Getting stronger

Last October, an obscure government body called the FederalFinancial Institutions Examination Council (FFIEC) issued asecurity guideline that banks are treating as a mandate. Startingin January 2007, financial institutions must provide consumers ofonline financial services the same protection enjoyed by customersusing a debit card to buy groceries or gas: strong authentication.

Strong means two or more types of identity verification in returnfor access. At the grocery store or gas station (or, for thatmatter, the ATM), those two factors are usually a plastic card anda pass code. Online banking, on the other hand, still primarilyworks with “weak” single-factor authentication: a password.

Strong authentication is meant to take a McGruffian bite out ofonline crime. And, on the surface, it appears that forcing banks toadd a second factor of authentication (such as a fingerprint or asmart card) to a password could improve the deteriorating state ofonline security. But experts say it’s not a slam dunk that a secondfactor would significantly reduce emerging risks. According tosecurity guru Bruce Schneier, “Two-factor authentication will forcecriminals to modify their tactics, that’s all.”

The timing of the requirement has little to do with recent consumeroutrage over identity theft. Michael Jackson, chairman of the FFIECIT subcommittee that drafted the directive, says the organizationdecided that authentication technology was finally good enough tomake a de facto mandate realistic.

Most banks expected this; some were planning two-factorauthentication initiatives anyway. Nevertheless, complying with theFFIEC’s order may place a significant burden on all but the largestbanks.

“To compete, we have to give away Internet banking for free andonline bill-paying for free,” says Gerald Rome, director of IT atFirst American Bank & Trust in Vacherie, La. “You can’t addthis and keep doing everything for free.”