BOL Conferences
#614739 - 09/18/06 06:15 PM Authentication in an Internet Banking Environment
Secure Banker Offline
New Poster
Joined: Jan 2006
Posts: 17
Does the method of capturing a customer's IP address meet the standards of the FFIEC multi-factor authentication guidance issued in Oct 2005? For example, at enrollment, the customer's IP address would be captured. Then the next time the customer logs in, they would need to enter their username and password and if the IP address didn't match, they would not be able to log on.

eBanking / Technology
#614740 - 09/18/06 10:17 PM Re: Authentication in an Internet Banking Environment
Dazed and Confused Offline
Gold Star
Dazed and Confused
Joined: Feb 2006
Posts: 250
Big XII South
I interpreted this the same way you did. The FFIEC guidance indicates that IPA location can be used as another authentication method. The guidance, however, provides appropriate warnings about this method (e.g., spoofing IPAs, non-static IPAs, wireless access, etc.). But if your institution's risk assessment on electronic banking services and products adequately supports the IPA location method ... then it appears the method should be appropriate (in theory) ... (I just haven't seen this signed off in practice yet ... maybe someone out there has?)

#614741 - 09/19/06 12:22 AM Re: Authentication in an Internet Banking Environment
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 84,332
Galveston, TX
So, what you are saying is that you are going to limit your customers to only accessing your internet banking system from one PC that has a static IP address. That virtually eliminates any transaction not done on a home PC, and then even some of them. Do you really want to limit your customers in that manner? What good is internet banking if it is not portable? Personally, it would be of no value to me as I spend most of my time on the road and that is why I have it.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#614742 - 09/19/06 12:44 AM Re: Authentication in an Internet Banking Environment
Dazed and Confused Offline
Gold Star
Dazed and Confused
Joined: Feb 2006
Posts: 250
Big XII South
Randy ... I had similar thoughts as you ... but depending on the sophistication and demand of the customer base ... they may be "ok" with that arrangement. Otherwise ... I agree ... it does not appear to be a practical solution for customers that travel.

#614743 - 09/19/06 01:39 PM Re: Authentication in an Internet Banking Environment
A_G Online
10K Club
Joined: Jul 2004
Posts: 19,002
Quote:
What good is internet banking if it is not portable?

I agree. I would be pretty ticked if I was on vacation and went to make my loan payment online and then was told I could not because the IP address did not match. Then on top of that even more ticked when I was charged the late charge... It seems to me this method would not be very practical from a customer service point of view.
_________________________
With the lights out, it's less dangerous.

#614744 - 09/19/06 04:28 PM Re: Authentication in an Internet Banking Environment
Secure Banker Offline
New Poster
Joined: Jan 2006
Posts: 17
I appreciate your insight. But, no, we are planning to use a different method of second authentication for our Internet Banking system. But, we were looking into the IP method for our credit card website. These are two different systems.

#614745 - 09/20/06 03:49 AM Re: Authentication in an Internet Banking Environm
Rubaiyat Offline
Diamond Poster
Joined: Jun 2001
Posts: 1,373
Lido Deck
What our system will do (and others that I have looked at as well) is that if it doesn't recognize your IP address, it will default to the security questions set up when you originally signed up for internet banking. When you can successfully pass the security questions, the IP address of the computer you are currently using can be "registered", or if you choose, it won't be registered and you would just answer the security questions whenever you are away from home.

So, it's not a big deal.
_________________________
--A bad day at sea is better than a good day at work.

#614746 - 09/21/06 10:21 AM Re: Authentication in an Internet Banking Environm
Obiwan Offline
New Poster
Joined: Aug 2006
Posts: 5
Another solution that we have implemented for authentication in our system is to let the customer choose the IP numbers that they will use. (They can be selected as country IPs; for example, one customer told us that he only wants to use it in the UK and Turkey, so we closed all other country IPs for him.)

So the customer can define both home and office PCs.

And surely you can let them select the hours that they want to use internet banking.
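
The security-question fallback for an unrecognized IP address and the per-customer country and hour restrictions described in the two posts above can be combined into one login decision. The following is an added example, not code from any poster's system; the Profile fields, the function names and the small country table (built from RFC 5737 documentation addresses) are assumptions constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from datetime import time

# Constructed stand-in for a GeoIP database (RFC 5737 documentation ranges).
GEO = {"192.0.2.0/24": "GB", "198.51.100.0/24": "TR", "203.0.113.0/24": "US"}

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None  # unknown location never matches a country allowlist

@dataclass
class Profile:  # hypothetical per-customer record
    registered_ips: set = field(default_factory=set)
    allowed_countries: set = field(default_factory=set)  # empty = no restriction
    allowed_hours: tuple = None   # (start, end) within one day, or None
    answers: dict = field(default_factory=dict)  # question -> lowercased answer

def evaluate_login(p, src_ip, now):
    """Call only after the username/password check has succeeded.
    src_ip must be the peer address the server saw, not a client-sent header."""
    ip = str(ipaddress.ip_address(src_ip))  # normalise; raises on garbage
    if p.allowed_countries and country_of(ip) not in p.allowed_countries:
        return "deny"
    if p.allowed_hours and not (p.allowed_hours[0] <= now <= p.allowed_hours[1]):
        return "deny"
    if ip in p.registered_ips:
        return "allow"
    return "challenge"  # unrecognized address: fall back to security questions

def answer_challenge(p, src_ip, given, register=False):
    """Check every enrollment answer; optionally remember this address."""
    ok = given.keys() == p.answers.keys() and all(
        hmac.compare_digest(given[q].strip().lower().encode(), a.encode())
        for q, a in p.answers.items())
    if ok and register:
        p.registered_ips.add(str(ipaddress.ip_address(src_ip)))
    return ok
```

A production system would store the answers hashed rather than in the clear, and would log every "challenge" and "deny" result so that repeated attempts from new addresses can be reviewed.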


Moderator:  Andy_Z