Thales Blog

New FFIEC Guidelines Make No Mention Of Strong Authentication

July 1, 2011

On Tuesday the US banking regulator, the Federal Financial Institutions Examination Council (FFIEC), set out its expectations to improve internet banking authentication standards. While the FFIEC calls for, amongst other measures, layered security and more sophisticated one-time cookies where device identification is used, there is notably no mention of strong authentication in their new document.

Strong authentication is already widely implemented in the UK and Scandinavia through the use of tokens and various devices to support card-not-present transactions such as Mastercard’s EMV-CAP card readers.

In the past, internet banking in the US has generally not made use of strong authentication, which might explain the term’s absence from the FFIEC’s document, but its use has proven highly effective in other geographies.

Banks recognise that not all customers find tokens convenient to use. However, mobile-based tokens or out-of-band verification could offer a practical means of providing strong authentication without requiring users to carry tokens or card readers.

Overall, the new guidelines are disappointing. While they do contain some good direction, for example on the use of ‘challenge questions’, they focus too much on good practice for the security measures banks use today rather than on measures that might dramatically improve online banking security.