| Mutual Authentication | Authenticating web site to consumer via digital certificate, shared secret or image | YES | Entrust IdentityGuard offers several mutual authentication techniques |

The Entrust IdentityGuard strong authentication platform's innovative capabilities allow each party in an online transaction to be confident in the identity of the other while providing the flexibility to match the risk associated with the given transaction. Importantly, Entrust IdentityGuard has minimal impact on the user experience and is a fraction of the cost of conventional hardware tokens. In fact, the product has received strong reviews from numerous analysts, including Forrester in their recent report "What To Look for In Consumer Strong Authentication Solutions" and IDC Corporation in their recent Product Flash.
