
Multi-Factor Authentication ID/Password Challenge

Question: 
Just completed listening to a CD that we purchased from you titled Multi-Factor Authentication. Unfortunately, I don't get a chance to ask questions, so I'm sending this one off to you in hopes that either Mary Beth Guard or someone familiar with the topic can answer. It was never mentioned whether adding another ID/password challenge is an acceptable form of additional authentication and, where appropriate, would satisfy the FFIEC directive for the end of this year?
Answer: 

Typical authentication methods employ at least one of the following:
* Something the user knows (e.g., password, PIN);
* Something the user possesses (e.g., ATM or smart card, security token); or
* Something the user is (e.g., biometric characteristic, such as fingerprint or retinal pattern).

Multifactor authentication, to me, has meant using a second one of these and not the same one twice. It is very likely that if the first password was compromised, the second would be with it, whereas a smart card or biometric identifier would be a separate layer from a password and independent of it. The password could be compromised easily in many ways, including through a phishing scam, but the second layer of security would not. If a token-generated code was used as an example, the code provided has a purposely short life span. It expires within minutes and would then be useless. A second password would provide little additional security.

First published on BankersOnline.com 7/24/06
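
The contrast drawn in the answer, a static second password versus a short-lived token code, can be checked from the verifier's side. The sketch below is an added example, not part of the original answer: it assumes the token follows RFC 6238 (TOTP) with a 30-second step, which the answer does not specify, and every secret, salt and timestamp in it is constructed.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; assumed value (the RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `now` (HMAC-SHA1)."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_token(secret: bytes, code: str, now: int, drift: int = 1) -> bool:
    """Accept a code only from the current step or `drift` steps either side."""
    return any(
        hmac.compare_digest(totp(secret, now + i * STEP), code)
        for i in range(-drift, drift + 1)
    )

def check_password(stored_hash: bytes, salt: bytes, attempt: str) -> bool:
    """A static secret: the same input is valid at any time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 100_000)
    return hmac.compare_digest(digest, stored_hash)

def replay_demo() -> dict:
    """Present both captured credentials again five minutes after capture."""
    salt = b"constructed-salt"
    second_password = "constructed-second-password"
    stored = hashlib.pbkdf2_hmac("sha256", second_password.encode(), salt, 100_000)
    token_secret = b"12345678901234567890"  # RFC 6238 test key, not a real seed
    captured_at = 59  # constructed capture time (RFC 6238 test vector)
    captured_code = totp(token_secret, captured_at)
    later = captured_at + 300
    return {
        "code_at_capture": check_token(token_secret, captured_code, captured_at),
        "code_replayed": check_token(token_secret, captured_code, later),
        "password_replayed": check_password(stored, salt, second_password),
    }

if __name__ == "__main__":
    print(replay_demo())
```

The verifier rejects the token code once its time window has passed, while the second password verifies exactly as it did at capture, which is why it adds no independent layer.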
