BOL Conferences
#557620 - 05/24/06 09:12 PM Multi-Factor Authentication Prep Poll
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,749
On the Net
If you have internet banking or telephone banking, the FFIEC multi-factor authentication guidance requires that you be ready by year end. This is an anonymous survey to check on preparations.
As the MF preparation requirements go:


Votes accepted starting: 05/24/06 09:11 PM
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

eBanking / Technology
#557621 - 05/25/06 03:15 PM Re: Multi-Factor Authentication Prep Poll
deppfan Offline
Power Poster
Joined: Dec 2000
Posts: 5,184
All over the map.
May I ask what others are actually using? I'm hoping for the grid card, or "bingo" card (as our provider calls it), but we may end up with the key token.
_________________________
On the road again.....I just can't wait to get on the road again.

#557622 - 05/27/06 03:16 PM Re: Multi-Factor Authentication Prep Poll
ChicagoGuy Offline
Diamond Poster
ChicagoGuy
Joined: Nov 2003
Posts: 1,577
Chicago, IL
DI (Digital Insight) is our vendor. They are a pretty good sized vendor. They are basically using a combination of "placing a cookie on the PC" and the use of challenge questions for authorization. They will allow someone to use multiple computers (home, work, etc.) if they so choose.

#557623 - 05/30/06 02:11 PM Re: Multi-Factor Authentication Prep Poll
Neytiri Offline
Platinum Poster
Neytiri
Joined: Jul 2002
Posts: 645
Pandora
We are going to have customers answer their security question for authorization in addition to ID and passcode, plus suggest they change passcode and security question every 30 days. We also review a daily login report that risk rates customer logins on various categories; anyone getting a high score we call. OCC was OK with this approach.

#557624 - 05/30/06 11:58 PM Re: Multi-Factor Authentication Prep Poll
Dip Offline
Power Poster
Dip
Joined: Mar 2005
Posts: 6,298
San Diego, CA
We use Digital Insight as well, and their method seems reasonable and less cumbersome than having to change your password every 30 days.
_________________________
Dabbling in banking, law, accounting...the life of a trustee.

#557625 - 06/08/06 03:43 PM Re: Multi-Factor Authentication Prep Poll
RR Sarah Offline
Power Poster
RR Sarah
Joined: Mar 2004
Posts: 2,505
Up North
We will be using a challenge/response question. Has anyone actually done the risk assessment yet?
_________________________
Sometimes you have to burn a few bridges to keep the crazies from following you.

#557626 - 06/08/06 03:55 PM Re: Multi-Factor Authentication Prep Poll
deppfan Offline
Power Poster
Joined: Dec 2000
Posts: 5,184
All over the map.
Don't you have to use any two of the following 3?
1. Something you know (password, pin#...)
2. Something you are (biometrics ~ fingerprint, retinal scan...)
3. Something you have (grid card, key token...)

How can they use a password AND a pin number, and still be in compliance?
_________________________
On the road again.....I just can't wait to get on the road again.

#557627 - 06/09/06 01:51 PM Re: Multi-Factor Authentication Prep Poll
Oursisnottoreasonwhy Offline
Platinum Poster
Oursisnottoreasonwhy
Joined: Nov 2004
Posts: 503
Central Illinois
Password plus PIN plus Challenge Question = noncompliance in my understanding of the FIL. As Deppfan states, you have to have 2 of the 3 to have dual authentication. Having 3 somethings you know instead of 2 doesn't cut it.

#557628 - 06/09/06 03:36 PM Re: Multi-Factor Authentication Prep Poll
deppfan Offline
Power Poster
Joined: Dec 2000
Posts: 5,184
All over the map.
Gurus? Am I overthinking this, or do these companies need to re-read the FIL?
_________________________
On the road again.....I just can't wait to get on the road again.

#557629 - 06/09/06 04:32 PM Re: Multi-Factor Authentication Prep Poll
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
Both of these seem to be what the customer knows?

#557630 - 06/09/06 09:03 PM Re: Multi-Factor Authentication Prep Poll
RR Sarah Offline
Power Poster
RR Sarah
Joined: Mar 2004
Posts: 2,505
Up North
Okay, you guys had me questioning our decision as a bank. To clarify, our added security is not simply a challenge question but will monitor IP addresses, transaction patterns and the like. So anyway, I went back and reread the FFIEC's guidance and Deppfan, the three things you listed are basic factors in authentication methodologies. From what I can understand of what I read, the level of security you choose is risk based and, according to the Conclusion paragraph, "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
_________________________
Sometimes you have to burn a few bridges to keep the crazies from following you.

#557631 - 06/09/06 10:32 PM Re: Multi-Factor Authentication Prep Poll
Dip Offline
Power Poster
Dip
Joined: Mar 2005
Posts: 6,298
San Diego, CA
Can something you have be a cookie installed on your computer after successfully answering 2 or three questions? If so, then something you know is the password, and something you have is the cookie. Right?
_________________________
Dabbling in banking, law, accounting...the life of a trustee.

#557632 - 06/12/06 03:04 PM Re: Multi-Factor Authentication Prep Poll
BusyInOz Offline
New Poster
Joined: Jun 2006
Posts: 4
Kansas
My question...exactly what does the FFIEC Guidance apply to? I am hearing (and reading in your poll) that more than just Internet Access should be considered. How have others interpreted this guidance (does it apply to telephone banking, whether automated or call center)? Thanks in advance!!

#557633 - 06/12/06 06:58 PM Re: Multi-Factor Authentication Prep Poll
PJ Offline
100 Club
Joined: Sep 2005
Posts: 115
SarahH - just remember that regulators consider transactional websites to be high risk.

#557634 - 06/12/06 07:23 PM Re: Multi-Factor Authentication Prep Poll
RR Sarah Offline
Power Poster
RR Sarah
Joined: Mar 2004
Posts: 2,505
Up North
Thanks, I understand that. We actually have an exam next month so I will let you all know if they find our risk assessment and solution acceptable. According to our lead examiner they do not have a lot of guidance themselves yet so it should be interesting.

So then what I got from the guidance is that the reason we do the risk assessment is to determine whether or not single factor authentication is still a viable option. We did ours and determined that no it was not. So, we looked to our internet banking provider to see what options they would be providing. They had two options and we went with the more vigorous of the two. Not that I want the examiners to get here any quicker but I am real curious to hear from them what they find acceptable.
_________________________
Sometimes you have to burn a few bridges to keep the crazies from following you.

#557635 - 06/12/06 07:35 PM Re: Multi-Factor Authentication Prep Poll
Skittles Online
10K Club
Skittles
Joined: Sep 2002
Posts: 13,965
TN
OK - I've been out of banking (in a compliance role) for approximately 14 months. I am unfamiliar with the multi-factor authentication. Where can I find out more information, please?
_________________________
My Opinions Only

#557636 - 06/12/06 07:43 PM Re: Multi-Factor Authentication Prep Poll
RR Sarah Offline
Power Poster
RR Sarah
Joined: Mar 2004
Posts: 2,505
Up North
Skittles, you can get the guidance from the FFIEC website. I don't know how to do the "click here for the link", sorry.
_________________________
Sometimes you have to burn a few bridges to keep the crazies from following you.

#557637 - 06/12/06 09:07 PM Re: Multi-Factor Authentication Prep Poll
Oursisnottoreasonwhy Offline
Platinum Poster
Oursisnottoreasonwhy
Joined: Nov 2004
Posts: 503
Central Illinois

#557638 - 06/12/06 10:18 PM Re: Multi-Factor Authentication Prep Poll
Dip Offline
Power Poster
Dip
Joined: Mar 2005
Posts: 6,298
San Diego, CA
Hi guys...we offer bill pay on our website, but customers may add "PEOPLE" to their billpay payees. This seems really risky to me...I'm calling it high risk, but has anyone else heard of banks allowing this? I thought you could only set up companies for bill pay, not individual people.

Your thoughts?
_________________________
Dabbling in banking, law, accounting...the life of a trustee.

#557639 - 06/15/06 07:10 PM Re: Multi-Factor Authentication Prep Poll
deppfan Offline
Power Poster
Joined: Dec 2000
Posts: 5,184
All over the map.
Do you have your own bill payment service, or do you have another company that actually is the provider?
_________________________
On the road again.....I just can't wait to get on the road again.

#557640 - 06/18/06 01:20 AM Re: Multi-Factor Authentication Prep Poll
smalone Offline
New Poster
smalone
Joined: Nov 2003
Posts: 10
Kentucky
We are also a DI bank and were wondering if you had gotten a response about the risk assessment. I have been reading everything that DI has produced regarding the assessment and am just not sure where to start.

#557641 - 06/26/06 08:31 PM Re: Multi-Factor Authentication Prep Poll
Joseph Steinberg Offline
New Poster
Joined: Apr 2006
Posts: 6
Hackensack, NJ, USA
Green Armor Solutions is offering a free multi-factor authentication checklist on its web site:

http://www.greenarmor.com/a-checklistforum.shtml

#557642 - 06/26/06 09:03 PM Re: Multi-Factor Authentication Prep Poll
UKcatsFan Offline
100 Club
UKcatsFan
Joined: Dec 2004
Posts: 141
Anywhere but here
I attended a PBS seminar on Compliance and Internet Banking last week and this issue came up. The instructor indicated that the regulators weren't requiring institutions to have their multifactor authentication in place by year end, only that they had taken reasonable steps towards getting it in place. His reasonable steps included:

- risk assessment
- implementing a customer awareness program

Thoughts?
_________________________
I still say Christian Laettner didn't get the shot off in time!!

#557643 - 06/27/06 02:31 PM Re: Multi-Factor Authentication Prep Poll
vaforlovers Offline
100 Club
Joined: Nov 2004
Posts: 107
What is everyone doing for the customer awareness program?
How are you going about educating the customers?


Moderator:  Andy_Z