The Federal Financial Institutions Examination Council published an FAQ, hoping to clear up questions about October 2005 guidelines that mandate strong authentication when users are accessing personal information or conducting high risk transactions online. Banks were given an end-of-2006 deadline.
“No extension will be granted!” said Amir Orad, RSA Security Inc’s vice president of consumer marketing. “Others had hoped or assumed the guidelines would not be as strict on the time-line, and that is not the case.”
The FAQ says the FFIEC’s member agencies “are not considering any general extension of the timing associated with this guidance”, but is somewhat vaguer on what would happen to banks that miss the deadline.
“This is helping them internally get the resources they need and the budget to do it,” Orad told us. Budget for authentication purchases means revenue for authentication vendors.
Kerry Loftus, director of product management at VeriSign Inc, said she did not expect a massive uptick in business before the end of the year, but said slower-moving banks will be able to implement quicker with the benefit of early adopters’ experience.
“Business has been solid since the guidance came out. I think we’ll just see a continuation of that pace through the end of this year,” she said in an email interview.
“We have seen some institutions holding back from addressing the guidance and this certainly puts them on the back foot from a timing perspective,” she said. “Their decisions will be more hurried but they will have the benefit of seeing which direction their peers have taken and can hopefully ‘fast follow’.”
RSA and VeriSign are both in the two-factor authentication business, selling one-time password tokens that can be used alongside regular passwords to make accessing internet services more secure. Both companies also made acquisitions over the last year aimed specifically at serving financial firms under the FFIEC rules.
RSA bought Cyota and PassMark, and VeriSign bought SnapCentric. The three deals brought risk assessment technology on board that, rather than enabling a yes/no authentication decision, could calculate the risk of the user really being who they say they are, using factors such as IP and MAC address.
The October FFIEC guidelines could have been interpreted as meaning banks had to deploy tokens to their users, a pricey proposition that would have had many banks balking, but the new FAQ clarifies that so-called layered security systems, such as those RSA and VeriSign acquired, can be used in some circumstances.
“Are the Agencies recommending multifactor authentication over layered security or other compensating controls?” the FFIEC asks in its FAQ. “No, any of these controls may be an effective method to mitigate risk in accordance with the guidance, if properly implemented.”
RSA’s Orad said that about 40 of the top 100 US banks have deployed its software. The vast majority have deployed the old Cyota software, which RSA now calls Adaptive Authentication. Fewer, including Bank of America, have deployed the PassMark system, which enables two-way authentication.
And fewer still have deployed SecurID hardware tokens, he said. Companies such as E-Trade have deployed SecurID, but only to their highest-value customers.
Further down the value chain, authentication startups like Passfaces Corp are hoping to tap into the credit union market through channel deals with online banking service providers – companies that offer white-label banking web sites for smaller firms.
“From what we can gather, only about 20% of credit unions have done anything about this; a lot of them will be relying on their service providers,” said Paul Barrett, chief executive of Passfaces.
Passfaces, which offers authentication based on users’ intuitive ability to recognize faces, recently signed a deal with such a service provider, R.C. Olmstead, Barrett said. The FFIEC FAQ specifically addresses this part of the market, saying banks can rely on service providers to run risk assessments, he noted.