Unintended Consequences of Two-Factor Authentication


In an editorial comment in the most recent issue of the Financial IT Security insert to the American Banker (no online copy available), Editor-in-Chief Holly Sraeel has some savvy observations for bankers about the recent FFIEC Guidelines that require banks and other financial institutions to enact dual-factor authentication procedures by the end of 2006.

The authentication guidance…has been labeled onerous, burdensome, and, with compliance set for 2006, costly. What many industry players fail to note is that such guidance is also long overdue. Current levels of authentication, generally single factor, are clearly inadequate, open institutions up to greater vulnerabilities as criminals put their Internet skills to use and leave little room for institutions to take security beyond the tactical and into the strategic realm.

In other words, if banks, even small institutions, haven’t been thinking “strategically” about enterprise security, they should take this opportunity to do so. As Ms. Sraeel points out, such strategic thinking is necessary “given the pace of technological change and how adept criminals are at keeping pace with innovation.”

It was bound to happen. With the Internet’s meteoric rise for commercial use over the past seven years, it’s surprising that multi-factor authentication was not mandated sooner. Think of it this way: The more that institutions do to safeguard customer and corporate information, the less likely they are to incur losses (obvious) and other damages such as the lack of proprietary information affecting mergers, stock performance, and product launches (becoming more obvious).

Most important, though, the guidance could prompt financial institutions to look beyond what is expected; for larger institutions, this could mean giving customers and partners secure access to more online services. This can only be good for business, and well worth the investment in multi-factor authentication. For smaller institutions, the guidance will require that they identify third-party providers whose technology meets or exceeds the FFIEC guidelines and, in doing so, opens new doors of opportunity.

Obviously, Ms. Sraeel is a “glass-half-full” kind of woman. Another, less optimistic, observer simply asserted “that banks should just quit whining.” Holly put it much better than that other guy, whoever he was.
