Authentify and FFIEC Guidance Compliance

In August 2001, in response to the growth in banking by remote electronic means, the FFIEC issued its first guidance for Authentication in an Electronic Banking Environment. The purpose of the document was to specify sound practices for authenticating the identity of new customers enrolling via electronic means and verifying the identity of returning customers. The seeds of the "arms race" between security practitioners of e-banking and cybercriminals were planted.

In October 2005, the FFIEC issued additional guidelines, Authentication in an Internet Banking Environment . The intent was to advise financial institutions offering Internet-based products and services to use effective methods to authenticate the identity of customers using those products and services. Specifically, single-factor authentication (username and password alone) were cited as not providing sufficient protection for Internet-based financial services. The supplement recommended two-factor authentication (2FA) as needed to protect accounts capable of being accessed online. Out-of-band authentication (OOBA), via telephone, was specifically cited as one of the acceptable second factors along with Knowledge Based Authentication (KBA) and others. For more on Authentify in two-factor authentication schemes, click here.

In 2011 the FFIEC issued Supplemental Guidance to the 2005 document.

The 2011 revisions specifically point out that stronger and layered authentication have become requisite to protect financial accounts. The FFIEC pointed out that man-in-the-middle (MITM) and man-in-the-browser (MITB) exploits were capable of interfering with transactions as they were being executed by a legitimate user. Keyloggers and other malware that 'harvested' account credentials permitted cybercriminals to use an account when the legitimate user was not logged on at all. Typical challenge response questions used for KBA were described as no longer adequate for strong account protection.

Authentify has the most experience with out-of-band authentication practice in the world. Having pioneered phone-based, out-of-band authentication in 1999, Authentify offers considerable expertise in transaction verification and its variants. Schemas might include:

  • An out-of-band phone call that audibly repeats transaction details to the end user for their approval. "Hello, if you are transferring twenty-five hundred dollars to an account ending in 5678, please press…"
  • An SMS message that displays transaction details and a one-time verification number the Web site expects to have entered to complete the transaction
  • Audible or SMS visual delivery of a one-time PIN (OTP) to confirm the transaction "Hello, to confirm a transfer of forty one hundred dollars, please enter the following number in the space on the Web page…"
  • Visual display and approval of transactions within an app on smart phones, tablets or windows desktops. (Authentify 2CHK)
Authentify 2CHK app

From a single vendor and using a single familiar technology, Authentify can provide:

  • Strong Two-Factor Authentication for Account Logon
  • Authentication and Verification of Address Changes
  • Authentication and Verification of Payee additions or modifications
  • Electronic Funds Transfer Confirmations
  • Transaction Verification for individual or "batched" transfers and payments at SMB's
  • Global Service to any country in any spoken language

Want to Learn more?

Authentify currently has integrations with most of the popular risk engines from vendors such as RSA, Symmantec and Actimize as well. For more information, contact an Authentify representative.

Receive more information: info@authentify.com