July 19, 2022

Financial Institution Services and Systems Authentication and Access


The risk-based FFIEC Internet banking authentication guidance has evolved over the years, and what started as simple customer authentication guidelines has progressed into a set of standards that institutions can use to help protect information systems, accounts, and data.

Laying the foundation for customer authentication was the 2005 "Authentication in an Internet Banking Environment" (https://www.ffiec.gov/pdf/authentication_guidance.pdf) which included:

  • The level of authentication used by a financial institution in a particular application should be appropriate to the level of risk in that application.
  • An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.
  • The security of shared secret (i.e., password) processes can be enhanced with the requirement for periodic change. Shared secrets that never change are described as “static” and the risk of compromise increases over time.

The 2011 "Supplement to Authentication in an Internet Banking Environment"
(https://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf) supplements the 2005 guidance with additional requirements regarding layered security, such as IP filtering, device identification, multi-factor authentication (MFA), security/challenge questions, out-of-band verification, fraud detection and monitoring, and enhancing customer education. The supplement also included the need to detect and respond to suspicious activity.

Fast forward to the current August 2021 release, "Authentication and Access to Financial Institution Services and Systems" (https://www.ffiec.gov/press/PDF/Authentication-and-Access-to-Financial-Institution-Services-and-Systems.pdf). This replaces all prior guidance and sets a new foundation recognizing that “authentication considerations have extended beyond customers and include employees, third parties, and system-to-system communications.”

In addition to high-risk transactions (e.g., wires, cash management), all high-risk users (e.g., employees accessing customer information, system admins) are now included in the layered security guidance that “can include, but are not limited to, MFA, user time-out, system hardening, network segmentation, monitoring processes, and transaction amount limits.”

Aligning with NIST 800-63B guidance, periodic password changes are also no longer considered necessary for consumer and commercial Internet banking where the institution is applying appropriate authentication methods, and monitoring and acting on anomalies. This scales nicely to customer Internet banking transactions where monitoring and anomaly detection controls are typically integrated into the service. One benefit to this change is that password expiration typically presents significant customer resistance, aka "My other bank never made me change my password," and requires more support effort with little benefit to security. Note that unlike the prior guidance, the reference to “customer acceptance” of authentication methods is no longer included.

It is important to note that for employee access, such as network logins, strong controls such as MFA and a means of “determining if attempted or realized unauthorized access to information systems and accounts has occurred” have historically not been found in many environments, as they require significant resources to research, implement, and monitor. Given this FFIEC guidance, as well as pressure from outside forces such as the cybersecurity insurance industry, institutions should already be working towards implementing these stronger controls. Where adequate controls are absent, 10-D Security will continue to recommend that institutions consider 10+ character passwords with a 90-day expiration date for all employee user accounts.

The natural progression of the FFIEC authentication guidance has recognized that risks to customers and institutions change over time, and addressing those risks requires additional controls and methods. To keep up, steady improvements must be made.

Additional reading:
https://www.ffiec.gov/press/pdf/ffiec_it_handbook_information_security_booklet.pdf
FFIEC IT Examination Handbook, “Information Security” booklet, section II.C.15(c) (“Remote Access”), and section II.C.16 (“Customer Remote Access to Financial Services”) for information about layered security.


Authored By: David Matt, CISSP, CEH
