What is Effective Authentication?

Top Methods for Conforming to FFIEC Authentication Guidance
What is Effective Authentication?
With the release of updated online authentication guidelines from the Federal Financial Institutions Examination Council, the need for effective strategies to mitigate known online risks has never been greater for banking institutions.

The FFIEC will begin checking for conformance with the updated guidance in January 2012, which includes stipulations for adequate multifactor authentication and ongoing internal risk assessments.

Multifactor authentication, as it's defined by the FFIEC, comprises three basic factors:

  • Something the user knows [e.g., password, PIN];
  • Something the user has [e.g., ATM card, smart card]; and
  • Something the user is [e.g., biometric characteristic, such as a fingerprint].

While various authentication techniques may be effective, every method can be compromised. Layered security, therefore, is suggested as being the most effective.

Here is a list of some of the authentication measures regulators and experts suggest banks and credit unions employ to effectively thwart cyber-fraudsters.

Out-of-Band Authentication

Out-of-band authentication validates online transactions through an outside channel, such as a mobile device. This technique is deemed effective at curbing fraud that results after a desktop PC is compromised.

In "review and respond" authentication, a text alert can be sent to a consumer's mobile phone after a transaction is initiated. If the transaction is fraudulent, the consumer can immediately call the card-issuing bank or credit union to alert the institution.

Using "review and release" during a card-not-present transaction, the consumer can approve or deny a purchase via SMS/test message or phone call.

Improved Challenge Questions

Today, most banking organizations require challenge questions for web authentication, but those questions have been criticized by regulators for being overly simplistic and easy to compromise. Question responses that involve a user's date of birth or pet name - information that many users divulge freely on social networks - are not considered strong when it comes to authenticating identity.

By asking more specific questions, whose answers cannot be easily found on social networking sites like Facebook and Twitter, financial institutions can better protect their customers and members.

Challenge questions should be out-of-wallet, meaning, if a thief stole a person's wallet, the information in it couldn't be used to answer a question, such as "What year were you born?" Some possible questions include:

  • "What year was your first child born?"
  • "What was the model year of your first car?"


Biometrics is an effective authentication method that relies on "something a person is." Fingerprint recognition and facial recognition are gaining greater acceptance in the biometrics realm.

Smart-phones could aid in the development of biometrics authentication. Inexpensive software installed on a mobile device, such as an iPhone, could be used to scan an iris or record a voice, producing a biometric for authentication.

Tokens and Scratch Cards

Tokens [something a person has] are another method. Tokens are self-contained devices that physically connect to a computer or device. They often have small screens where one-time passwords are displayed, providing users with codes to enter for transaction authentication.

While they create an additional layer of security, tokens are prone to fraud, as the recent breach of RSA's SecurID tokens proved.

Scratch cards offer a less-expensive alternative, but have their vulnerabilities as well, since they're easy to lose. A scratch card is similar to a bingo card and contains numbers and letters arranged in row-and-column format. When verifying or authenticating a transaction, the user is asked to select characters contained in a randomly chosen cell or column on the scratch card.

IP Address and Geolocation

Monitoring a user's IP address can be effective when it comes to device identification. But IPs can be spoofed easily, and the advent of mobile browsing has given IP addresses a fluid nature they did not have in the past.

Vendors have begun offering software that identifies several data elements, including location, anonymous proxies and domain name.

Geolocation, on the other hand, determines where a user is or is not. Software inspects and analyzes small bits of time required for Internet communications to move from endpoint to endpoint across the network. The electronic travel times are converted into cyberspace distances. After these cyberspace distances have been determined, they are compared with cyberspace distances for known locations.

The problem with geolocation, however, is that it currently produces results only for land-based or wired communications; it's not ideal for wireless networks.

Anomaly Detection

While improving authentication at the customer end is critical, financial institutions can't guarantee fraud is being mitigated. Anomaly detection should be a minimum requirement, experts say.

Device identification and log analysis play key roles in verifying user transactions. Both techniques, when used together, can shed light on behavior that could otherwise go undetected.

Anomaly detection works at an individual account holder level. It seeks to monitor an account holder's specific online behavior. If a user is performing unusual actions, anomaly detection will spot that.

Device identification helps indicate if a device logging in is trusted or not. When combined with other anomaly detection and anti-malware techniques, the institution can create a very comprehensive solution.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.