Hey, Hey. I leave the country for a couple of weeks and all of a sudden the financial services industry, as represented by its regulators, wakes up to the need for strong authentication!
First the FFIEC, a hitherto unheard-of interagency group, comes up with a guideline entitled "Authentication in an Internet Banking Environment" (download the PDF).
It clearly states the case for strong authentication but falls short of mandating anything. Still, a stake has been driven into the ground:
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
The "agencies" are the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
The guidance document wraps up with:
Financial institutions should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
A lot of wiggle room there. I expect to see all sorts of server-side attempts to avoid the necessity of deploying tokens to everyone. But even so, this is a strong level of guidance. Better for banks to act now than to wait for a regulation on top of this.
This response, as reported by Brian Bergstein of the Associated Press, is not unexpected:
Cost-conscious U.S. banks are unlikely to go as far. Instead, they'll probably perform tweaks inside their own Web servers that most of us will barely notice.
"We're trying to come up with something here that's very user-friendly," said Jim Maloney, chief security executive of Corillian Corp., a Web-banking services company that offers login-analysis software.
Real motion to protect online assets will only occur when some online bank starts to garner a remarkable percentage of clients by selling trust and security. Then the me-too banking industry will fall into step.