10 Years in the Making: Financial Regulators Update FFIEC Authentication Guidance
For the first time in a decade, the U.S. Federal Financial Institutions Examination Council (FFIEC) updated its Authentication and Access to Financial Institution Services and Systems Guidance on August 11, 2021. If 10 years between updates seems long, it is. A decade ago, dynamics around cybersecurity, information security, and risk assessment were different.
Ransomware was a fringe nuisance rather than the dominant threat it is today, and knowledge-based verification (KBV), in which an individual answers a list of questions to prove their identity before being issued authentication credentials, was the norm and, for the most part, trusted.
The FFIEC is a formal interagency body composed of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The FFIEC is tasked “to make recommendations to promote uniformity in the supervision of financial institutions.”
The FFIEC’s Guidance applies to regulated financial institutions (FIs) and third parties that provide access to information systems and authentication controls on behalf of the FI. Per the Guidance, the “principles and practices address business and consumer customers, employees, and third parties that access digital banking services and financial institution information systems.”
Highlights from the FFIEC’s New Guidance
The FFIEC recommends that FIs identify the users and customers who warrant authentication and access management controls, as well as those who may require more stringent controls, such as multi-factor authentication (MFA).
Appropriately, the FFIEC alerts regulated FIs that single-factor authentication, typically something one knows such as a username and static password, is insufficient. It states that: “Attacks against systems and users protected with single-factor authentication often lead to unauthorized access resulting in data theft or destruction, adverse impacts from ransomware, customer account fraud, and identity theft. Accordingly, use of single-factor authentication as the only control mechanism has shown to be inadequate against these threats.”
The Guidance also adds that “...malicious activity resulting in compromise of customer and user accounts and information system security has shown that single-factor authentication, either alone or in combination with layered security, is inadequate in many situations.”
This is supported by a presentation at the 2020 FedID Forum by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN). FinCEN described how criminals exploit weaknesses in identity systems to commit more than $1 billion in cybercrime each month. Attacks that prey on weak authentication lead the list: business email compromise (BEC) accounts for $433 million in losses per month, closely followed by account takeover (ATO) at $350 million per month.
Further, the FFIEC appropriately notes that not all MFA solutions offer equal usability and security. It points out that “certain MFA factors may be susceptible to ‘Man in the Middle’ (MIM) attacks, such as when a hacker intercepts a one-time security code sent to a customer.” NIST makes the same point in its Digital Identity Guidelines: Authentication and Lifecycle Management (Special Publication 800-63B), and in July 2020 it published Special Publication 800-63: Digital Identity Guidelines FAQs reminding readers that SMS-OTP is a “restricted” authenticator. The interception can be as low-tech as a look-alike login page that asks the customer for the code and forwards it to the real bank within the code’s validity window, or a SIM swap that redirects the text message itself. Either way, the code carries no information about where the customer typed it, which is exactly what a phishing-resistant authenticator adds.
While the updated Guidance covers the expanding threat landscape and notes that digital banking has grown through smartphone apps, mobile computing, and other technologies, it misses an opportunity to recommend that FIs harden the applications themselves: protecting them from malware, preventing tampering and debugging, and keeping the mobile app secure even on jailbroken, rooted, or otherwise compromised devices.
Section 11: Identity Verification
Section 11 of the Guidance focuses on identity verification, a critical component of Know Your Customer (KYC) regulations. It notes that, “Verification methods that detect fraudulent activities, such as synthetic identities and instances of impersonation, have been shown to be effective in minimizing risk associated with identity verification.” This is especially critical considering that, per the FinCEN presentation mentioned above, identity theft and synthetic identity fraud now account for US$256 million in cybercrime each month.
The FFIEC stresses that “reliable verification methods generally do not depend solely on knowledge-based questions to verify identity.” We agree and recommend digital identity verification methods such as ID document verification and facial comparison.
These technologies are seeing rapid adoption due to the pandemic. When the pandemic forced financial institutions to onboard new customers remotely, the timing of the 2018 Economic Growth, Regulatory Relief, and Consumer Protection Act allowed many FIs to keep acquiring customers outside a branch without the need for emergency legislation. Section 213 of the Act permits the use of a scanned driver’s license or other government-issued identity card, verified to be authentic, combined with verification of the individual, which could include KBV and matching the photo on the license to a selfie taken on the applicant’s mobile phone during the application process. That step relies on facial matching technology, and the overall process is consistent with the FFIEC’s Guidance.
Evaluating Authentication Solutions
To assist FIs in selecting appropriate authentication solutions for their level of risk, the Guidance includes an Appendix that lists key authentication options, such as:
- Device-based Public Key Infrastructure (PKI) Authentication: The prime examples are solutions certified by the Fast Identity Online (FIDO) Alliance as conforming to the Alliance’s specifications. Although the FFIEC does not name FIDO directly, it footnotes NIST’s Special Publication 1800-17, Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers. Because a FIDO authenticator signs the server’s challenge together with the web origin the browser is actually connected to, an assertion relayed through a look-alike site fails verification at the bank; that is what makes it phishing-resistant where a typed one-time code is not.
- One-time Passwords (OTPs) generated by dedicated hardware or a mobile app. (Note, this is not the same as SMS-OTP: it removes the SIM-swap and carrier-interception exposure, but a code the customer types into a look-alike site can still be relayed to the real bank in real time.)
- Behavioral Biometrics: This authentication technology analyzes how an individual interacts with their device, including keystroke dynamics, finger pressure on the keypad, and the angle at which they hold their phone. It enables persistent but completely transparent authentication throughout the banking session.
- Device Identification and Enrollment: Unique identifiers or characteristics (such as geolocation and IP address) “of a device are identified and used to authenticate by obtaining a complex digital ‘fingerprint’ of the device or by other secure identification techniques.”
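To make concrete both the interception the Guidance warns about and the origin binding that separates the device-based PKI option from a typed one-time code, here is an added illustration; it is not part of the FFIEC Guidance or of this article’s original text. It implements TOTP as specified in RFC 6238 (HMAC-SHA1, 30-second step, 6 digits; the secret is the RFC’s published test seed, not a real credential), then models a real-time phishing relay against it and against a simplified origin-bound challenge-response in the style of FIDO. The origins, device key and challenge are constructed for the demo, and an HMAC stands in for the authenticator’s asymmetric signature, since the property shown (the browser, not the remote site, supplies the origin that gets signed) does not depend on the primitive.

```python
import hashlib
import hmac
import json
import struct
import time

# ---- Part 1: TOTP (RFC 6238 on top of RFC 4226 HOTP) ----------------------
# Constructed demo secret: the RFC 6238 test seed, not a real credential.
TOTP_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def bank_verify_totp(submitted: str, unix_time: int) -> bool:
    """The bank checks only that the code matches the current window; nothing
    in the six digits says which web page the customer typed them into."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


def relay_attack_on_totp(unix_time: int) -> bool:
    """A look-alike page collects the genuine code from the victim and the
    phisher forwards it to the real bank inside the 30-second window."""
    code_typed_on_fake_site = totp(TOTP_SECRET, unix_time)  # victim's real code
    return bank_verify_totp(code_typed_on_fake_site, unix_time)


# ---- Part 2: origin-bound challenge-response (FIDO-style, simplified) ------
BANK_ORIGIN = "https://bank.example"        # constructed
PHISH_ORIGIN = "https://phisher.example"    # constructed
# Constructed per-device key. A real authenticator holds a private key and the
# bank a public key; HMAC stands in for that signature in this demo only.
DEVICE_KEY = b"constructed-device-key-not-real"


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> dict:
    """The browser fills in the origin it is actually connected to; the
    authenticator signs over challenge + origin, as FIDO does with clientData."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin_seen_by_browser},
        sort_keys=True,
    ).encode()
    sig = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def bank_verify_assertion(assertion: dict, challenge: bytes) -> bool:
    """Verify signature, then the signed challenge, then the signed origin."""
    client_data = assertion["client_data"]
    expected = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(client_data)
    if bytes.fromhex(data["challenge"]) != challenge:
        return False
    return data["origin"] == BANK_ORIGIN  # a relayed assertion fails here


def legitimate_login(challenge: bytes) -> bool:
    return bank_verify_assertion(authenticator_sign(challenge, BANK_ORIGIN), challenge)


def relay_attack_on_origin_bound(challenge: bytes) -> bool:
    """The phisher relays the bank's genuine challenge to the victim, but the
    victim's browser is talking to phisher.example, so that is what gets signed."""
    assertion = authenticator_sign(challenge, PHISH_ORIGIN)
    return bank_verify_assertion(assertion, challenge)


if __name__ == "__main__":
    now = int(time.time())
    challenge = b"constructed-random-challenge-32b"  # constructed, not random
    print("TOTP relay accepted by bank:     ", relay_attack_on_totp(now))
    print("Origin-bound relay accepted:     ", relay_attack_on_origin_bound(challenge))
    print("Legitimate origin-bound login OK:", legitimate_login(challenge))
```

The TOTP half reproduces the RFC 6238 SHA-1 test vectors (truncated to six digits), so the relay result is not an artefact of a toy implementation; the second half shows why the same relay fails once the origin is part of what is signed, which is the distinction the Guidance’s MITM warning and its PKI option are really about.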
With the rapid change of information technology, security controls, and threats related to the internet banking environment, I don’t expect the FFIEC to wait another decade to update its authentication guidance for FIs.
As one of the nation’s critical infrastructure sectors, the financial services industry needs to comply with this Guidance, using effective authentication to protect customers and customer information, brand reputation, and shareholder value. While many FIs offer customers strong authentication solutions today, not all do. The good news for America’s banking customers is that if your financial institution has not already offered you the ability to use your own device for stronger authentication, chances are it will soon.