November 10, 2005

Ride the Wild Chimera

I'm sick of reading regulatory advice from vendors. Everybody's getting "suited up" and ready to leap on board the "two factor" bus because of the recent FFIEC authentication guidance. Every tired authentication vendor seems to have come out of hibernation to wave around a copy of this year's FFIEC authentication guidance and extol the virtues of two-factor authentication. I think vendors need to stop doing this once and for all.

A quick search in Google news shows announcements specifically mentioning the FFIEC guidance by TriCipher, by PassMark, by BioPassword, by Callingid, by Entrust, and by ActiveIdentity (nee ActiveCard). Whew, that's quite a list; I've never even heard of some of these people. Yes, vendors are clinging to the FFIEC report like it's a winning powerball ticket.

The language in these press releases is carefully chosen and in some cases quite deceptive; the implication is that two-factor is 1) a requirement for compliance and 2) that somehow the report recommends specific approaches. Check these out:

- "...provides a variety of two factor authentication methods that meet FFIEC guidance" [TriCipher]
- "...delivers the capabilities examiners will now look for, a second factor for authentication..." [PassMark]
- "The new guidance ... require[s] strong authentication when a customer logs into his bank account over the Internet." [CallingID]

Clearly, there is an agenda at work. Like almost every other piece of regulatory guidance out there, the notion that the vendors would like to install in the buying public is: buy our product and you're compliant.

My opinion about two-factor authentication is unchanged - unless something major happens in the industry, it's not going to be economically feasible for large-scale deployment - particularly in retail banking (or retail brokerage, for that matter). In order to justify my stagnation, I need only draw on the primary sources. Here's the relevant passage from the 2005 guidance:

- "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."

This is not a mandate; "where it's indicated" means not every case, and two-factor authentication is only one option - the others are "layered security" or "other controls." I have a firewall; does that count as "another control?" Does the fact that I'm sitting at a secure terminal on my bank's premises count as "reasonably calculated mitigation?" Once again, this is not prescriptive - nor should it be. The FFIEC is creating a framework within which financial services (FS) firms can operate; they are not drastically changing the technology landscape for every bank out there.

But wait, isn't there more, you ask? What about all that stuff in the "background" section (pages 2-3) about the different factors and "what you have, what you know," etc.? There's a reason for that. This is from the 2005 guidance:

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents.

By stark contrast, this is from the 2001 guidance:

Authentication methods that depend on more than one factor typically are more difficult to compromise than single factor systems. Accordingly, properly designed and implemented multi-factor authentication methods are more reliable indicators of authentication and stronger fraud deterrents.

With the exception of the omission of "typically" and the addition of "of authentication," these two passages are repeated verbatim. 2005: "There are a variety of technologies and methodologies financial institutions can use to authenticate customers..." - 2001: "There are a variety of authentication tools and methodologies financial institutions can use to authenticate customers." Etc., etc., etc.

Look - the point is that they've been saying this since 2001 and you don't see two-factor all over the place in banking or brokerage. Actually, I don't know of any bank - with the exception of Bank of America - that's actually trying to do two-factor authentication for retail; and BoA has some extenuating circumstances. Also, in 2001, the FFIEC specifically said, "In general, multi-factor authentication methods should be used on higher risk systems." This sentence has been omitted from the 2005 guidance (or maybe they just moved it so that I can't find it).

Anyway, thus concludes my rant... From now on, I'm going to strategically ignore vendors that quote the FFIEC; I recommend others (particularly practitioners in Financial Services) do the same... I have no beef with the FFIEC; I think they do what they do very well; however, I'm starting to question it when vendors try to make a regulatory play...

Posted by Ed at November 10, 2005 09:26 AM